ORCHA Data Protection Principles
ORCHA Health Ltd is the data controller, in terms of the Data Protection Act 2018.
Thinkific Labs Inc is the data processor and adheres to the legal responsibilities of this role.
ORCHA respects the privacy and confidentiality of all users who engage with the ORCHA App Review platform, or organisations who engage in partnership, or project work with ORCHA.
ORCHA strives to ensure that all data that is shared with us, because of those relationships, is treated with full respect for personal, and client, privacy and is protected in line with all legal responsibilities and recognised best practice standards and processes.
ORCHA will only collect the minimum levels of personal data necessary to support our operational processes and will never share, or sell, personally identifiable data collected while maintaining ORCHA business processes without asking for and receiving fully informed consent from any ORCHA users, or clients, who may be affected by that action.
Why we publish this policy?
ORCHA also publishes this policy:
• to ensure all ORCHA data capture, data management and data utilisation processes are transparent to our end users
• to clearly explain what data we collect
• to explain how ORCHA uses any personal information that our end users supply to us
How we collect information
ORCHA collects personal information about you when you, for example:
• When you are registered with us to become a Pro User for an ORCHA site
• undertake actions on the ORCHA site such as:
- Recommend an App to another user, if that functionality is available to you
- Visit web pages on an ORCHA site
- Complete specific actions on an ORCHA web page – e.g. Click on the 'Download an App' button
- Participate and complete modules in the ORCHA Digital Health Academy
• complete an ORCHA survey
• take part in an ORCHA event or competition
• provide us with personal information in any other way
• enquire about the fundraising campaigns that we run
All these actions are required to enable ORCHA to deliver its services as a Data Processor and we only capture the minimum number of data items required for the delivery of those services.
All data that is captured through your interactions with ORCHA is stored securely in protected databases and only accessible to accredited administrative users with specific access permissions.
Data transferred between ORCHA webpages and the data stores we utilise is fully encrypted in transit, in line with best practice encryption methodologies (certified 256bit encryption) to minimise the risk of that data being intercepted or breached. ORCHA use TLS 1.2 to transmit data securely when the ORCHA systems are accessed via a browser.
ORCHA only collects the following personal data items, depending on your interactions with the platform:
• Your name
• Your address
• Your email address, and/or mobile telephone number
• Non-mandated additional information volunteered by yourself (e.g. Age)
• The pages you view on ORCHA websites
• The Apps you recommend to others
• The Apps you download via the ORCHA sites
• The address, name, and job role of relevant Healthcare Professional (if applicable)
ORCHA also uses Google Analytics which collects the following information from all users of the platform, registered and unregistered:
• IP address
Google Analytics service allows us to maintain a strong understanding of ORCHA platform utilisation to ensure the platform is continually improved for our platform users. The IP address is held separately from all data captured by ORCHA directly and cannot be used to identify an individual directly.
For more information on the Privacy Controls utilised in Google Analytics please visit:
This includes a:
• device's IP address (processed during your session and stored in a de-identified form),
• device screen size, device type (unique device identifiers),
• browser information,
• geographic location (country only), and the preferred language used to display our website.
Hotjar stores this information on our behalf in a pseudonymized user profile. Hotjar is contractually forbidden to sell any of the data collected on our behalf.
For further details, please see the ‘about Hotjar’ section of Hotjar’s support site.
ORCHA also collects the following usage data relating to the ORCHA Digital Health Academy (accessible to all Pro Users) internally:
• Academy courses accessed
• Progress against the academy courses accessed
How we get this information and why we have it
We collect this information through your interaction with the ORCHA platform and through your direct interactions with us as a company. We collect it to ensure we can deliver the full functionality of the ORCHA platform to you, and any additional ORCHA services you request directly from us. We also utilise the data to understand how users interact with the ORCHA platform so that we can continually adapt and improve the ORCHA platform for our users.
ORCHA will only capture the minimum number of data items necessary to ensure the fulfilment of required ORCHA services.
How we use your information
ORCHA uses the information that you give to us:
• to send you information, products or services that you have consented to receive
• to improve the information, products and services ORCHA offers to its users. (This includes improving our capability to match Health Apps specific to your health need/age/preferences and general improvement of ORCHA website and review functionality and presentation)
• to contact you about events, fundraising, campaigning and our other work, where you have consented to receiving marketing information
• to develop aggregated reports and analysis, using anonymised data, to support research into the broader ongoing development of the Health App market and the utilisation of Health Apps within a defined Health Economy
ORCHA may link data captured from different ORCHA services (e.g. The ORCHA Digital Health Academy), at a personal level, in order to improve our understanding of service utilisation and to support analyses on site utilisation and activity, but ORCHA will never publish, share or sell personally identifiable data without explicit, and informed, consent being received from all parties whose data is being used for those purposes.
How do we store and manage your data?
The Azure ORCHA solution is hosted on Azure and utilises a Hub and Spoke networking model. Any ePHI sits in the geographic jurisdiction of the client so local governance laws can be adhered to. For example, a UK clients ePHI would be hosted in the Azure UK South datacentre and adhere to GDPR laws. A Canadian clients ePHI data would be hosted with Azure in Canada in a way that adheres to local compliance laws. ePHI is stored in these local Spokes whereas all other system data is stored within the central Hub hosted in Azure UK South. All data is encrypted at rest.
All Azure to Azure communication within the ORCHA platform is done through the Azure backbone. On top of that, environments are hosted within Virtual Networks. There is a single point of access for all data and that is through Azure Front Door and then through a Firewall and then into the Hub. Once the Hub is accessed then data can be requested from any of the Spokes. All data that is passed out of the system goes back though the Firewall and then through Azure Front Door.
Access to the Production environment is through a Bastion host (Jump Box) and users can Remote Desktop to this machine. To access this the user needs to have an Azure Active Directory account and needs to have the correct permissions assigned. Production data is not used for reporting purposes.
How do we protect personal information?
ORCHA implements a range of measures to ensure that any personal information that you provide us with is kept secure, accurate and up to date.
ORCHA's protective measures include:
• regular reviews of data capture processes to ensure only data that is necessary to support the delivery of ORCHA services is captured
• transparent, informative opt-in Consent capture mechanisms to ensure that all ORCHA service users understand why ORCHA collects their data and how ORCHA manages that data.
• ORCHA provides the functionality for users to retract their consent should their preferences change. This functionality is available in the ‘My Account: Your rights under GDPR’ section on all ORCHA platforms.
• Users who choose not to provide any personally identifiable data, can continue to use the ORCHA platforms as normal, but the full functionality of the ORCHA platform will not be available to those users.
• Strong encryption of all data in transit between the ORCHA sites/Apps to our secure data storage facilities using certified 256 bit encryption.
• ORCHA databases are secured within a hosted via Microsoft Azure.
• Access to data collected through ORCHA interactions with end users of our services, is limited to only those ORCHA Data Administrators with appropriate permissions
• Critical system components are backed up across multiple, isolated locations and the system continuously monitors service usage to deploy infrastructure to support availability commitments and requirements.
• ORCHA keeps personally identifiable data for a period of 2 years following the closure of an account for legal and audit purposes. After this period all personally identifiable data items are destroyed in line with best practice data destruction standards.
ORCHA will not pass your personal details to other people, or organisations, without first obtaining your consent.
ORCHA reserves the right to share your information with other companies that we own, or other companies that help us provide any of our services.
There may be rare occasions where information is gathered through the day-to-day collection of ORCHA data, where the data identifies a clear need to safeguard the welfare of the individual and/or his/her family and, on those occasions, it may be necessary to contact relevant authorities to address this. ORCHA will only undertake these actions in line with appropriate legal guidelines and using formal, recognised, and auditable processes.
Your consent to utilise ORCHA services is contained within the ORCHA registration process and will clearly inform the user at the point of registration why the data we are requesting is necessary and how that data will be used by ORCHA.
The ORCHA consent process requires all end users to positively opt-in to a range ORCHA services, with information provided to explain each option prior to sign up.
Consent preferences can be changed at any time. The functionality to withdraw Consent is provided within the ‘My Account’ section on the ORCHA platform.
For users who are under 18, a parent/guardian's permission is required before any personal information is captured relating to the individual.
If you believe that an underage user has incorrectly created an ORCHA account, please inform the ORCHA team via firstname.lastname@example.org
Your data protection rights
Under data protection law, you have rights including:
Your right of access
You have the right at any time to ask for a copy of the information that ORCHA holds about you, and ORCHA will supply that data to you in line with its legal requirements to do so.
Your right to rectification
You have the right to ask ORCHA to rectify information we hold that you think is inaccurate. You also have the right to ask ORCHA to complete information you think is incomplete.
Your right to erasure
You have the right to ask ORCHA to erase your personal information in certain circumstances.
Your right to restriction of processing
You have the right to ask ORCHA to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the the right to object to the processing of your personal data in certain circumstances.
Your right to data portability
You have the right to ask that ORCHA transfers the information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, ORCHA has one month to respond to you. However, ORCHA aims to provide a response to all Data Rights Requests within 24 hours, with full completion of related actions within seven working days.
Please contact us email@example.com if you wish to request any changes to the data ORCHA holds about you or to withdraw your consent. Please state in the heading of your email which right or rights you wish to exercise.
If your personal details change, please help the ORCHA team to keep those details up to date by telling us about any changes.
If you want to see what information we have about you, or need to tell us about any changes to the information that you have given to us, please contact:
Data Protection Officer,
ORCHA Healthcare Ltd.
We may change this Privacy Statement at any time. If you use this website after changes are made you will be agreeing to those changes.
How to complain
In the first instance please contact the ORCHA data protection officer at firstname.lastname@example.org
If you remain dissatisfied you can complain to the Information Commissioner’s Office (ICO), if you are unhappy with how we have used your data.
The ICO’s address:
Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire. SK9 5AF.
Helpline number: 0303 123 1113
Cookies are small text markers stored on your computer that enable us to understand how people use our website.
No personally identifiable information is stored in cookies. In common with many similar websites, ORCHA uses them to help remember preferences and for anonymous statistical measurements - for example so we know how many "visits" a page has had.
• remember certain information about users so they don't have to repeatedly provide that information
• recognise if users are already logged in to certain areas of the website
• measure how people use our website so we can continually improve how information is provided.
You can do this through your chosen internet browser (Internet Explorer, Google Chrome, Mozilla Firefox etc.). Use the help function within the specific browser to find out how.
However, if you restrict cookies for the ORCHA website then there is a risk you will not be able to access the full functionality of the ORCHA website and your user experience may be undermined as a result.
What cookies are used on ORCHA sites?
The cookies applied on ORCHA websites are:
• Google Analytics - This is a service we use from Google that collects information about how people use our website. We use this to make sure we are providing the best service we can to our web visitors. This information cannot be used to identify you and is only available for ORCHA's internal use only. ORCHA does not allow Google to share it. Using cookies, Google Analytics captures information that allows ORCHA to understand:
- What pages were viewed
- How long those pages were viewed for
- How the user came to the site
- What website buttons and functions were clicked on
- What browser was used to access the site
- What country the computer is accessing the site from
- What search terms were used
• HubSpot Content Management System (Joomla) – This is the system ORCHA uses to build the website and update the pages. In a similar way to Google Analytics this also collects information about how many times a page has been visited and how many times a file is downloaded (e.g. the PDFs of our research reports and briefings)
• Cookies are set when you visit the Hotjar website at hotjar.com and you can opt out of non-essential cookies that have been set. The Hotjar Tracking Code is also installed on hotjar.com and cookies that are specific to the Hotjar Tracking Code may also be set.
• Cookies that are set by other websites - If you are using the sharing facility already mentioned (i.e. Share content with Facebook, Twitter) then it is possible those websites (e.g. Facebook) may also set cookies when you log in to their service. ORCHA is not responsible for third party cookies of this nature and does not control these cookies.
• Embedded third party services - Occasionally we embed things like video, audio and pictures from other websites such as such as YouTube, Vimeo, Flickr or Soundcloud. This means it looks like one of our web pages, but the video is being fed through from another site (i.e. YouTube). When this embedded content is accessed via the ORCHA site, the owner of that content sites may use their own cookies to record that you watched or viewed the content. ORCHA has no control over these cookies so you should check the relevant website for more information.