Privacy Notice

See our Terms of Use

Last updated: 05 December 2022

The important bits

Here are the most important bits you need to know:

  • How do we use your data and why? We use your personal data to deliver our services to you - such as when you use our platform and app - as well as to deliver training and updates to you about our products and services. You can ask us to stop using your data at any time by exercising your data subject rights.
  • Where do we get your personal data from? We collect it directly from you - both manually and automatically. We may also collect it from third parties like your affiliated hospital when using our Touch Surgery™ Enterprise product.
  • How do you exercise your data subject rights? Please email The Medtronic Privacy Office at [email protected] and [email protected] to exercise your Data Subject Rights and include Digital Surgery as a reference in your email;
  • How do you opt-out of marketing? You can opt-out of email marketing using the link at the bottom of the message we've sent you. You can opt-out of all other types of marketing through your account profile or by emailing us or by submitting your request to our Privacy Office.
  • Do you use cookies that collect information about me? Our website uses cookies and we collect analytics information from the use of our products. Please see our Cookie Policy at https://www.touchsurgery.com/cookies.
  • Want to get in touch? You can email us anytime at [email protected] or [email protected]
  1. The basics
    1. Who are we?

      2. We're Digital Surgery Limited, a Medtronic company based in the United Kingdom ("UK"), but you may know us as simply Digital Surgery. Other Medtronic companies are our "Affiliates". We operate the Touch Surgery™ website and mobile app and the Touch Surgery™ Enterprise platform (together, the "Services"), which allow our customers (e.g., healthcare professionals, hospitals or institutions and their authorized users) to upload, store and manage surgical and medical videos. Our Services also provide tools and content to help our customers and authorized users to analyze procedures and to train, educate and reflect on their practice.

    2. What does this Notice apply to?

      3. This Notice applies to the situations set out in Section 2 below, when Digital Surgery determines how your personal data is processed.
      This Notice does not apply to situations when Digital Surgery processes personal data on behalf of our customers who are Touch Surgery™ Enterprise account holders (such as hospitals or other healthcare organizations), in accordance with their instructions. In such cases, the healthcare organization is responsible (i.e., as the data controller) for how your personal data is used. For example: when Digital Surgery provides functionality to live stream or record images or audio of participants in an interactive session, we do so on behalf of the Enterprise Account holder organizing such session.
      Please refer to the relevant Touch Surgery™ Enterprise account holder for further information on how they process your personal data as a controller in such situations.

    3. How do you contact us?

      4. If you have any questions about how we process your data as described in this Notice, please contact us at [email protected] or you can write to us at Privacy Office, Digital Surgery Limited, 230 City Road, EC1V 2QY, London, UK. You can also contact our Data Protection Officer at [email protected].

    4. Who does this Notice apply to?

      5. This Notice applies to you if you are an authorized user of our Services and any other products and services we offer, or if you have otherwise contacted us in relation to those, no matter where you are located.

  2. The details - how we're collecting and using your data, and why
    1. Where do we collect your personal data?

      2. We use a few different methods to collect data from and about you. These include:

      • Direct interactions, such as when you use our Services.
      • Automated technologies or interactions where we automatically collect data about your equipment, browsing behavior and patterns when you use our services. Cookies and similar technologies might also be used to collect data in this way.
      • From third parties who have a legal basis to share your data with us such as your institution.

      In some cases, you may have choices about the data we collect. When you are asked to provide personal data, you may decline. If you choose not to provide data that is necessary for us to provide our Services, you may not be able to use all or a portion of the Services.

    2. What personal data do we collect and why?

      3. We collect personal data for a number of reasons, including to meet our legal obligations, manage our operations, improve our organization and deliver our Services to you or your institution. We’ve set out some examples below.

      Type of personal dataDescriptionPurposeLawful
      Personal and contact informationName, email address, postal address, social media information, phone number and date of birth.Registering and managing your individual Touch SurgerySurgery™ account.

      Communicating with you or responding to your queries.

      Delivering any marketing messages, newsletters or other information that you’ve signed up to receive or have not opted out.

      		When it is necessary for our legitimate interests, e.g., to manage our relationship with you, and keep our records up to date.

      When it is our legal duty to do so, or when it is necessary for our legitimate interests, e.g., to resolve issues and improve the service we provide to you/your institution. When you consent to it, where required by law, or when it is necessary for our legitimate interests, e.g., to promote our Services and develop our organization.

      CommunicationEmails, calls and other communications between us.Investigating and responding to complaints and feedback, as well as other queries you might send us.When it is our legal duty to do so (e.g., as a manufacturer of a medical device), or when it is necessary for our interests to:
      • Communicate with you
      • Be efficient about how we fulfil our legal and contractual duties
      • Resolve issues and improve the service we provide to you
      PreferencesYour marketing and communication preferencesRegistering your preferences for marketing and user profiling (such as mass end-user communications on our products and services), and any other processing activities that you can opt-out of.
      Developing and carrying out marketing activities and surveys, including requesting you to complete product surveys, telling you about our products and services, etc.      		When you consent to it, where required by law or when it is necessary for our legitimate interests to:
      • Keep our records up to date
      • Ask for your consent when we need it to contact you
      Traffic data/Usage dataDetails about the devices and technology you use(for example your website browser settings, IP address, and login data).Administering Services and other services, and protecting them. This includes troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting. For example, we assume your location from your device’s IP address so we can show you information that is relevant to where you are.When you consent to it, where required by law or when it is in our legitimate interest to:
      • Ensure our organization runs properly
      • Protect our organizations systems and software, including your personal data
      • Understanding how to improve our products and services
      Data AnalyticsInformation about how you use our products and services.Understanding how we can improve our products and services, using data analytics and insights collected and created based on your actions, reports generated and activities when using our services. For example, we gather statistics on the pages visited on our Services. If permissible, we may also aggregate or otherwise de-identify information from reporting or dashboard functionality (e.g. post-operative insights) in order to further improve our Services.
      Showing you content and features that are personal to you and your interests, for example through targeted advertisements or push notifications.

      When you consent to it.
      When it is in our legitimate interest to:

      • Understand which of our products, services and content will be of interest to you, and telling you about them
      • Develop our business
      • Improve the services we have on offer
      Contractual and financial informationDetails about the products or services we provide to youCarrying out our obligations arising from and exercising our rights set out in our customer contracts.
      For the purposes of legal compliance (e.g. maintaining tax records).
      Collecting money that is owed to us.
      Operating our business in an efficient and proper way, including managing our financial position, business capability, planning, and audit.

      When it is our legal duty.
      When it is in our legitimate interest to:

      • Understand and improve how we contract with our customers, and run our business
      • Understand each party's obligations and risks under any agreements
      • Be efficient about how we fulfil our legal and contractual duties
      Optional Profile Picture:Pictures of you that you choose to provide to us, for example if you include a profile picture on your Touch Surgery account.Promoting engagement with our services and community.
      Enabling us and others to recognize authorship and connecting our users with their content.      		When you consent to it.
      Professional informationInformation about surgeons and other hospital personnel, including evidence of your position as a clinician, registration number (e.g. GMC number), license information, your affiliated hospital or institution and related information.Confirming your status as a clinical professional.
      Ensuring we only provide access to products and services to those professionals it is intended for.
      Processing and approving the Royal College of Surgeons of England’s Continuing Professional Development (CPD”) credits and certification.

      Fulfilling our contract with you.
      When it is our legal duty.
      When it is in our legitimate interest to:

      • Properly administer our business, products and services.
    3. Do we collect special category data from our users?

      4. We do not normally collect any special category data of authorized users of our products and services. Special category data means details about things like your race or ethnicity, sex life, political opinions, and information about your health, etc. In case we need to process this type of data in connection with our services (e.g. to accommodate your particular health needs when delivering training), then unless we notify you otherwise, we will only do so on the basis of your explicit consent and for the purposes for which you have provided such data to us.
      If you are a patient and have questions about how your health data may be processed through the use of our products and services, please contact your treating physician or institution (as the data controller) in this regard.

    4. Do we collect anonymized and aggregated data?

      5. We sometimes collect and process data that cannot be used to identify you - this is called anonymous data. We may also change your data to make it anonymous, after we’ve collected it to keep your information as safe as possible and so we and our Affiliates can use the data for research or statistical purposes, to develop, improve and deliver our products and services, without it impacting you.
      We also collect, use and share aggregated data such as statistical or demographic data. For example, we might use aggregate data to work out the percentage of people accessing a page on our website or to understand how we can improve our mobile app. When we aggregate personal data to the point where it cannot tell us or anyone else who the data belongs to, it’s not considered to be personal data. If we mix aggregated data with your personal data, we’ll treat that data as described in this Privacy Notice.

    5. How long do we keep your data for?

      6. We won’t keep your personal data for any longer than we need it. Because these needs can vary for different data types, actual retention periods can vary. We keep your data for the following reasons:

      • to make sure we can fulfil the stated purposes for which we have collected it
      • to meet our legal, accounting and reporting requirements

      To decide what the fairest period is for keeping your data, we consider different factors, including:

      • the amount, nature, and sensitivity of the personal data
      • the risk of harm to you that might be caused by unauthorized use or sharing of your personal data
      • our purposes for processing your personal data
      • whether we can achieve the same purposes without processing your personal data
      • any legal requirements we have to meet, for example anti-money laundering and tax regulations

      If data is anonymous (and cannot be connected to you) then it is not personal data and may be retained without restriction.

    6. Do we use cookies and other tracking technologies?

      7. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your computer (subject to your consent when required). You can’t actually see cookies as they sit in the background of our website, but they are probably present on most websites that you visit.
      We might use cookies to identify you from other users of our products or services. This helps us to provide you with a good user experience, and also helps us to improve our products and services. For further information, please see our Cookie Policy at https://www.touchsurgery.com/cookies.

    7. What marketing activities do we conduct?

      8. We want you to know all about us and our products and services. To do this, we undertake marketing activities which sometimes involve using your personal data - such as sending you newsletters via email or showing you online adverts.
      You won't receive marketing from us by email unless you've given us permission, or because you've used our products and services before. These messages might contain information about our organization's services, events, how to enroll in training programs, new products we’ve created and other important information.
      We adhere to any guidance, principles or related regulations when conducting marketing activities. In particular, we follow the guidelines set out in:

      • Network Advertising Initiative
      • Digital Advertising Alliance
      • European Interactive Digital Advertising Alliance
      • Digital Advertising Alliance of Canada

      If you have any questions about how we use your personal data for marketing, please feel free to contact us. You can find out how to opt-out of marketing below.

  3. Third parties
    1. We sometimes collect and/or share personal data from or with third parties. We make sure all third parties keep your personal data safe and only use it in ways they’re allowed. We will get your specific consent before we share your personal data with any non-affiliated third parties for their own direct marketing purposes.

      2. We’ve outlined below who those third parties are.

      Type of third partyDescriptionCollectShare
      AffiliatesDigital Surgery is part of the Medtronic group of companies so we might need to share and collect personal data with Affiliates to provide and administer our products and services.
      Your institution

      We might share and collect personal data from your employer or the institution you’re affiliated to. This is for the purpose of monitoring and reporting on your performance on Touch Surgery training tools. We might also collect and share your personal data with your institution for the purposes of registering, delivering and administering the products and services you’ve signed up to.
      In these cases, your institution will be acting as the data controller and we’ll be the data processor.

      Our legal and professional advisorsWe might share your data with our legal and professional advisors so we can receive their advice and manage legal disputes.
      Business support tools

      These include analytics and search engine service providers, customer support and relationship platforms, as well as subcontractors.

      Examples include: Salesforce, Tableau, Pinpoint.

      IT and hosting service providers

      To deliver our Services to you/your institution, we use software developed by other organizations. Their state-of-the-art products help us to deliver you the best service and keep your data safe.

      Examples include: Amazon Redshift, AWS, Google Cloud.

      Third parties involved in business reorganization

      If we, or the Medtronic group of companies, decide to sell, transfer or merge part of our organization, we may need to share your personal data with other organizations as part of the process and once it is complete.

      Examples include: Organizations that bought us or the group, law firms, liquidators.

      Public data sources

      We sometimes collect data about you from public sources to understand who you are or to conduct marketing activities. For example, we may check the accuracy of your registration data for medical verification purposes using external third party sources, such as open government databases or other data in the public domain.

      Examples include: Companies House, LinkedIn, Google search results.

      Government and regulatory organizations

      We might be required to share your personal data with official bodies to fulfill our legal and regulatory obligations. We might also disclose your data (when necessary) in court proceedings.

      Examples include: UK government, law enforcement agencies like the police, regulatory bodies like the ICO.

      Social networks and other online platforms providers

      For the purposes of conducting market research, marketing campaigns, targeted and retargeted marketing and understanding the success of our marketing activities.

      Examples include: Facebook, Twitter, Google.

      The publicIn some cases, we might share your personal information with the public with your explicit consent. This is only likely to be the case in situations such as webinars or presentations.
    2. What about third party links?

      3. Our Services might include links to third party websites, plug-ins and applications. Clicking on those links might allow third parties to collect or share data about you.

      We don’t control these third party websites and aren’t responsible for their privacy information. When you leave our services, we encourage you to read the privacy notice of every website you visit

    3. Do we transfer data to other countries?

      4. The personal data that we hold about you will be held in the UK and the European Economic Area (“EEA”), but we might also transfer it to our affiliates, including Covidien LP located in the USA, or our service providers outside the UK or EEA, for the purposes described above.

      When we transfer your data to third parties outside the UK and EEA, we ensure to keep your data safe. We do this by:

      • only transferring it to a country which has a suitable level of protection according to applicable laws; or
      • by putting in place approved safeguards (for example: Standard Contractual Clauses) to ensure the third party outside of the UK or EEA is obliged to protect your personal data in accordance with applicable laws. We also ensure any other necessary security measures are put in place.

      You may contact us as specified above for more information on the safeguards we’ve put in place for the transfer of your personal data outside the UK or EEA.

  4. Your rights
    1. The rights you can exercise may vary depending on your location. To the extent provided by applicable law, you may have the right to: (1) obtain confirmation that we process your personal data; (2) access your personal data; (3) correct incomplete, inaccurate or outdated personal data we hold about you; (4) have your personal data erased, or (5) ask us to restrict the processing of your personal data in certain circumstances.

      2. To the extent provided by applicable law, you also may object to the use of your personal data when we use that information based on our legitimate interests, as described above. In addition, to the extent provided by applicable law, you may receive, in a structured, commonly used and machine-readable format, your personal data you have provided to us based on your consent or a contract to which you are party. You have the right to have this information transmitted to another company, where it is technically feasible.

      Depending on your location, you may have the right to make a complaint with a privacy regulator if you are not satisfied with our response, including the UK ICO, or any data protection supervisory in the EEA Member State where you live.

    2. U.S. Consumer Privacy Rights

      3. If you are within the United States, you may have certain choices regarding our use and disclosure of your personal information, as described below, depending on your state of residence and the data involved. For a complete description of our privacy practices, including data retention policies, data subject request and rights information, and data practices over the past twelve months, please see https://www.medtronic.com/us-en/privacy-statement.html

      • Know: you may have a right to know of or confirm the existence of your personal data, any processing we do with it, and review our practices of data collection and processing, such as knowing what categories of personal data we process, our purposes of processing, and categories of party to whom we disclose.
      • Access and portability: you may have a right to access your personal data, accessing specific pieces of information, and knowing to which third parties your data was disclosed. You may have a right to obtain a copy of your data, including in a machine-readable format.
      • Correction: you may have a right to correct or amend your data if it is incomplete, inaccurate, or outdated.
      • Deletion or elimination: you may have a right to request your personal data be deleted or eliminated. Subject to applicable law, we may deidentify this data in certain circumstances.
      • Restriction: you may have a right to restrict processing of your data in some circumstances, such as if processing is excessive or unlawful, the accuracy of the data is contested, the controller no longer needs the data for its primary processing purposes but is needed for legal or compliance purposes, or if (in California) the data is sensitive personal data like health information and it is being used for purposes beyond those reasonably necessary to perform services or provide goods requested.
      • Objection and opt-out: you may have a right to object to or opt-out of processing of your data in certain circumstances, including in cases where that data is used for direct marketing (including email or telephonic marketing), shared with third parties for their own marketing or for retargeted/cross-contextual marketing, sold to third parties, used to make certain decisions or profiles about you by automated or artificial means, used for historical or scientific research, or used to place automated/prerecorded voice telephonic messages to you in some cases.
      • Consent: you may have a right to consent, and to withhold or withdraw that consent, for some practices, including processing of sensitive personal data or data on children, or where we use consent as our lawful basis for processing or transfer. If you withdraw consent, we will not further collect or process the personal data covered by that consent unless allowed or required by applicable law.
      • Non-discrimination: you will not be discriminated against for your exercise of your rights. This does not necessarily include, depending on applicable law in your jurisdiction, cases where a difference in price or services offered is reasonably related to the value provided by your data, or where you consent to participate in a voluntary loyalty or similar incentive program.
      • Appeal internally: you may have a right to appeal a decision we make about the exercise of your rights within Medtronic.
      • Complain externally: you may have a right to complain to a regulator, including a Data Protection or Supervisory Authority or a trade standards authority, if you are not satisfied with our response to your request, such as not having responded to you within a reasonable time or you disagree with our determination, or have concerns about our data practices. If you ask us, we will try to provide you with information about complaint pathways that may be open to you depending on your location and circumstances.

      HIPAA and Protected Health Information. This notice does not apply to our data processing activities and practices for Protected Health Information, which is regulated under the Health Insurance Portability and Accountability Act of 1996. In those cases, you may have received a Notice of Privacy Practices from Medtronic or your health care provider which will govern that data use.

      Deidentifying data under HIPAA. Where we operate under HIPAA (the Health Insurance Portability and Accountability Act of 1996) as a Covered Entity or Business Associate, we may deidentify data under HIPAA’s Privacy Rule using either the “Safe Harbor” method (which calls for the removal of a set list of identifiers) or the “Expert Determination” method (which calls for an independent expert to use statistical analysis to determine if a particular data set is reasonably identifiable). This data will be “deidentified data” as well.

      Covered data practices disclosure. For the scope of the activities covered by this notice, Medtronic does not sell your personal data, disclose it to data brokers, nor disclose to unrelated third parties for their own direct marketing purposes. Except as stated in our cookie policy (available at https://www.touchsurgery.com/cookies), we do not share your data for cross-contextual retargeted marketing purposes.

    3. How can you exercise your rights?

      4. If you want to exercise any of your data protection rights, please contact us at [email protected] (in the UK or EEA, including Digital Surgery as a reference in your email) or at this link or by calling +1/866 639-6907 (in the United States) . If you are located in the UK or EEA and you need more information about your rights, including the circumstances in which they apply to you, please see the ICO’s website or contact us. We might ask you to give us information that helps us confirm you are who you say you are. This is to ensure we keep yours and our other users’ personal data safe. We will, however, make sure that we don’t collect data for identity verification unless we really need to for security reasons.

    4. How can you withdraw your consent and opt-out of marketing messages?

      5. You can ask us to stop sending you marketing messages at any time you want, by using the link at the bottom of the marketing emails or through your account profile. You can also get in touch with us at any time using the contact information stated above and we’ll unsubscribe you.
      When you opt-out or unsubscribe from marketing, we’ll stop using your personal data in the ways you’ve asked. However, we won’t delete your data as we may need it for other reasons. If you want us to delete all your data, please ask us to do that, as well as opting-out of marketing messages.
      If there are other circumstances where we rely on your consent for the collection and use of your data, you can ask us to withdraw your consent at any time by getting in touch.
      If you withdraw your consent, this will not affect the lawfulness of the processing of your data based on your consent before its withdrawal and we might not be able to provide certain services to you. If this is the case, we’ll let you know. You can of course give us your consent again if you want to access our services.

  5. Security
    1. What security measures do we have in place?

      2. We will put in place security measures to stop your personal data from being accidentally lost, used or viewed in a way that it shouldn’t be. These methods include:

      • taking out any information from the data that could be used to identify you
      • converting your data into a code that only we understand
      • making sure only the people that are allowed to see your data are given access to it
      • making sure no one tampers or changes your data
      • making sure our systems are up-to-date, working, hardy and safe
      • being able to get your data back quickly if there is an issue
      • regularly testing our measures to make sure they’re still good enough

      We have put in place processes to deal with any breaches of your personal data and we’ll let you know (and any regulatory body) about the breach when we need to.

  6. Updates to this Privacy Notice

    7. We understand that things change, so we’ll continue to review the effectiveness of this Notice and make sure it’s achieving its goals. We might revise the Notice from time to time and will post the most recent version of the Notice at this page. If we make a change to this Notice that is in our view material, we will notify you via an app notification or email to the email address associated with your account.

    If you have any questions about this Notice or how it works, please get in touch and we’d be happy to provide any help we can! You can email us anytime at [email protected].