Back

Privacy policy regarding Aiforia Cloud service

This privacy policy has been updated on October 17th, 2023.

EXPLORE Arrow

Privacy Policy

General

The purpose of this privacy policy is to provide the information required by the EU General Data Protection Regulation 2016/679 on how Aiforia Technologies Oyj ("Aiforia Technologies", "we") processes personal data in relation to Aiforia Cloud service.

Data controller and contact details

Aiforia Technologies Oyj

Business ID: 2534910-2

Address: Pursimiehenkatu 29-31 D, FI-00150 Helsinki, Finland

Representative: For further information about your data processing, please contact

Furthermore, Aiforia can also act as a joint controller together with other data controllers in certain research projects. 

Purposes and legal bases for processing personal data

This privacy policy applies when Aiforia acts as a data controller. Aiforia's clients and partners can be pharmaceutical companies, healthcare companies, laboratories, hospitals, universities, academic research groups or similar entities (hereinafter "client" or "partner").

This section explains how Aiforia processes

  • the personal data of its clients' and partners' employees and other personnel; and
  • the personal data of individuals (patients) whose pathological tissue samples are used as a training data for Aiforia Cloud's artificial intelligence's ("AI") neural networks.

In case you suppose that your personal data derived from pathological tissues is or has been processed by using Aiforia Cloud services, e.g., in relation to diagnostics, please contact the health care service provider that has treated you. When it comes to pathological tissue samples, Aiforia does not get your personal information other than specified below and cannot identify you from the data Aiforia processes in general. We can only fulfil your rights as a data subject if we get additional information. Without further information we are unable to identify you and therefore we cannot fully fulfil your rights.

The first column, "Aiforia as a controller", describes the situation in which Aiforia acts as the controller, i.e., when Aiforia determines the purposes and means of processing personal data. The second column, "Aiforia as a processor", describes the situation in which Aiforia acts as a processor on behalf of another controller. The processing of personal data by Aiforia is guided by the instructions of the controller that is an Aiforia's client. Please note that when Aiforia acts as a data processor, this privacy policy only applies to limited extent and applies to only to the processing done by Aiforia.

The roles and responsibilities of Aiforia are described below in more detail.

 

Aiforia as a controller

Aiforia as a processor
In which situations does Aiforia act as a controller or as a processor?

Aiforia acts as a controller when Aiforia determines the purposes and means of processing personal data. These situations include the following:

Aiforia provides the Aiforia Cloud service to its clients and partners as a service provider, in which case Aiforia e.g., processes contact information and log data of Aiforia's customers' employees and other users of Aiforia Cloud solutions.

Aiforia uses the pathological tissue samples in order to train its AI models (neural network models).

 Aiforia acts as a processor when Aiforia processes personal data on behalf of another controller. This situation occurs when the clients use Aiforia Cloud services to process their pathological tissue samples and to diagnose possible diseases and Aiforia provides the platform and maintenance functions for the client as a processor.
Can Aiforia be both a controller and a processor?

Yes. Aiforia can be both a controller and a processor for the same data. This situation occurs when Aiforia first provides Aiforia Cloud service to a client who uses the service to process and diagnose its pathological tissue samples, in which case Aiforia acts as a data processor.
If Aiforia has the right to use such data collected by another controller for training its AI neural networks with the samples that the client uses in order to develop its AI model, Aiforia will in such a case act as a data controller for the same data.
What is the purpose of the processing? Aiforia's Cloud service is intended to enhance the analysis of microscope-scanned image samples of pathological tissues, improve the quality of analysis performed by pathologists and assist pathologists in finding new tissue features or combinations of image samples that may also allow the development of new diagnostic tests.
As a controller, the main purpose of the processing is providing Aiforia Cloud service to Aiforia's clients and partners, which includes maintenance of the services, e.g., debugging and improving the software usability and performance. Purpose for the processing is also training AI neural networks with obtained pathological tissue sample images, where applicable.     As a processor, these purposes are accomplished by providing Aiforia Cloud service to Aiforia's clients. The purposes of the processing are defined in more detail by the client.
What is the legal basis for the processing?

Aiforia processes the personal data of its clients' and partners' employees and other personnel based on performance of the contract between Aiforia and its clients and on Aiforia's and third parties' legitimate interests.

The identified legitimate interests of Aiforia are the following:

  • to enable and provide access and use of Aiforia Cloud service; and
  • debugging and improving the software usability and performance.

    Furthermore, the identified legitimate interests of third parties', i.a., Aiforia's clients and partners are the following:
  • providing their core services in a more effective manner; and
  • providing the employees with necessary tools to carry out their duties.

    Aiforia processes the personal data of the patients and other test subjects whose tissue samples are diagnosed based on scientific research in the public interest.
 As a processor Aiforia acts on behalf of a data controller. Aiforia does not have a separate legal basis for processing but processes personal data only according to its clients' instructions. Therefore, the legal basis is the legal basis used by the data controller.
What kind of personal data does Aiforia collect about you?

Aiforia collects the personal data of its clients' and partners' employees and other personnel that include the following:

  • Client name
  • Contact information (name, phone number, email, job title, address of the client)
  • Username and password
  • User IP address
  • User logs of user data and user actions data
  • Information provided by the user, e.g., information filled in the free text form
  • Information collected by cookies, e.g., IP addresses, site pages visited, site page visit times, browser type, operating system, website visited before entering Aiforia Cloud service. For more information on cookies, please see Cookies below.

Aiforia also receives the patients' and other test subjects' personal data that include the following:

  • Pathological tissue samples
  • Images of pathological tissue samples
  • When data is collected from biobanks, Aiforia does receive some high-level information regarding e.g., cancer type, survival and treatment.

Aiforia receives the patients' and other test subjects' personal data that include the following:

  • Pathological tissue samples
  • Other information provided to Aiforia by the controller

Aiforia can access the data processed by the controller. Aiforia only accesses such data for maintenance and care purposes and only when requested by the client.
From what sources does Aiforia collect or receive your personal data?

Aiforia receives pathological tissue samples from its clients or its partners. Furthermore, Aiforia can receive pathological tissue samples from commercial partners and biobanks.

Aiforia collects personal data of its clients' and partners' employees and other personnel directly from these persons themselves. Some data regarding the usage of the system, including log files, are based on the behaviour of the data subjects on Aiforia Cloud services.

 Aiforia receives pathological tissue samples from its clients.
Does Aiforia use your personal data for profiling? Profiling means the automated or partly automated processing of personal data for evaluating the personal aspects of an individual. The personal aspects of an individual include, i.a., analysis or prediction of aspects concerning the data subject's health.
Aiforia processes pathological tissue samples by its AI neural networks in order to diagnose a person's health conditions. Aiforia does not profile individuals, but it can use individual samples to improve Aiforia Cloud network. Aiforia Cloud can be used as part of wider profiling purposes if the controller decides to use Aiforia Cloud for such purposes. Aiforia does not profile data subjects. If any profiling is done by using Aiforia Cloud, you can find further information regarding the purposes and possible consequences of such profiling from the controller's privacy policy. 
Who may Aiforia share your personal data with?

Aiforia may share the personal data of its clients' and partners' employees and other personnel with external hosting services providers. These include, but are not limited to, the following:

We enter into a data processing agreement with every service provider who processes personal data on our behalf. In accordance with the data protection agreement, each service provider processes personal data only to the extent necessary for the provision of that service.

In addition, we may disclose your personal data to the extent permitted and obligated by existing legislation, including in connection with business transactions, unless you deny the disclosure of your personal data. We may also transfer or disclose personal data to authorities, where required to do so by applicable laws.

If Aiforia Technologies is involved in a corporate transaction, personal data may be disclosed to third parties in relation to such transaction in accordance with the applicable data protection laws.

We do not share the pathological tissue samples or images thereof with third parties.

Aiforia services can be integrated on its client's platform at the client's request. Unless otherwise agreed with the client, Aiforia services are generally built on top of Microsoft Azure, Amazon Web Services or Google Cloud platforms.

Such external hosting services are considered as data processors. We enter into a data processing agreement with every service provider who processes personal data on our behalf. In accordance with the data protection agreement, each service provider processes personal data only to the extent necessary for the provision of that service.
Does Aiforia transfer personal data outside the EU/EEA?     Aiforia's products are used globally. We and/or our processors may transfer personal data outside the European Union or the European Economic Area. We ensure that such transfers are subject to appropriate safeguards as required by data protection laws, such as the applicable Standard Contractual Clauses approved by the European Commission and the applicable supplementary measures. These can be obtained by contacting Aiforia's representative stated above. Aiforia does not transfer personal data to anyone when it acts as a data processor unless specifically requested by the controller.
How long does Aiforia store your personal data?

Personal data will be stored and processed during the term of Aiforia Cloud service contract, and also thereafter as long as there are legal grounds for the processing.

We delete the personal data of clients' and partners' employees when these persons do not continue working at their service in the respective entity.

Aiforia Cloud logs user data and user actions on the platform, in order to be compliant with applicable regulations for electronic records and electronic signatures. This is our quality policy and is a requirement for Aiforia Cloud clinical compliance. The user logs will be stored indefinitely due to legal requirements.

The deletion of personal data will be performed following Aiforia Technologies’ data erasure procedures.

 

 The controller defines the retention times for personal data processed by Aiforia. Aiforia will either delete or return all personal data to the controller after the processing.
Security of processing We have taken and will maintain the necessary and appropriate technical and organisational measures to ensure the security of processing and to monitor the use of personal data, such as access control and rights, event logging, protection of hardware and files, physical access restrictions, encryption of sensitive data, pseudonymization, user guidelines and supervision. In addition, we have internal procedures for controlling non-conforming products and services, such as IT equipment or software components at Aiforia. Aiforia is ISO27001 certified.

We have taken and will maintain the necessary and appropriate technical and organizational measures to ensure the security of processing and to monitor the use of personal data, such as access control and rights, event logging, protection of hardware and files, physical access restrictions, encryption of sensitive data, pseudonymization, user guidelines and supervision. In addition, we have internal procedure for controlling non-conforming products and services, such as IT equipment or software components, at Aiforia.

The more specific instructions on how the technical and organizational data protection is organized is based on the instructions given by the controller of the data.
Your rights as a data subject

In case you suppose that your personal data derived from pathological tissues is or has been processed by using Aiforia Cloud services, e.g., in relation to diagnostic, please contact the health care service provider that has treated you. When it comes to pathological tissue samples, Aiforia does not get your personal information other than specified below and cannot identify you from the data Aiforia processes in general. We can only fulfil your rights as a data subject if we get additional information which we will request, as necessary. Without further information we are unable to identify you and therefore we cannot fully fulfil your rights. In other cases, and if we receive enough information in order to identify you, the following will apply.

When Aiforia acts as a controller, you as a data subject, have the following data protection rights towards us:

Right of access: You have the right to receive information from us whether we are processing your personal data. If your personal data is being processed, you may request a copy of your personal data that is being processed.

Right to rectification: You have the right to request that inaccurate or incomplete personal data relating to you be rectified or completed. This is provided, as a rule, free of charge.

Right to erasure ("right to be forgotten"): You have the right to request the erasure of your personal data in some cases without undue delay.

Right to restriction of processing: You can request us to restrict the processing of personal data concerning you when it is processed with your consent.

You may in some cases have the right to restrict the processing of your personal data.

Right to object: You may have the right to object to the processing of your personal data in some cases. If your personal data is processed for direct marketing, such as for newsletters, you always have the right to object to the processing of your personal data.

Right to data portability: To the extent that we process your personal data on the basis your consent and the processing is carried out automatically, you have the right obtain the personal data relating to yourself that you have provided to us in a structured, commonly used and machine-readable form, and the right to transmit this data to another controller.

Right to withdraw consent: You have the right at any time to withdraw your consent to the processing of personal data. Withdrawal of consent has no effect on the lawfulness of processing carried out prior to withdrawal.

Right not to be subject to a decision based solely on automated processing: You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Right to lodge a complaint with a supervisory authority: You have the right to lodge a complaint with the competent supervisory authority, in particular in the EU/EEA member state of your habitual residence, place of work or place of the alleged infringement, if you consider that your personal data has been processed in violation of applicable data protection laws. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose contact information is accessible through the following link: https://tietosuoja.fi/en/contact-information

In order to have more information about our Privacy policy, or if you wish to exercise any of the above-mentioned rights, you can contact our Service Desk.

All data subject rights requests will be forwarded to the controller when Aiforia acts as a data processor. You can also contact the controller in question directly in order to exercise your data subject rights when Aiforia acts as a processor.

In order to have more information of our Privacy policy, or if you wish to exercise any of the above-mentioned rights, you can contact our Service Desk.

 

Cookie consent management

Book a free demonstration

Seeing is believing

Book a demo