Antibiogo
privacy policy
Why write a privacy policy?
Privacy policies are rarely written to be read by people. Writing our own, we tried to make it as accessible and comprehensive as possible. In providing its service, the Antibiogo mobile app deals with data, sometimes personally identifiable information, and sometimes health data. This privacy policy aims to explain why and how we process data of any form.
Disclaimer: the Antibiogo mobile app is currently under clinical evaluation and In Vitro Diagnostic Medical Device (IVDD) certification (98/79/EC). This means that the app is not yet publicly available, nor is it in its final clinical use form. Thus, this privacy policy is subject to change accordingly.
Updated on May 18, 2022
Our mission
Antibiogo is a mobile app that supports non-expert laboratory technicians in low resource settings in measuring and interpreting Antibiotic Susceptibility Tests (AST), to help clinicians prescribe accurate antibiotics.
We aim to be available in most contexts. The app is and will remain free, and it can work fully offline.
On a global level, Antibiogo aims to help tackle antimicrobial resistance, following the World Health Organization’s Global Action Plan.
Our key principles on data privacy
- We collect only what is necessary. We undertake to collect and process only the data which are strictly necessary with regard to their purpose. Likewise, we are committed to ensuring that the data collected will be kept in a form allowing any identification for a period that does not exceed the time necessary for the purposes for which this data is collected and processed.
- We work to comply with European standards. With regard to the General Data Protection Regulation (GDPR), Antibiogo is a controller. We apply the regulation to our data use and organization. In addition, to comply with French regulations on health data processing, we use a certified health data host (hébergeur agréé de données de santé in French).
- We will not sell any data. Antibiogo is created and fully funded by the MSF foundation. As a non-profit humanitarian organization, we do not make business out of any data collected through this app’s use.
Type of data collected and usage
There are 3 distinct types of data collected through use of the application.
AST data
Usage: Data that pertains to the main diagnosis flow of Antibiogo. These are all used as input to generate the AST results.
- AST ID
- Sample type
- Bacteria species or genus
- Population group
- Lab technician name
- AST picture
- List of tested antibiotics
- Zone of inhibition diameters per antibiotic
- Expert system coherence checks output
- Verifications prompted by the expert system
- Check performed
- Pass or fail value
- Type of verification requested
- User response
This data is mostly anonymous, except for:
- AST ID: It can be considered “pseudonymised” data, as it does not allow the identification of the patient on its own, given that it does not contain any identifiable information (e.g. name, date of birth or social security number), but it could be leveraged to trace back to patient identifiable information through the patient ID.
- Lab technician name: Login is not implemented in the app. Thus, we ask lab technicians to identify themselves so that both their team and clinicians know who generated the AST. Any form of pseudonymisation can of course be used here.
The other data types cannot be used to identify the patient on their own. Nevertheless, they can be combined with others to facilitate identification.
Lab technician names do not follow the 30-day deletion rule. They are saved locally as long as one of the ASTs present in the app uses the name. Any AST deletion, app uninstall or storage reset will remove this data from the app.
Note: When sending results to the clinician, the user is invited to enter the associated patient ID. This ID is printed on the PDF that is generated to be sent, but the app does not store patient ID.
Legal basis of the processing: the processing is necessary in order to protect the vital interests of the data subject, namely the patient.
App usage and interactions
Usage: This is data that relates to user interactions with the app user interface (UI), such as clicking on a specific visual element or viewing a screen of the app. This data is used to understand how the app is being interacted with and whether the features work as intended for users.
This data is anonymous (no user identifier).
Legal basis of the processing: the processing is necessary for the purposes of our legitimate interests, taking into account the interests or fundamental rights and freedoms of the data subject.
Technical data
Usage: Data that reflects the software performance of the application and helps the development team ensure a healthy state throughout the app's evolution.
This data is anonymous (no user identifier).
Legal basis of the processing: the processing is necessary for the purposes of our legitimate interests, taking into account the interests or fundamental rights and freedoms of the data subject.
Data hosting
Our data is stored on Google Cloud Platform. Their service claims that GDPR compliance is a top priority for them, and details how they do it here.
Google Cloud is also an HDS-certified host, meaning that companies that work with and in the French healthcare industry and that comply with France's General Security Policy for Health Information Systems (PGSSI-S) can confidently exchange, store data, and run workloads pertaining to French PHI on Google Cloud Platform.
Our data is hosted in the European Union. The servers hosting it are located in the Netherlands and Finland.
Services accessing data
We use external services to provide our own. This means that partners can access some data that we choose to communicate with them. These transfers can only occur in the context of operations that we mentioned earlier. These operators are bound by their own privacy policies and subject to GDPR as contractors of Antibiogo.
- Google Cloud (data hosting and storage)
- Firebase (storage and engineering features)
Security measures
Local app storage is secured using the Room native Android service. The system prevents other apps from accessing these locations, and on Android 10 (API level 29) and higher, these locations are encrypted.
When a network connection is available, data collected from the app is transferred to the server. It is used for optional features such as AST approval, and to improve the operation of the app. In this context, we add extra layers of security:
Your rights on the data
For any questions concerning the security and processing of personal data, or to allow you to exercise your rights of access, rectification, deletion, withdrawal of consent, limitation of processing, objection to processing or right to portability, you can contact us and our Data Protection Officer (DPO) at hello@antibiogo.org.
If you feel like your rights haven’t been properly addressed, you have the right to complain to a data protection authority of your choice.