We are ScribePro Ltd (Company number SC593435) having our registered office at Office 2/1, 34 West George Street, Glasgow, Scotland, G2 1DA (“we”, “our”, “us”).
We provide a digital solution delivered through an online application which is hosted on our website accessed at www.scribepro.co (the “Site”), made available through our online portal accessed at portal.scribepro.co (the “Portal”) and available via a mobile application which allows sporting organisations to record and manage medical information in relation to their teams and individual players (the Platform together with the mobile applications are known collectively as the “Platform”). ScribePro Ltd takes data privacy seriously. The services made available by us through the Platform are referred to as the “Services”.
We try to meet the highest standards when processing your personal data. We therefore conduct our business in compliance with applicable laws on data privacy protection and data security.
This privacy statement describes who we are, how we collect, share and use your personal data, how we are committed to protecting the security and privacy of all personal data collected from you and how you can exercise your privacy rights.
We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (“UK GDPR”). We are also subject to the EU General Data Protection Regulation (“EU GDPR”) in relation to goods and/or services we offer to individuals in the European Economic Area (“EEA”).
Key Terms
These are a list of the key terms we use in this privacy policy:
“Contact” means a person that a Customer has given us personal data about through the Platform and/or Services. For example, if you are a Customer then a person within your organisation such as the clinician who inputs personal data into the ScribePro application will be a Contact as would any Player whose personal data has been uploaded onto the Platform by that clinician and is being managed on that application platform.
“Customer” means the entity or organisation that is registered to use the Platform and/or Services. This will usually be a sports club or organisation (as distinct from an individual player).
“Player” means an individual sportsperson who is part of a sports team operated by a Customer.
“Visitor” means, depending on the context, any person who visits our Site or makes use of the Platform or who otherwise engages with us whether by telephone, email, forms on the Site, through our social media platforms, at events, through our social media platforms or even face to face. This will usually be someone who contacts us through our Site to enquire about our company or the Platform and/or Services or subscribes to our marketing lists, but can also be a supplier or business contact.
“you” or “your” means, depending on the context, a Customer, a Contact, a Player or a Visitor.
How your personal data is collected
We collect personal data from you:
- directly, when you enter or send us information, such as when you register with us, contact us (including via email), send us feedback, post material on the Site, Platform or through the Services; and
- indirectly, such as your browsing activity on the Site, your use of the Platform and through the use of tracking technologies explained in the section ‘Cookies and other tracking technologies’ below.
What personal data do we collect
The personal data we collect from you may vary depending on whether you are a Customer, a Contact or a Visitor:
(A) Customers
Personal data we collect from Customers will vary depending on your interactions with us, your account settings, the features of the Platform and Services you use, your location and applicable laws. We may collect the following personal information from Customers:
- the name of the key contacts within your organisation and administrators of your account on the Platform;
- contact and billing details, including email addresses and phone numbers for key contacts within your organisation and your organisation’s postal address;
- account login credentials for users who access your Customer account;
- profile details from documents you or your key contacts fill in on the Site Platform;
- troubleshooting and support data, including contact data and submissions and responses to queries and support requests from persons within your organisation;
- information from your personnel in response to surveys about our Platform and/or Services.
(B) Contacts
Personal data about Players and other Contacts is to be provided on the authorisation of Customers. Where we collect personal data from Contacts on this basis we are doing so in accordance with the Customer’s instructions and we are acting as a processor of such personal data under data protection laws. We may collect the following personal data from Contacts:
- the Contact’s name, position within the Customer’s organisation and in the case of Players, a Player’s association with a team or squad within that organisation;
- the Contact’s contact information, including email address and phone numbers where this is made available on the Platform; and
- health-related (including mental health) data relating to Players, including a record of illnesses and injuries, prescription histories, suitability for practicing or playing and any medical notes on that Player’s file.
Please note that where we collect, store or process personal data about Players, this is done in accordance with our own privacy policy. We do not have any control or responsibility for the policies of the Customer’s organisation, which may differ from this privacy policy. Contacts should consult their Customer organisation for details on the policies which may apply to their personal data within that organisation. Players acknowledge that while their personal data is made available on the Platform and/or through the Services, we are acting only as the processor of such personal data and the Customer is the controller of such personal data as they decide how it is used. As the controller of Player personal data, the Customer has responsibility for providing Players with copies of any their personal data made available by the Customer on the Platform and/or Services and we will not provide Players with copies of their personal data.
(C) Visitors
We collect the following personal data about Visitors:
- identity information such as your name and contact details including your work postal/e-mail address and work phone number and job title (in the case of a supplier);
- details of products or services acquired by us and provided by you and advice received;
- financial and transactional details in relation to the provision of any services by you to us;
- data we collect in connection with queries we receive from you and which may include contact or authentication information, the contents of any correspondence via the Site between you and us
- information received from Visitor responses to surveys and feedback forms relating to the Platform and/or Services;
- information received from a Visitor in connection with job roles we make available via the Site; and
- information derived from Visitor browsing activity on the Site, including traffic data, location data, web logs and other communication data relating to actions taken on the Site.
How and why we use your personal data
Under data protection law, we can only use your personal data if we have a proper reason, including:
- where you have given consent;
- to comply with our legal and regulatory obligations;
- for the performance of a contract with you or to take steps at your request before entering into a contract; or
- for our legitimate interests or those of a third party.
A legitimate interest is when we have a business or commercial reason to use your personal data, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests, to balance our interests against your own. You can obtain details of this assessment by contacting us (see ‘How to contact us’ below).
How and why we use your personal data – in more detail
More details about how we use your personal data are set out in the table below:
Purpose | Processing operation | Lawful basis relied on under the UK GDPR and EU GDPR | Relevant categories of personal data |
Marketing our services to existing and former customers | Addressing and sending marketing communications | For our legitimate interests (Article 6(1)(f)), which is to provide customers and former customers information about our products and services |
|
Communications with you not related to marketing, including changes to our terms or policies or changes to the Platform or other important notices | Addressing and sending communications as required by law i.e. the UK GDPR, Data Protection Act 2018 or the EU GDPR | Processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(b)) |
|
Addressing and sending communications to you about changes to our terms or policies or changes to the products or other important notices (other than those addressed above) | Our legitimate interests (Article 6(1)(f)), which is to be as efficient as we can so we can deliver the best service to you |
|
|
Addressing and sending communications to you regarding legal actions or proceedings | Processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(b)) |
|
|
To respond to lawful requests by public authorities | Sharing information with the relevant public authorities | Processing is necessary for compliance with a legal obligation to which we are subject (Article 6(1)(b)) |
|
To provide the Platform and to provide support and improvements to the Platform | Sharing information with third parties who are involved in providing the Platform | Our legitimate interests (Article 6(1)(f)), which is to be as efficient as we can so we can deliver the best service to you |
|
Data analytics and research | Aggregating and anonymising Player personal data for the purpose of sporting injury and medical research and analysis | Player consent to process personal data for such purposes |
|
How and why we use your personal data – Special category personal data
Certain personal data we collect is treated as a special category to which additional protections apply under data protection law:
- personal data relating to a Player’s health status, including details of injury, disease, treatment and medical prescriptions, provided by medical records input and maintained on the Platform and/or made available through the Services by Contacts; and
- personal data relating to Player genetics, where this is included in medical records which are uploaded through the Services and maintained on the Platform.
Where we process special category personal data, we will ensure that we are permitted to do under data protection laws. The basis on which we are permitted to do so will be either:
- with the express consent of the Player to have this data processed using the Platform and Services; or
- on the basis that such processing is permitted on the basis that it is for the purpose of preventative or occupational medicine and to assess the working capacity of the Player as applicable to its status as a Player within a Customer’s organisation.
We process this special category personal data for the purposes of analytics and research into sporting injuries and trends in relation to these. Where we process special category personal data for these purposes, we ensure that the data is anonymised and aggregated in a format which prevents the identification of the individual Player to whom such personal data relates. We may also share this personal data in an aggregated and anonymised format with certain third parties. Please see ‘How and why we use your personal data – sharing’ below.
How and why we use your personal data – sharing
Marketing
We may use personal data provided by Customers and Visitors to send Customers and Visitors updates (by email, text, telephone or post) about our products and services, including exclusive offers, promotions and new products or services.
We have a legitimate interest in using your personal data for marketing purposes (see above ‘How and why we use your personal data’). This means we do not need your consent to send you marketing information. If we change our marketing approach in the future so that consent is needed, we will ask for this separately and clearly.
You have the right to opt out of receiving marketing communications at any time by:
- in the case of Visitors and Customers contacting us at hello@scribepro.co
- in the case of Visitors and Customers, using the ‘unsubscribe’ link in emails;
- in the case of Customers, updating your marketing preferences on your Customer account or contacting us at hello@scribepro.co.
Who we share personal data with
We may share personal data with:
- service providers who provide us with IT and administration services such as our IT Support and back up provider and webhosting company;
- third party providers of the services we use in connection with the Platform and/or Services such as contractors taking payments on our behalf but only to the extent necessary for the provision of the Services;
- regulatory authorities who require reporting of our activities by law such as the tax authorities;
- professional advisers such as our lawyers, accountants, bankers and insurers;
- debt collection agencies for the purposes of credit control or recovery of any sums due by you to us;
- third parties to whom we sell, transfer or merge our business or any part of it; and
- any other person only with your consent.
We also share specifically Player personal data relating to medical history or sporting injuries with recognised sporting, medical, education and research bodies. Any data personal shared will be done so in an anonymised and aggregated format and is strictly for the purposes of research and analysis of sporting injuries.
All third parties with whom we share personal data are required to protect your personal data, treat it confidentially and process it in accordance with the law. Where we use third parties who will be involved in processing personal data we take all reasonable steps to ensure that they are compliant with data protection laws and in particular assess that they have adequate technical and organisational measures in place to protect the security of your personal data.
How long will we hold your personal data
We will only retain your personal data for as long as is necessary in line with the purposes for which it was originally requested or collected or where we are required to retain personal data for legal or reporting purposes.
Different retention periods may apply for different types of personal data, for example in respect of Customers we are required by law to keep accounting records for six years after end of the year in which the last transaction with you occurred. This means that we will be required to keep some basic client details for that purpose even although our relationship with you may be at an end. However, it should be noted that the requirement is basic customer details and therefore it is not legitimate to also keep information such as your preferences for that period of time. Where we have no ongoing legitimate business need to process your Personal Data we will either delete it or anonymise it (for example because your personal data has been stored in backup archives) then we will securely store your personal data and isolate it from any further processing until deletion is possible.
Anonymised Player data may be kept indefinitely for the purpose of being able to analyse sporting injury and medical trends relating to the same.
If you have any questions relating to either retention periods or require more detail on the purposes of processing or the specific reason or legal grounds, we are relying on for that processing then please contact us using the details at ‘How to contact us’ below.
Cookies and other tracking technologies
A cookie is a small text file which is placed onto your device (e.g. computer, smartphone or other electronic device) when you use our Site or Platform. We use cookies and other tracking technologies such as:
- log files, which track actions taken through the Site or Platform (as applicable) and collect data including your IP address, browser type, internet service provider, referring or exit pages, and date and time stamps; and
- web beacons, tags and pixels which are electronic files on the Site used to record information about how you use the Site.
For further information on what cookies we use, when we request your consent before placing them and how to disable them, please see our Cookies Policy.
Security of personal data
We take information security very seriously. Your information and records will be stored securely to ensure privacy of your personal data. We take all reasonable steps to ensure that there are technical and organisational measures of security in place to protect your personal data from unauthorised access to or disclosure of it, and against loss or accidental damage or unauthorised alteration of it. Staff handling your personal data are also adequately trained in relation to the legal requirements for handling personal data. These include robust procedures for dealing with breaches including incident reporting and notifying the national supervisory or data protection authorities, and where appropriate you, of any breaches, the consequences of the same and the remedial action taken.
Transferring your data outside of the UK and EEA
Where possible the information you provide us with will be held within the European Economic Area (“EEA”) or within the UK.
The EEA, UK and other countries outside the EEA and the UK have differing data protection laws, some of which may provide lower levels of protection of privacy.
It is sometimes necessary for us to transfer your personal data to countries outside the UK and EEA. In those cases we will comply with applicable UK and EEA laws designed to ensure the privacy of your personal data.
Some types of processing may use cloud solutions which can mean information may sometimes be held on servers which are located outside of the EEA or may use processors who are based overseas.
Where we use cloud-based services or third-party providers of such services and in either or both circumstances the data is processed outside of the EEA (if you are an EU based individual) that will be regarded as an overseas transfer. Before instigating an overseas transfer, we will ensure that the recipient country and/or processor has security standards at least equivalent to EU standards and in particular one of the following permitted safeguards applies:
- the country in question is deemed to have adequate safeguards in place as determined by the European Commission; or
- there is a contract or code of conduct in place which gives your personal data the same protection it would have had if it was retained within the EEA; or
- if the overseas transfer is to the United States, then the transferee is a signatory to the EU-US Privacy Shield as all Privacy Shield signatories are obliged to give your personal data the same degree of protection it would have had if it was retained within the EEA; or
- if none of these safeguards exist, then we may seek your explicit consent for an overseas transfer. If you consent to the transfer of your personal data overseas you are free to withdraw this consent at any time. Please see ‘Your rights’ below.
Your rights
In certain instances, you have rights as an individual which you can exercise in relation to the information we hold about you. These rights are:
- the right to restrict processing of your personal data;
- the right to rectification or correction of your personal data;
- the right to object to processing of your personal data;
- the right of erasure of personal data (also referred to the right to be forgotten);
- the right not to be subject to a decision based solely on automated processing or profiling;
- the right to transfer your personal data (also referred to as the right of portability);
- the right to withdraw your consent to processing your personal data where this is relied upon as our lawful basis for processing that personal data; and
- the right of access to your personal data.
Additional information about these rights can be found on the Information Commissioner’s website at https://ico.org.uk/for-organisations/law-enforcement/guide-to-le-processing/individual-rights/
If you would like to exercise any of those rights, please contact us using the details below (please see ‘How to contact us’ below). When contacting us please:
- provide enough information to identify yourself (e.g. your name, address, associated business and Customer reference details or account details); and
- let us know which right(s) you want to exercise and the information to which your request relates.
As described in Section 1B above, for much of the personal data we collect and process about Contacts through the Platform and/or Services, we act as a processor on behalf of our Customers. In such cases, if you are a Contact and want to exercise any data protection rights that may be available to you under applicable law or have questions or concerns about how your personal data is handled by us as a processor on behalf of our individual Customers, you should contact the relevant Customer that is using the Platform and Services, and refer to their separate privacy policies. If a Contact submits a request to exercise these rights in relation to personal data for which we are acting as the processor on behalf of a Customer, such requests shall be referred to the relevant Customer.
Complaints
We would prefer to resolve any issues or concerns you may have direct with you. If you feel you are unable to resolve matters by contacting us direct or are you are unhappy or dissatisfied with how we collect or process your personal data you have the right to complain about it to your national data protection authority. For example, you have the right to lodge a complaint with:
- the Information Commissioner in the UK; or
- a relevant data protection supervisory authority in the EEA state of your habitual residence, place of work or of an alleged infringement of data protection laws in the EEA.
The UK Information Commissioner may be contacted using the details at https://ico.org.uk/make-a-complaint or by telephone: 0303 123 1113.
For a list of EEA data protection supervisory authorities and their contact details see here.
How to contact us
If you have any questions, comments or requests relating to this Privacy Policy, please contact us at hello@scribepro.co.
Changes to this privacy policy
We keep our privacy policy under regular review. This privacy policy was last updated on 28/03/2024.