We have designed our website, app and systems (the systems) to protect the security of your data and we are committed to protecting and respecting your privacy.
The app only works with COVID-19 tests which are compatible with the app, as confirmed on the app (a Test). The app is designed to enable you to upload an image of the results of a Test that you have taken, and in the event of a negative Test result, obtain a unique QR code (the Saturn Pass). The Saturn Pass is generated by the app as a record of you having taken a Test on a particular day or within a particular period which produced a negative result. This will enable you to show your Saturn Pass to third parties who accept the Saturn Pass as evidence of a negative Test result, including:
Further details about how the Saturn Pass can be used are set out in the section ‘How is the Saturn Pass used?’
From time to time we may also issue other privacy or fair processing notices to you relating to the way in which we collect personal data about you which we will make available on the app.
Saturn Passport Limited is a “data controller” in respect of personal data collected and processed through the app for the purposes of Data Protection legislation. Saturn Passport Limited is a limited company registered in England and Wales under company number 12647399. Our registered office is at 14th Floor, 82 King Street, Manchester, M2 4WQ, United Kingdom.
When you take a Test using the app, the Test must be carried out in the presence of a Health Care Professional (HCP) or Trained Supervisor, as explained in the instructions provided within the app. You will be required to confirm via the app whether you are in the presence of a HCP or Trained Supervisor, and scan their QR code to confirm this within the app. A Test will not be valid, and you will not therefore be able to proceed with uploading a Test result to the app, without the confirmation that the Test has been carried out in the presence of a Health Care Professional.
Personal data is any information that relates to you or to another person. It does not include any information which relates to a person who cannot be identified from that information or where the person’s identity has been removed (anonymous data).
To use the app for workplace testing, you will be invited by your Employer to download and register for an account on the app. Users of the app must be at least 18 years of age.
Whenever we collect, store, use, disclose or delete personal data, this is referred to as processing personal data.
When you use the app, we will process the following kinds of personal data about you:
● Profile data: when you register an account on the app:
● Test data: when you take a Test and record the results of the Test using the app, we will hold the results of your Test, as uploaded to the app, the date you took the Test, and the Health Care Professional or Trained Supervisor who observed the Test. Please see further information in the ‘How Test data is used’ section below.
● Device and usage data: we may collect electronic information which is automatically logged/stored by processing equipment, which may include your internet protocol (IP) address, the type of mobile device you have used to download the app, a unique device identifier (for example, your device's IDFA and IDVA number), operating system and platform, time zone setting, and the country and telephone code where your device is being used. We will also collect details of your use of the app, including how you navigate the app, and which sections of the app you access.
● Location data: if you turn on location data in the app, we will process details of your location, by reference to GPS location data using your mobile device GPS/WiFi settings, when you arrive at and leave the premises of the Employer (but only where the Employer has configured the system to auto scan-in and scan-out the Saturn Pass). The app will only collect this information whilst you are at the relevant location and to confirm the time at which you have left the relevant location. The app will cease to process this information as soon as you leave the location. You can also manually check in and out when you arrive at and leave the an Employer’s or Other Third Party User’s premises.
When you use our website to purchase Tests via our website for workplace testing, we will process the following kinds of personal data about you:
We may also process information relating to your correspondence with us.
From time to time, we may anonymise some of your personal data so that it can no longer be linked to you. This may include your Device and Usage data to assess how the app or website is performing and used, bug or error detection, for system maintenance support, or for improving our software and services.
If you would prefer not to disclose your personal data to us, you are of course free to stop using the app at any time. If you would like us to delete your personal data, please refer to the sections ‘How long we hold your personal data for’ and ‘What are your rights?' below.
The majority of the personal data we hold about you will be uploaded by you to your account on the app, or when purchasing Tests via our website.
Where you use the app for workplace testing, your Employer will provide us with your name and email address in order to send you a link to invite you to download and use the app.
From time to time, we may also collect information from you if you communicate with us directly, for example, if you have a technical issue or other query relating to the app or website.
When you use the app, our systems will automatically collect information about your device, and details of how you use the app. We collect this personal data (namely Device and Usage data, as described in the section ‘The data we collect about you’ above).
The app records the result of your Test.
When an image of the Test result is uploaded to the app, the app reads the Test result using computer vision. You will also need to follow instructions provided with the Test, and enter the Test results manually into the app.
If the Test result recorded by the computer vision within the app is the same as the result you have manually entered in the app, a conclusive result is provided. Where this is a negative Test result, the app will generate a Saturn Pass (in the form of a QR code) which can be shown to your Employer (if the date on which the Test was taken meets the time period requirements of your Employer, as explained in the section ‘How is the Saturn Pass used’ below).
If the app detects a different Test result to the result you have manually entered in the app, the Test result will be recorded as inconclusive by the app, and you should take another Test.
When you take a Test as part of workplace testing, details of your Test result and date of Test will, where you have consented to this, be provided to the Employer in a separate dashboard system (the Dashboard). The Dashboard is hosted by us, but the Employer is responsible for the content and management of the data held within this system. Where you download the app via the invitation link sent to you on behalf of the Employer, the Test result and date of your Test will, where you have consented to this information being provided to the Employer, be linked with your details held by the Employer on the Dashboard so that the Employer can see your Test result and date of Test. The Employer is a data controller of the data it holds on the Dashboard, and information regarding how such data is processed by the Employer should be available from the Employer. Where you have enabled Location data, and therefore consented to the processing of such data, for the purposes of auto checking in and out of the Employer’s premises (as described in ‘The data we collect about you’ section), this information will also be provided to the Employer.
Please note that COVID-19 is a notifiable disease under UK law. If we are, or we become, required under law to notify Public Health England and/or NHS Test and Trace of a positive Test result, and on the basis that it is necessary for reasons of public interest in the area of public health, we may disclose the results of a positive Test result to Public Health England and/or NHS Test and Trace or a governmental or regulatory body of competent jurisdiction, as is required under law. In such circumstances, those third parties will also be controllers of your data. We shall not be responsible or liable for the way in which other data controllers hold or process your personal data.
Your Test result will be held on the app for 30 days, at which point it will be deleted from the app.
When you take a Test as part of workplace testing, the period of time for which Test results and date of Test will be available on the Dashboard is determined by the Employer and will be held in accordance with the retention period determined by the Employer.
We may anonymise the following information (so that it can no longer be associated with you) and retain it for a longer period: the image of the Test result and whether a positive or negative result was recorded, in order to develop, test and improve the computer vision software used on the app. This data may be kept for up to 90 days, at which point it will be deleted.
The purpose of the Saturn Pass is to allow you to show to third parties who accept the Saturn Pass that you have recently tested negative for COVID-19. When the Employer or Other Third Party User views the Saturn Pass or scans the QR code in the app, they will see your name, confirmation that you have a Saturn Pass, date of Test, together with the photograph of yourself which you uploaded to the app, and whether ID was provided and verified (if applicable). This enables an Other Third Party User to verify that the Saturn Pass relates to a Test you have taken. No other personal data is provided through the QR code.
The QR code and Saturn Pass are only disclosed to the Employer or Other Third Party User by you where you choose to do so, and is therefore with your explicit consent.
Your Saturn Pass will expire on the app after 5 days. However, please note that the Employer or Other Third Party User may require the Test to be carried out within a shorter period, and the Saturn Pass will only be confirmed to the Employer or Other Third Party User as being valid when they scan the QR code or view the Saturn Pass, if it meets the time period they have specified. For example, an Employer or Other Third Party User may require you to have taken a negative Test within 48 hours of admittance to their premises and the Saturn Pass will only show as valid if the Test was taken and uploaded to the app within that period.
We will only collect and process your personal data for which we are a data controller where we have a legal basis to do so. In some cases, we may rely on more than one lawful ground to process your personal data. Please contact us at email@example.com if you require further detail at any time.
Information regarding a Test result would be classed as ‘special category data’ under UK Data Protection law and as such, must be processed with more caution than other types of personal data. We only use the Test result data for the purposes set out in the ‘How Test data is used’ section above, the lawful basis for which is set out below.
Please note that if you wish to continue using the app in order to obtain a Saturn Pass, the legal grounds for processing your personal data are as follows:
It is your choice as to whether to present your Saturn Pass to an Other Third Party User or Employer, and by doing so, you are consenting to us sharing some of your personal data (as described above in the section ‘How is the Saturn Pass used’) to the relevant party.
Where you have carried out a Test as part of workplace testing, we may disclose your Test result to your employer or workplace where you have consented to us doing so, as described in the section ‘How Test data is used’.
You are entitled to withdraw your consent to us processing your personal data at any time. We will then generally be required to cease processing your personal data unless we have another lawful basis for using it. Please refer to the section ‘What are your rights?’ below for further information on how to withdraw your consent. This shall not affect our processing of such data prior to your consent being withdrawn. Please note though that if you do not want us to process the Test data or some of the Profile data (as described above), we may not be able to provide a Saturn Pass to you.
− To process an order for a Test placed through our website;
− To manage our relationship with you and to correspond with you concerning your account and respond to any queries or complaints (which may include processing your Profile and/or Device and usage data, as applicable, any information from or relating to your correspondence with us, and/or any other information you may provide to us or which have provided to or uploaded to the app);
− To measure performance, analyse and understand our users and how the app is used, to develop, test and improve the app, the services we provide, user relationships and experiences, by using data analytics using Device and usage data, anonymised data and/or aggregated data, and information from or relating to your correspondence with us;
− To send you survey and feedback requests to help improve our services;
− To understand how users find out about the app (which may include processing Device and Usage data);
You have the right to object to the above processing which is conducted for our legitimate interests, in which case we would assess your complaint and determine whether or not we are still entitled to continue the processing and whether any additional safeguards are required.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, the personal data you provide to us is only available to our personnel and contractors who need access to it in order to fulfil their duties. They are required to process your personal data on our instructions and shall be subject to a duty of confidentiality.
Although we will do our best to protect your personal data, you should be aware that the transmission of information via the internet is not completely secure, therefore we cannot guarantee the security of any personal data transmitted to the app; any transmission is at your own risk. Once we have received your information, we will use appropriate security measures to protect your personal data from unauthorised access.
As explained in the section ‘How is the Saturn Pass used?’ above, the app allows you to show to an Other Third Party User or Employer that you have recently tested negative for COVID-19 by presenting the Saturn Pass or QR code. Information disclosed to an Other Third Party User or Employer is processed by the Other Third Party User or Employer as a controller, and they are therefore responsible for how they process your personal data.
In addition, we may share your personal data with the following third parties:
Where you have carried out a Test as part of workplace testing, we may disclose your Test result and date of Test to the Employer where you have consented to us doing so, as described in the section ‘How Test data is used’. Where you have enabled Location data, and therefore consented to the processing of such data, for the purposes of auto checking in and out of the Employer’s premises (as described in ‘The data we collect about you’ section), this information will also be provided to the Employer. Where you choose to manually check in and out of an Other Third Party User’s or Employer’s premises, this information will be provided to the relevant Other Third Party User or Employer, as applicable.
In respect of any Test result data, as explained in the section ‘How Test data is used’ above, if we are, or become, required to do so under law, we may disclose the results of a positive Test result, to Public Health England and/or NHS Test and Trace or a governmental or regulatory body of competent jurisdiction, as is required under law. Those parties will also be controllers of your personal data.
We require third parties to respect the security of your data, keep it confidential, and to treat it in accordance with the law.
We shall not be responsible or liable for the way in which other data controllers hold or process your personal data.
To the extent we share data with third party data processors, we do not allow our data processors to use personal data for their own purposes and only permit them to process personal data for specified purposes and in accordance with our instructions as set out in our data processing agreements. Further, we do not sell your data.
The app is hosted by Amazon Web Services (AWS), on its servers based in the EEA.
We will only retain your personal data for only as long as necessary to fulfil the purposes for which we collected it.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements. Our retention periods take into account legal and regulatory requirements and are subject to change. If you have any questions in this regard, please contact us at firstname.lastname@example.org.
When you upload a Test result to the app, your Test result and date of Test will be held on the app for 30 days, at which point such data will be deleted from the app. Your name, mobile number, photograph, and proof of identification (if provided) will remain stored in the app until your account is deleted, to simplify the process of uploading a further Test on a later date. Location data which is processed for the purposes of auto scanning in and out of the Employer’s premises (see ‘The data we collect about you’ section) is not stored in the app.
As explained in ‘The data we collect about you’ and ‘How Test data is used’ sections above, we may anonymise the following information (so that it can no longer be associated with you): the image of the Test result and whether a positive or negative result was recorded, which may be kept for up to 90 days, in order to develop, test and improve our software and systems. This data will be deleted after this period.
If you delete the app from your device, this will delete all the personal data held about you in the app, but you can email email@example.com to request a copy of the data which is held in the app at that moment in time. Please note that this will not delete personal data held on the Dashboard for which the Employer is a controller, or which you have disclosed to an Other Third Party User or Employer through your Saturn Pass or QR code.
We shall not have any liability to you for the deletion of personal data in accordance with our data retention policy.
Saturn is subject to the UK Data Protection Act 2018 and UK General Data Protection Regulation (the UK GDPR). Where we process personal data about you, you may be entitled to the following rights pursuant to this legislation:
If you wish to exercise any of the rights set out above in respect of your personal data, please contact us at firstname.lastname@example.org.
We may ask you to verify your identity if you make a request to us to exercise any of the rights set out above. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. You also have the right to request a copy of the information we hold about you.
Please let us know if you are unhappy with how we have used your personal information. You may contact us at email@example.com.
You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please do contact us in the first instance and we shall endeavour to resolve your complaint.
Please let us know if you change your contact details. You have the right to question any information we hold about you that you think is wrong or incomplete. Please contact us if you want to do this.