Patient Privacy Policy

  • Reference: GDPR REC 4.1
  • Organisation Issue No: V1.0
  • Organisation Issue Date: 17 May 2021

1. Scope

Patients of Tympa Health Technologies Ltd’s customers whose personal data is collected.

Further information on how TympaHealth processes privacy data can be found in our Privacy Notice.

2. Responsibilities

2.1 The Data Protection Officer is responsible for ensuring that this notice is made available to data subjects prior to Tympa Health Technologies Limited collecting/processing their personal data.

2.2 All employees/staff of Tympa Health Technologies Limited who interact with data subjects are responsible for ensuring that this notice is drawn to the data subject’s attention and, where necessary, securing their consent to the  processing of their data.

3. Privacy notice

3.1 Who are we?

Key terms:

Tympa Health Technologies Limited: Us.

Customers: Organisations using the Tympa product to provide healthcare to patients.

Patient/you/data subject: Individuals receiving healthcare from the customer organisation.

Tympa Health Technologies Limited is an audiology technology company that makes smart otoscopes. These otoscopes come with iOS and Android apps that include hearing test screening questions, can collect videos and assist with hearing healthcare. Tympa Health Technologies Limited processes data on behalf of customer organisations providing healthcare to patients.

Our Data Protection Officer can be contacted directly here:

Email: [email protected]

Phone: +44 203 878 1390

Postal address: Tympa Health Technologies Limited, Office 402 – Spaces, 4th Floor, Jubilee House, 213 Oxford Street, London, W1D 2LF

3.2 Data processing

The personal data about you that we would like to process is collected from customer organisations of Tympa Health Technologies Limited.

  • The personal data we collect will be used for the following purposes:
  • To book and manage your appointments.
  • To provide your healthcare.
  • Deidentified images and video (meaning that it is not possible to identify the patient) will be accessed by ear, nose and throat (ENT) specialists in order to improve the product and the quality of care provided to patients.
  • In rare cases, ENT specialists may be provided with identifiable information on patients. This will only happen if, during one of these improvement reviews, the ENT specialist identifies a health issue that has not been picked up as part of the treatment provided to the patient. In this case, the images and video will be combined with identifiable patient data to allow the ENT specialist to contact the customer organisation and advise on treatment.

Our legal bases for processing the personal data:

  • In the legitimate interests of the customer organisation and Tympa Health Technologies Limited.
    • To book and manage your appointments
  • With the consent of the patient.
    • To provide your healthcare
  • When processing is in the vital interests of the patient.
    • To allow an ENT specialist to contact a Tympa Health Technologies customer upon identifying a previously overlooked health issue.

The special categories of personal data concerned are:

  • Images and video of the ear collected by the otoscope.

For processing activities requiring consent, you may withdraw consent at any time by contacting the customer organisation that is providing your healthcare. If this is not possible, consent can also be withdrawn by contacting Tympa Health Technologies Limited using the details listed under ‘Who are we?’ above.

3.3 Disclosure

Tympa Health Technologies Limited will pass your personal data to the below third party as part of the service provided to our customers.

Google Cloud Storage: Database storage for data collected to provide treatment for patients.

3.4 Retention period

Tympa Health Technologies Limited will process personal data for as long as a customer organisation continues using Tympa Health Technologies Limited’s services. It will store the data for a maximum of seven years in the case of deidentified images and video that have been used for research.

3.5 Your rights as a data subject

At any point while we are in possession of or processing your personal data, you, the data subject, have the following rights:

  • Right of access – you have the right to request a copy of the information that we hold about you.
  • Right of rectification – you have a right to correct data that we hold about you that is inaccurate or incomplete.
  • Right to be forgotten – in certain circumstances, you can ask for the data we hold about you to be erased from our records.
  • Right to restriction of processing – where certain conditions apply, you have the right to restrict the processing.
  • Right of portability – where certain conditions apply, you have the right to have the data we hold about you transferred to another organisation.
  • Right to object – you have the right to object to certain types of processing, such as direct marketing.
  • Right to object to automated processing, including profiling – you also have the right to not be subject to the legal effects of automated processing or profiling.
  • Right to judicial review – in the event that we refuse your request, we will provide you with a reason as to why. You have the right to complain as outlined under ‘Complaints’ below.

All of the above requests will be forwarded on should there be a third party involved (as stated under ‘Disclosure’ above) in the processing of your personal data.

3.6 Complaints

If you wish to make a complaint about how your personal data is being processed by Tympa  Health Technologies Limited (or third parties as described under ‘Disclosure’ above), or how your complaint has been handled, you have the right to lodge a complaint directly with the supervisory authority and Tympa Health Technologies Limited’s Data Protection Officer.

Supervisory authority contact details:

The Information Commissioner’s Office (ICO) can be contacted at the below link.

Make a complaint | ICO (

Data Protection Officer contact details:

Email: [email protected] Phone: +44 203 878 1390

Postal address: Tympa Health Technologies Limited, Office 402 – Spaces, 4th Floor, Jubilee House, 213 Oxford Street, London, W1D 2LF

3.7 How we use your information

Personal data

Under the GDPR, personal data is defined as:

“any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

How we use your information

This privacy notice tells you how we, Tympa Health Technologies Limited, will collect and use your personal data for making our service available to customers that provide you with medical treatment.

Why does Tympa Health Technologies Limited need to collect and store personal data?

In order for your healthcare provider to administer treatment, we need to collect personal data necessary for providing services to them. We are committed to ensuring that the information we collect and use is appropriate for this purpose, and does not constitute an invasion of your privacy.

Tympa Health Technologies Limited will request your specific consent to process images and video collected by the otoscope.

Will Tympa Health Technologies Limited share my personal data with anyone else?

We may pass your personal data to third-party service providers contracted to Tympa Health Technologies Limited in the course of dealing with you. Any third parties that we may share your data with are obliged to keep your details securely, and to use them only as part of the service we provide to our customers. When they no longer need your data to fulfil this service, they will dispose of it in line with our procedures. If we wish to pass your sensitive personal data to a third party, we will only do so once we have obtained your consent, unless we are legally required to do otherwise.

How will Tympa Health Technologies Limited use the personal data it collects about me?

We will process (collect, store and use) the information you provide in a manner compatible with the GDPR. We will endeavour to keep your information accurate and up to date, and not keep it for longer than is necessary. How long certain kinds of personal data should be kept may also be governed by specific business-sector requirements and agreed practices, such as images or videos used as part of medical research. Personal data may be held for longer than these periods depending on individual business needs.

If you wish to know more about our retention and disposal procedures, please contact our Data Protection Officer using the details found under ‘Who are we?’ at the start of this notice.

Under what circumstances will Tympa Health Technologies Limited contact me?

In normal circumstances, you will only be contacted by your healthcare provider (i.e. our customer). Communications will be related to the treatment you are receiving.

Can I find out the personal data that Tympa Health Technologies Limited holds about me?

Your healthcare provider is the controller for the data processed by Tympa Health Technologies Limited. As such, they will be better placed to provide assistance regarding personal data held about you. If they are not able to answer your query then, at your request, we can confirm what information we hold about you and how it is processed. If we do hold personal data about you, you can request the following information:

  • Identity and the contact details of the person or team that has determined how and why to process your data.
  • Contact details of the Data Protection Officer, where applicable.
  • The purpose of the processing as well as the legal basis for processing.
  • If the processing is based on the legitimate interests of Tympa Health Technologies Limited or a third party, information about those interests.
  • The categories of personal data collected, stored and processed. Recipient(s) or categories of recipients that the data is/will be disclosed to.
  • If we intend to transfer the personal data to a third country or international organisation, information about how we ensure this is done securely.
  • How long the data will be stored.
  • Details of your rights to correct, erase, restrict or object to such processing.
  • Information about your right to withdraw consent at any time.
  • How to lodge a complaint with the supervisory authority.
  • Whether there is a statutory or contractual requirement to provide the personal data, or if it is a requirement to enter into a contract, as well as whether you are obliged to provide the personal data and the possible consequences of failing to provide such data.
  • The source of personal data if it was not collected directly from you.
  • Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.

Document owner and approval

The Data Protection Officer/GDPR Owner is the owner of this document and is responsible for keeping it up to date.

We keep this privacy notice under regular review. This privacy notice was last updated on 17 May 2021.