Privacy Statement

Introduction

HebeDoc is strongly committed to protecting personal data. This privacy statement describes why and how we collect and use personal data and provides information about individual’s rights.

It applies to personal data provided to us, both by individuals themselves or by others. We may use personal data provided to us for any of the purposes described in this privacy statement or as otherwise stated at the point of collection.

“HebeDoc.com” (and “we”, “us”, or “our”) refers to HebeDoc Limited (the limited company registered in the United States (1) is a contracting party for the purposes of providing or receiving services, (2) posted a position for which you are applying, or (3) you have a role or relationship with.

Personal data is any information relating to an identified or identifiable living person. When “you” or “your” are used in this statement, we are referring to the relevant individual who is the subject of the personal data.

HebeDoc.com processes personal data for numerous purposes, and the means of collection, lawful basis of processing, use, disclosure, and retention periods for each purpose may differ.

When collecting and using personal data, our policy is to be transparent about why and how we process personal data. To find out more about our specific processing activities, please go to the relevant sections of this statement.

Business Contacts

HebeDoc.com processes personal data about contacts (existing and potential HebeDoc.com clients and/or individuals associated with them).

The collection of personal data about contacts and the addition of that personal data to the HebeDoc.com CRM is initiated by a HebeDoc.com user and will include name, employer name, contact title, phone, email and other business contact details. In addition, the HebeDoc.com CRM may collect data from HebeDoc.com email (sender name, recipient name, date and time) and calendar (organizer name, participant name, date and time of event) systems concerning interactions between HebeDoc.com users and contacts or third parties.

Use of personal data

Personal data relating to business contacts may be used for our legitimate interests and the legitimate interests of other HebeDoc.com member firms for the following purposes:

• Administering, managing and developing our businesses and services
  We may process personal data in order to run our business, including:
• managing our relationship with clients;
• developing our businesses and services (such as identifying client needs and improvements in service delivery and learning more about a client, relationship opportunity we or other HebeDoc.com affiliate have an interest in);
• Analyzing and evaluating the strength of interactions between us and a contact. The HebeDoc.com CRM uses an algorithm to help with this analysis and the ranking is primarily based on interaction frequency, duration, recency and response time;
• performing analytics, including producing metrics for HebeDoc.com leadership, such as on trends, relationship maps, sales intelligence and progress against account business goals;
• maintaining and using IT systems;
• hosting or facilitating the hosting of events; and
• administering and managing our website and systems and applications.
• Providing information about us and our range of services
  Unless we are asked not to, we use client business contact details to provide information that we think will be of interest about us and our services. For example, industry updates and insights, other services that may be relevant and invites to events.

HebeDoc.com does not sell or otherwise release personal data contained in the HebeDoc.com CRM to third parties for the purpose of allowing them to market their products and services without consent from individuals to do so.

Data retention

Personal data will be retained on the HebeDoc.com CRM for as long as we have, or need to keep a record of, a relationship with a patient or business contact, which is for the duration of our relationship with a contact or their organization.

Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

When and how we share personal data and locations of processing

Personnel (Directors, Staff and contractors)

We collect personal data concerning our own personnel (partners, staff and contractors) as part of the administration, management and promotion of our business activities.

Please refer to our privacy statement available on our intranet for information on why and how personal data is collected and processed in relation to your role with HebeDoc.com.

Corporate clients (and individuals associated with our corporate client)

Collection of personal data

Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients to only share personal data with us where it is strictly needed for those purposes.

Where we need to process personal data to provide healthcare related services, we ask our clients to provide the necessary information to the data subjects regarding its use. Our clients may use relevant sections of this privacy statement or refer data subjects to this privacy statement if they consider it appropriate to do so.

The categories of personal data processed by us in relation to the services we provide are generally:

Personal details (e.g. name, age/date of birth, gender, marital status, country of residence);

Contact details (e.g. email address, contact number, postal address);

Medical records (e.g. health records, scans, images and any other information pertinent to the treatment of a patient associated with the corporate scheme);
For certain services or activities, we may process special categories of personal data (such as in performing know your client checks and providing immigration status which involve us processing government identification documents that may contain biometric data or data revealing racial or ethnic origin).

Generally, we collect personal data from our clients or from third parties when providing services to the relevant client.

Use of personal data
We use personal data for the following purposes:

Providing medical and health related services
We provide a diverse range of medical and health-related services (click here for information on our services) . Some of our services require us to collect and process personal data in order to ensure that our Healthcare provider partners have all the relevant information to make the appropriate patient treatment decisions. For example, details of a patient’s health record to ensure that the patient is indeed suitable for the treatment that they have applied for.

Legal grounds: Legitimate interests, legal obligation, public interest or consent.

This processing of personal data by us is necessary for the purposes of the legitimate interests pursued by us in providing medical and health-related services and our client in receiving medical and health-related services as part of running their organization and, in some cases, we have a legal obligation to provide the services in a certain way. Where we process special categories of personal data, we rely on a relevant public interest condition or consent.

Administering, managing and developing our businesses and services
We may process personal data in order to run our business, including:

• managing our relationship with clients and prospective clients;
• developing our businesses and services (such as identifying patient needs and improvements in service delivery);
• maintaining and using IT systems;
• hosting or facilitating the hosting of events; and
• administering and managing our website and systems and applications.
• Legal grounds: Legitimate interests.

This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.

Security, quality and risk management activities
We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We monitor the services provided to clients for quality purposes, which may involve processing personal data stored on the relevant client file. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to client engagements. 

We collect and hold personal data as part of our client engagement and acceptance procedures. As part of those procedures we carry out searches using publicly available sources (such as internet searches and sanctions lists) to identify politically exposed persons and heightened risk individuals and organizations and check that there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions (including in respect of company directors), conduct or other reputational issues).

Legal grounds: Legitimate interests
This processing is necessary for the purposes of the legitimate interests pursued by us to ensure network and information security, manage risks to our business and check the quality of our services.

Providing our clients, Patients and prospective clients and patients with information about us and our range of services.
Unless we are asked not to, we use client and prospective client business contact details to provide information that we think will be of interest about us and our services. 

For example, industry updates and insights, other services that may be relevant and invites to events.
Legal grounds: Legitimate interests
This processing is necessary for the purposes of the legitimate interests pursued by us to promote our business and services.

Complying with any requirement of law, regulation or a professional body of which we are a member

As with any provider of medical and health-related services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.

This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations and, where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to meet our regulatory or professional obligations.

We are continually looking for ways to help our clients and improve our business and services. Where agreed with our clients, we may use information that we receive in the course of providing medical and health-related services for other lawful purposes, including analysis to better understand a particular issue, industry or sector, provide insights back to our clients, to improve our business, service delivery and offerings and to develop new HebeDoc.com technologies and offerings. 

To the extent that the information we receive in the course of providing medical and health-related services contains personal data, we will de-identify the data prior to using the information for these purposes.

We have a legitimate interest in de-identifying data to help our clients, to improve our business, service delivery and offerings and to develop new HebeDoc.com technologies and offerings, including by performing benchmarking and analysis.

Data retention

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).

In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 8 years.

Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

When and how we share personal data and locations of processing

Further details about the processors (such as IT service providers) used by HebeDoc.com and locations of processing are provided here . We may use other organizations to help us deliver our services as agreed with our client on an engagement-specific basis.

Recruitment Applicants

Introduction

This section of our privacy statement describes why and how we collect and use personal data in connection with our recruitment activities.

If your application is successful, we carry out pre-employment screening checks as part of our onboarding process. Depending on the role you have applied for, these checks may include criminal records checks.

Collection of personal data

We will collect personal data in connection with our recruitment activities as described below. Most of the personal data we collect as part of our recruitment process is provided by you such as:

• Contact details (name, email, telephone number);
• Areas of interest;
• Username and password to apply for a role;
• CV, experience, education, academic and professional qualifications;
• Information provided as part of interviews and assessments;
• Social mobility data as part our contextual recruitment practices;
• Diversity and equal opportunities data;
• Pre-employment screening information if your application is successful;
• Information about your and your immediate family’s financial relationships if your application is successful; and
• Bank account details if your application is successful.

We create personal data in connection with our recruitment activities such as:

Interview and assessment results and feedback; and Offer details.

We obtain personal data from third party sources such as:

References from your named referees; Information from your referrer (where applicable); Results of Disclosure and Barring Service checks (depending on the role applied for); Verification of information provided during the recruitment process by contacting relevant third parties (for example, previous employers, education and qualification providers) or using publicly available sources (for example, to verify your experience, education and qualifications); and Information from social media sites that you are a member of about your engagement with our recruitment campaigns.

Use of personal data

We process personal data for our legitimate interests to attract and secure the best talent to work with us as follows:

To attract talent and market opportunities at HebeDoc.com including by arranging, hosting and participating in events, marketing and advertising opportunities and using recruiters to help find talent for us.

To identify and source talent including by searching our existing talent pool and publicly available sources (such as social media and job websites of which you are a member).

To process and manage applications for roles at HebeDoc.com, evaluate you for open positions that match your interests and experience throughout the HebeDoc.com network, manage your candidate profile, send you email notifications and other announcements, request additional information or otherwise contact you about your candidacy.

To screen and select talent by evaluating your suitability for employment with HebeDoc.com, including through interviews and assessments and conducting background checks.

To hire and onboard talent by making an offer to successful applicants and carrying out pre-employment screening checks.

To conduct statistical analyses and create reports including for example regarding usage of our careers websites, demographic analysis of candidates, reports on HebeDoc.com recruitment activities, and analysis of candidate sourcing channels.

To administer and manage our careers websites and communicate with you about careers at HebeDoc.com.

Any other purposes stated when you provide the information to HebeDoc.com.

We carry out criminal records checks for the following purposes:

To comply with our legal obligation to ensure an individual is eligible to work and to report relevant information to the Home Office as part of HebeDoc.com sponsored visa applications.

For our legitimate interest or that of a third party to carry out pre-employment screening including a full background and criminal records check, depending on the role: (i) to establish whether an applicant has committed an unlawful act or been involved in dishonesty, malpractice or other seriously improper conduct; or (ii) to comply with government and public sector clearance requirements.

We collect and use information about race and ethnicity, religious and philosophical beliefs and health data for the following purposes:

For our legitimate interest and reasons of substantial public interest.

To comply with our legal obligation to make reasonable adjustments (for example, as a result of the outcome of a pre-employment medical assessment).

If your application is successful and where you provide consent, to provide information on relevant HebeDoc.com support and networks.

When and how we share personal data and locations of processing

In addition to the general information about when and how we share personal data and locations of processing provided here, personal data processed by us in connection with our recruitment activities may be transferred to:

Other HebeDoc.com member firms
You personal data will be provided to the HebeDoc.com firm that has posted the position for which you are applying and other HebeDoc.com member firm(s) where the role you are being considered for involves working with other HebeDoc.com member firm(s) and to assist with their recruitment and employment activities (for example, if they are recruiting for a role that matches your interests and experience).

Third party organizations that provide applications/functionality, data processing or IT services to us.

We use the products and services of third party organizations as part of the recruitment processes. The products and services we use differ depending on the role you apply for.

Employment agencies or recruiters acting on behalf of a candidate.

Government and regulatory agencies as required by, and in accordance with, applicable law or regulation We are required to keep records of our recruitment processes where we sponsor a worker from outside the US. 

The Home Office has authority to obtain disclosure of this personal data to check that we are complying with applicable law and regulation. We will only fulfill requests for personal data where we are permitted to do so in accordance with applicable law or regulation.

Data retention

We retain personal data processed in connection with our recruitment activities as follows:

If your application is successful we will retain relevant personal data as part of your employee record and your talent pool account (if you choose to join our talent pool).

If your application is unsuccessful, we will retain and use the information you provided to HebeDoc.com as part of your application for a reasonable period of time to deal with any matter which may arise in connection with your application, for purposes of contacting you regarding other employment opportunities and for our legitimate business purposes (for example, to make sure we do not contact an individual about a role they have already applied for) and for as long as you are a member of our talent pool (if you choose to join our talent pool).

Where we sponsor a worker from outside the US we keep personal data about the other applicants for the role until we are audited by the Home Office to check we are complying with applicable law and regulation.

Patients & personal clients

Collection of personal data

Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients only to share personal data where it is strictly needed for those purposes.

Where we need to process personal data to provide our services, we ask our clients to provide the necessary information to other data subjects concerned, such as family members, regarding its use.
Given the diversity of the services we provide to personal clients and patients click here for information on our services , we process many categories of personal data, including as appropriate for the services we are providing:

Contact details;

Medical records;

Family information;

For certain services or activities, and when permitted by law (e.g. under a public interest condition) or with an individual’s consent, we may also collect special categories of personal data. Examples of special categories include race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records.
Generally, we collect personal data from our clients or from a third party acting on the instructions of the relevant client.

Use of personal data

We use personal data for the following purposes: Providing medical and health-related services. We provide a diverse range of medical and health-related services (click here for information on our services) . 

Some of our services require us to process personal data in order to provide advice and deliverables. For example, we need to use personal data to provide information to our clinicians in relation to the treatment being requested by the patient.

Legal grounds: Performance of a contract, legitimate interests, legal obligation, public interest or consent.

This processing is necessary for the performance of the products and services purchased by the client on our website (contract) to which our personal client or patient (the data subject) is a party and, where we process personal data about other individuals (such as family members) in order to provide our services, this processing is necessary for the purposes of the legitimate interests pursued by us in providing medical and health-related services and our client in receiving medical and health-related services. In some cases, we have a legal obligation to provide the services in a certain way and where we process special categories of personal data, we rely on a relevant public interest condition or consent.

Administering, managing and developing our businesses and services
We may process personal data in order to run our business, including:

• managing our relationship with clients and prospective clients;
• developing our businesses and services (such as identifying client needs and improvements in service delivery); maintaining and using IT systems;
• hosting or facilitating the hosting of events; and administering and managing our website and systems and applications.

• Security, quality and risk management activities
  We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We monitor the services provided to clients for quality purposes, which may involve processing personal data stored on the relevant client file. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to client engagements. 
• We collect and hold personal data as part of our client engagement and acceptance procedures. As part of our client and engagement acceptance, we carry out searches using publicly available sources (such as internet searches and sanctions lists) to identify politically exposed persons and heightened risk individuals and organizations and check that there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions (including in respect of company directors), conduct or other reputational issues).
  
• Legal grounds: Legitimate interests
  This processing is necessary for the purposes of the legitimate interests pursued by us to ensure network and information security, manage risks to our business and check the quality of our services.
• Providing our clients and prospective clients with information about us and our range of services
  
• With consent or otherwise in accordance with applicable law, we use client and prospective client contact details to provide information that we think will be of interest about us and our services. For example, industry updates and insights, other services that may be relevant and invites to events.
  Legal grounds: Legitimate interests
  This processing is necessary for the purposes of the legitimate interests pursued by us to promote our business and services.
• Complying with any requirement of law, regulation or a professional body of which we are a member
  
• As with any provider of medical and health-related services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
  

Legal grounds: Legal obligation or legitimate interests
This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations and, where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to meet our regulatory or professional obligations.

We are continually looking for ways to help our clients and improve our business and services. Where agreed with our clients, we may use information that we receive in the course of providing medical and health-related services for other lawful purposes, including analysis to better understand a particular issue, industry or sector, provide insights back to our clients, to improve our business, service delivery and offerings and to develop new HebeDoc.com technologies and offerings. 

To the extent that the information that we receive in the course of providing professional services contains personal data, we will de-identify the data prior to using the information for these purposes.
Legal grounds: Legitimate interests

We have a legitimate interest in de-identifying data to help our clients, to improve our business, service delivery and offerings and to develop new HebeDoc.com technologies and offerings, including by performing benchmarking and analysis.

Data retention

We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 8 years.
Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

When and how we share personal data and locations of processing

Further details about the processors (such as IT service providers) used by HebeDoc.com and locations of processing are provided here. We may use other organizations to help us deliver our services as agreed with our client on an engagement-specific basis.

Suppliers (including subcontractors and individuals associated with our suppliers and subcontractors)

Collection of personal data

We collect and process personal data about our suppliers (including subcontractors and individuals associated with our suppliers and subcontractors) in order to manage the relationship, contract, to receive services from our suppliers and, where relevant, to provide Medical and Health-related services to our clients. The personal data is generally business card data and will include name, employer name, phone, email and other business contact details and the communications with us.

Use of personal data

We use personal data for the following purposes:

Receiving services
We process personal data in relation to our suppliers and their staff as necessary to receive the services. For example, where a supplier is providing us with facilities management or other outsourced services, we will process personal data about those individuals that are providing services to us.

Providing Medical and Health-related services to clients

Where a supplier is helping us to deliver Medical and Health-related services to our clients, we process personal data about the individuals involved in providing the services in order to administer and manage our relationship with the supplier and the relevant individuals and to provide such services to our clients (for example, where our supplier is providing people to work with us as part of a HebeDoc.com team providing Medical and Health-related services to our clients).

Legal grounds: Legitimate interest 

This processing of personal data by us is necessary for the purposes of the legitimate interests pursued by us in providing Medical and Health-related services and our client in receiving Medical and Health-related services as part of running their organization.

Administering, managing and developing our businesses and services
We may process personal data in order to run our business, including:

managing our relationship with suppliers; developing our businesses and services (such as identifying client needs and improvements in service delivery); maintaining and using IT systems; hosting or facilitating the hosting of events; and administering and managing our website and systems and applications.

Legal grounds: Legitimate interests
This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.

Security, quality and risk management activities
We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to our suppliers. We collect and hold personal data as part of our supplier contracting procedures. We monitor the services provided for quality purposes, which may involve processing personal data.

Legal grounds: Legitimate interests
This processing is necessary for the purposes of the legitimate interests pursued by us to ensure network and information security, manage risks to our business and check the quality of the services.

Providing information about us and our range of services
Unless we are asked not to, we use business contact details to provide information that we think will be of interest about us and our services. For example, industry updates and insights, other services that may be relevant and invites to events.

Legal grounds: Legitimate interests
This processing is necessary for the purposes of the legitimate interests pursued by us to promote our business and services.

Complying with any requirement of law, regulation or a professional body of which we are a member

As with any provider of Medical and Health-related services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.

Legal grounds: Legal obligation or legitimate interests
This processing is necessary for us to comply with a legal obligation; for example, when conducting supplier due diligence checks and, where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to meet our regulatory or professional obligations.

Data retention
We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation). 

Personal data will be retained about our contacts at our suppliers for as long as it is necessary for the purposes set out above (e.g. for as long as we have, or need to keep a record of, a relationship with a contact, which is for the duration of our relationship with a contact or their organization) and then deleted in line with our deletion and retention policies.

Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.

How we share personal data

Further details about the processors (such as IT service providers) used by HebeDoc.com and locations of processing are provided here . We may use other organizations to help us deliver our services as agreed with our client on an engagement-specific basis.

Individuals who use our applications

We provide external users access to various applications managed by us. Such applications will contain their own privacy statements explaining why and how personal data is collected and processed by those applications. We encourage individuals using our applications to refer to the privacy statements available on those applications.

Personal data obtained in connection with medical and health-related services to clients

Collection of personal data

Our policy is to collect only the personal data necessary for agreed purposes and we ask our clients only to share personal data with us where it is strictly needed for those purposes.

Where we need to process personal data to provide our services, we ask our clients to provide the necessary information to the data subjects concerned regarding its use.

We collect and use contact details for our clients in order to manage and maintain our relationship with those individuals. Please see the Business contacts section of this privacy statement for more information about our processing of this type of data.

Given the diversity of the services we provide to clients (click here for information on our services ), we process many categories of personal data, including:

Personal details (e.g. name, age/date of birth, gender, marital status, country of residence);

Contact details (e.g. email address, contact number, postal address);

Financial details (e.g. salary, payroll details and other financial-related details such as income, investments and other financial interests, benefits, tax status); and Job details (e.g. role, grade, experience, performance information and other information about management and employees).

For certain services or activities, we may process special categories of personal data (such as in performing know your client checks and providing immigration status, which involve us processing government identification documents that may contain biometric data or data revealing racial or ethnic origin or as part of an audit of an organization in the health sector).

Generally, we collect personal data from our clients or from a third party acting on the instructions of the relevant client. For some of our services, for example, when undertaking a due diligence review of an acquisition target on behalf of a client, we may obtain personal data from that target’s management and employees or from a third party acting on the instructions of the target.

Use of personal data
We use personal data for the following purposes:

Providing Medical and Health-related services
We provide a diverse range of medical and health-related services (click here for information on our services). Some of our services require us to process personal data in order to provide advice and deliverables. For example, we will review payroll data as part of an audit and we often need to use personal data to provide global mobility and pensions services.

Legal grounds: Legitimate interests, legal obligation, public interest or consent

This processing of personal data by us is necessary for the purposes of the legitimate interests pursued by us in providing Medical and Health-related services and our client in receiving medical and health-related services as part of running their organization and, in some cases, we have a legal obligation to provide the services in a certain way. Where we process special categories of personal data, we rely on a relevant public interest condition or consent.

Administering, managing and developing our businesses and services
We may process personal data in order to run our business, including:

managing our relationship with clients; developing our businesses and services (such as identifying client needs and improvements in service delivery); maintaining and using IT systems; hosting or facilitating the hosting of events; and administering and managing our website and systems and applications.

Legal grounds: Legitimate interests
This processing is necessary for the purposes of the legitimate interests pursued by us to administer, manage and develop our business and services.

Security, quality and risk management activities

We have security measures in place to protect our and our clients’ information (including personal data), which involve detecting, investigating and resolving security threats. Personal data may be processed as part of the security monitoring that we undertake; for example, automated scans to identify harmful emails. 

• We monitor the services provided to clients for quality purposes, which may involve processing personal data stored on the relevant client file. We have policies and procedures in place to monitor the quality of our services and manage risks in relation to client engagements. 
• We collect and hold personal data as part of our client engagement and acceptance procedures. As part of our client and engagement acceptance, we carry out searches using publicly available sources (such as internet searches and sanctions lists) to identify politically exposed persons and heightened risk individuals and organizations and check that there are no issues that would prevent us from working with a particular client (such as sanctions, criminal convictions (including in respect of company directors), conduct or other reputational issues).
  Legal grounds: Legitimate interests
  
• This processing is necessary for the purposes of the legitimate interests pursued by us to ensure network and information security, manage risks to our business and check the quality of our services.
• Complying with any requirement of law, regulation or a professional body of which we are a member
  
• As with any provider of Medical and Health-related services, we are subject to legal, regulatory and professional obligations. We need to keep certain records to demonstrate that our services are provided in compliance with those obligations and those records may contain personal data.
  
• Legal grounds: Legal obligation or legitimate interests
  This processing is necessary for us to comply with a legal obligation; for example, when conducting customer due diligence checks to comply with anti-money laundering regulations and, where we do not have a legal obligation, we have a legitimate interest in processing personal data as necessary to meet our regulatory or professional obligations.

• We are continually looking for ways to help our clients and improve our business and services. Where agreed with our clients, we may use information that we receive in the course of providing Medical and Health-related services for other lawful purposes, including analysis to better understand a particular issue, industry or sector, provide insights back to our clients, to improve our business, service delivery and offerings and to develop new HebeDoc.com technologies and offerings. To the extent that the information that we receive in the course of providing Medical and Health-related services contains personal data, we will remove the personal data prior to using the information for these purposes.
  
• Legal grounds: Legitimate interests
  We have a legitimate interest in de-identifying data to help our clients, to improve our business, service delivery and offerings and to develop new HebeDoc.com technologies and offerings, including by performing benchmarking and analysis.
  
• Data retention
  We retain the personal data processed by us for as long as is considered necessary for the purpose for which it was collected (including as required by applicable law or regulation).
  In the absence of specific legal, regulatory or contractual requirements, our baseline retention period for records and other documentary evidence created in the provision of services is 8 years.
  Personal data may be held for longer periods where extended retention periods are required by law or regulation and in order to establish, exercise or defend our legal rights.
  How we share personal data and locations of processing
  
• Further details about the processors (such as IT service providers) used by HebeDoc.com and locations of processing are provided here . We may use other organizations to help us deliver our services as agreed with our client on an engagement-specific basis.
  
• Visitors to our website
  Collection of personal data
  
• Visitors to our websites are generally in control of the personal data shared with us. We may capture limited personal data automatically via the use of cookies and analytics tools on our website. Please see the section on Cookies below for more information.
  
• We receive personal data, such as name, title, company address, email address, and telephone and fax numbers from website visitors; for example when an individual registers updates from us.
  Visitors are also able to send an email to us through the website. Their messages will contain the user’s screen name and email address, as well as any additional information the user may wish to include in the message.
  
• We ask that you do not provide special categories of personal data (such as race or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; physical or mental health; genetic data; biometric data; sexual life or sexual orientation; and, criminal records) to us when using our website.
  
• Use of personal data
  When you provide personal data to us, we may use it for any of the purposes described in this privacy statement or as stated at the point of collection (or as obvious from the context of collection), including:
• where you submit your contact details, unless we are asked not to, we may contact you with information about HebeDoc.com’s business, services and events, and other information which may be of interest to you. Should visitors subsequently choose to unsubscribe from mailing lists or any registrations, we will provide instructions on the appropriate webpage, in our communication to the individual, or the individual may contact us by email to data.protection@hextransforma.com;
• to administer and manage our website, including to confirm and authenticate your identity and prevent unauthorized access to restricted areas of the site or premium content;
• to communicate with you in order to distribute requested materials or ask for further information;
• to personalize and enrich your browsing experience by displaying content that is more likely to be relevant and of interest to you;
• to sort and analyze user data (such as determining how many users from the same organization have subscribed to or are using our websites);
• to determine the company, organization, institution, or agency that you work for or with which you are otherwise associated;
• to develop our businesses and services, including aggregating data for website analytics and improvements;
• aggregating data to conduct benchmarking and data analysis including, for example, regarding usage of our websites;
• to conduct quality and risk management reviews;
• to understand how people use the features and functions of our websites in order to improve the user experience;
• to monitor and enforce compliance with our terms, including acceptable use policies; and any other purposes for which you provided the information to HebeDoc.com (such as to subscribe you to the updates you request).

• Our websites do not collect or compile personally identifying information for sale to non-HebeDoc.com parties for their marketing purposes. If there is an instance where your personal data may be shared with a party that is not a HebeDoc.com member firm, you will be asked for their consent beforehand.
  
• Cookies
  We use small text files called ‘cookies’ which are placed on your hard drives to assist in personalizing and enriching your browsing experience by displaying content that is more likely to be relevant and of interest to you. The use of cookies is now standard operating procedure for most websites. However if you are uncomfortable with the use of cookies, most browsers now permit users to opt-out of receiving them. You need to accept cookies in order to register on our website. You may find other functionality in the website impaired if you disable cookies. After termination of the visit to our site, you can always delete the cookie from your system if you wish.
  You can find out more details regarding our use of cookies on our Cookies page.
  
• Third party links
  Our website may link to third party sites not controlled by HebeDoc.com and which do not operate under HebeDoc.com’s privacy practices. When you link to third party sites, HebeDoc.com’s privacy practices no longer apply. We encourage you to review each third party site’s privacy policy before disclosing any personally identifiable information.
  
• Data retention
  Personal data collected via our websites will be retained by us for as long as it is necessary (e.g. for as long as we have a relationship with the relevant individual).
  
• Other
  We collect personal data when an individual gets in touch with us with a question, complaint, comment or feedback (such as name, contact details and contents of the communication). In these cases, the individual is in control of the personal data shared with us and we will only use the data for the purpose of responding to the communication.