Patient Privacy Notice
Last Updated: 26 March 2020
Butterfly Network, Inc. ("Butterfly", “we”, “us” or “our”) has developed a whole-body portable ultrasound scanner (the "iQ Device") to allow physicians and other licensed health care providers (each a "Customer") to perform certain diagnostic imaging, measurements and medical examinations on their patients. In connection with the use of the iQ Device by our Customers on their patients, certain personal information relating to the Customers' patients (such as the ultrasound scan data) will be collected and processed by Butterfly.
This Patient Privacy Notice ("Patient Notice") supplements Butterfly's General Privacy Notice (which is available here) and explains how we collect and use patient data following the use, by our Customers, of the iQ Device and related services for our deep learning purposes in order to develop and improve the use and operation of the iQ Device and related services.
Please note that this Patient Notice only applies to patients of our Customers. This Patient Notice does not apply to our Customers, whose license and use of the iQ Device and related services are governed by a separate legal agreement with Butterfly.
Scope of this Patient Notice
Our iQ Device and related hosted services are intended for use by our Customers. This means that in most cases, we are collecting and processing your personal information on behalf of our Customer's as a 'data processor'. This means that it is primarily our Customers (the 'data controllers'), who control what personal information we process and how we use it.
Therefore, if you are a patient of one of our Customers, and have privacy related questions or concerns about the privacy practices of our Customer's or the choices the relevant Customer has made to share your information with us or any other third party, you should contact the relevant Customer directly for more information, or otherwise review their or (where applicable) their organization's privacy notices.
Please note that we are not responsible for the privacy or security practices of our Customers, which may differ from those set out in this Patient Notice. For the avoidance of doubt, this Patient Notice does not apply to the extent we process patient data as a data processor on behalf of our Customers.
Who are we?
We are a company headquartered in the United States. In support of our mission to democratize healthcare by making medical imaging accessible to everyone around the world, we have developed and provide to our Customers the iQ Device and related services, including a web-based application, application programming interfaces and platform services. In particular, the iQ Device allows our Customers to perform diagnostic imaging and measurement of blood vessels and perform medical exams such as obstetric exams, musculoskeletal checks and cardiac scans. You can find out more about us and our services here.
How does Butterfly collect and use your personal information?
As described above, in most cases, we only process patient data on behalf of and as instructed by our Customers (your physician or health care provider), who are the 'data controllers' of the personal information collected.
However where permitted by our Customers and applicable law, we combine and leverage certain patient data (including sensitive health data) collected through our Customers' operation of the iQ Device for our internal purposes in order to develop and improve the use and operation of the iQ Device and related Butterfly services. Such purposes include:
- To train our models and algorithms to better interpret the ultrasound images captured from iQ Devices, to make more consistent measurements and therefore to improve the functionality of our services and diagnostic outcomes; and
- To allow Customers with less training to be able to operate more easily an iQ Device, to be able to better interpret the images captured from the iQ Device and to make more consistent measurements.
We take a number of robust steps to ensure that patient data is first de-identified so that it does not specifically identify any particular patient by reference to their name or other directly identifying information. In particular, we remove all directly identifying data (such as the patients contact information and the unique study ID or organization ID assigned to the image scans) and replace such data with new unique randomized IDs that do not trace back to a specific patient or Customer. To the extent the de-identified patient data is still considered personal information under applicable data protection laws, we ensure that such data is processed and protected in compliance with such laws.
What personal information does Butterfly collect for such purposes?
We process the following patient personal information for our internal learning purposes:
- Image scans, including ultrasound images, collected from Customer's use of the iQ Device.
- A unique randomized image ID, which we assign to an image scan so we can identify the image without tracing the image back to a specific patient or Customer.
- The metadata related to the image scans, such as scanning mode selected, physical pixel size of an ultrasound study.
- A randomized study ID, which we use to identify which image scans form part of the same group.
- The country in which the patient is located.
Some of this information may be considered sensitive data or "special category data" under some data protection laws and regulations. For example, the image scans will qualify as sensitive health data under certain data protection laws and regulations.
We do not process any patient contact or other identification information (such as their name or contact details) or any information that identifies the Customer for our learning purposes. As described above, we take robust steps to ensure that all personal information is first de-identified so that it is not possible for Butterfly to specifically identify any particular patient or identify the Customer as the source.
Who is the data controller of my data?
If you are resident in the European Economic Area ("EEA"), United Kingdom or Switzerland, we act as a 'data processor' on behalf of our Customers (the 'data controllers') in most cases. However, in relation to the processing described in this Patient Notice, the 'data controller' is Butterfly Network, Inc.
What is Butterfly's legal basis to process your personal information (for EEA, Switzerland and UK residents only)?
We will process your personal information for the purposes described in this Patient Notice to the extent that such processing is necessary for our legitimate interest to develop and improve the iQ Device and related services. For example, to help identify difficulties that Customers may be having in the operation of the iQ Device, to better interpret the images captured from the iQ Device or to facilitate more precise and consistent measurements.
To the extent we process sensitive data or 'special category data' for such purposes, we may where permitted by applicable law and subject always to ensuring suitable measures to safeguard the fundamental rights and interests of patients, process such information for reasons of public interest in the area of public health (such as to ensure a high standard of safety of the iQ Device) or as necessary for scientific research purposes or statistical purposes.
In some circumstances, where local data protection law requires, we will seek your consent to use your personal information for the purposes described in this Patient Notice. If you have further questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided below.
With whom will Butterfly share your personal information?
We will not share your information with anyone except with other Butterfly entities for the purposes described in this Patient Notice, our third party service providers (such as our cloud hosting providers who provide data storage and processing services), and as may be required by law and for protecting our rights.
Our third party service providers are not authorized to retain, share, store or use your personal information for any purposes other than to provide the services they have been hired to provide.
For more information, please see the section titled "Who Do We Share Your Information With?" of our Privacy Notice available here.
Where is my personal information stored?
Butterfly is headquartered in the United States and we have processing facilities in the United States, Canada and Europe. Where your personal information is transferred outside of the European Economic Area, United Kingdom or Switzerland (or other country of collection), we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Notice.
For more information, please see the section titled "International Data Transfers" of our Privacy Notice available here.
How long do we keep your personal information?
We retain your personal information where we have an ongoing legitimate business need to do so, for example, for the purposes described above or to comply with applicable legal, tax or accounting requirements.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymise it or, if this is not possible (for example, because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
How does Butterfly protect my personal information?
We take the security of your personal information very seriously. For more information about our security practices, please see the section titled “Security of the Site and Services” of our Privacy Notice, which is available here
What are my data protection rights?
You have certain rights concerning the personal information that we process, as further explained in the section titled "Your Privacy Rights" of our Privacy Notice, which is available here.
As further explained above, in most cases, we only process patient data on behalf of and as instructed by our Customers who are the data controllers of the personal information. Therefore, if you are a patient of one of our Customers, please contact such Customer directly with your request to access or limit the use or disclosure of your information. If you contact us with the name of the Customer to whom you provided your personal information, we will refer your request to that Customer and support them in responding to your access request. You also have the right to complain to your data protection supervisory authority if you feel that any of your personal information is not being processed in accordance with applicable data protection laws.
If you wish to contact us with your questions or comments regarding this Notice, please email us at: email@example.com.
Alternatively, you can contact us in writing at: 530 Old Whitfield St, Guilford, CT 06437, ATT: Data Protection Officer.