TERMS OF SERVICE - ChestPal Pro

TERMS OF SERVICE

updated: 5 February 2024 

These Terms of Service (hereinafter, the Terms) regulate the general  manner of use of the Services and the distribution of rights, obligations  and liability of CHESTPAL LTD (hereinafter, CHESTPAL) and users of the  Services. These Terms of Service neither govern nor define the rights and  obligations of third parties. 

Take a moment to find out more about our Terms of Service and contact  us if you have any questions. 

By using our Services, you are agreeing to these Terms. Subject to these  Terms, CHESTPAL grants you a personal non-transferable right to access  and use the Services. 

1. General Provisions 

1.1. The Services include the mobile application “ChestPal Pro” (hereinafter,  ChestPal Pro) and the website with the domain name “chestpal.com”  (hereinafter, the Website). 

1.2. The Services are designed to conduct lung auscultation with automatic  lung sound analysis with the usage of ChestPal Pro mobile application and  electronic stethoscope, as well as to obtain relevant information about the  Services through the Website. 

Services related to ChestPal Pro can be used by healthcare providers who  provide medical services to their patients. Services related to the Website  can be used by the general public. 

1.3. The administration of the Services, as well as technical support, is  provided by: 

CHESTPAL LTD 

Company number 14073885 

63, Ship Street, Brighton BN1 1AE United Kingdom 

email (general questions):  [email protected]

email (personal data questions): [email protected]

1.4. The time of availability of the functionality of the Services is determined  by CHESTPAL and may be changed without prior notice.

1.5. CHESTPAL is not a medical institution or a healthcare provider, and  ChestPal Pro does NOT provide a diagnosis and cannot be used for  diagnosis and clinical decision making without a healthcare professional’s  over-read of the findings and consultation. Proper administration and  usage of the product is the healthcare professional’s responsibility. The  quality of the computer interpretations depends heavily upon the quality  of the inputted data. Please make sure you follow instructions from the  ChestPal Pro user manual when conducting a lung exam using ChestPal Pro. 

2. Terms and Definitions 

2.1. For the purposes hereof, the following terms and definitions are used:

You (User) – healthcare provider who uses the functionality of the Services  and has reached the age of full legal capacity in accordance with the  legislation of the country of their citizenship. 

We (CHESTPAL) – CHESTPAL LTD. 

Services – the website with the domain name “chestpal.com” and the  mobile application “ChestPal Pro”. 

3. User Consent 

3.1. By continuing to use our Services, you are agreeing to these Terms of  Service. Please stop using our Services if you do not agree to these Terms  of Service. 

3.2. By expressing consent, you agree to regularly check and read  notifications about updates and (or) additions to the Terms.

3.3. By expressing your consent, you also confirm that ChestPal Pro does  NOT provide a diagnosis and cannot be used for diagnosis and clinical  decision-making without a healthcare professional’s over-read of the  findings and consultation. Proper administration and usage of the product  is the healthcare professional’s responsibility. The quality of the computer  interpretations depends heavily upon the quality of the inputted data.  Please make sure you follow instructions from the ChestPal Pro user  manual when conducting a lung exam using ChestPal Pro.

3.4. By expressing your consent, you also acknowledge and assume all risks  associated with your consent.

4. Rights and Obligations 

4.1. Hereunder we undertake to: 

(1) comply with the Privacy Policy as well as the relevant requirements for  personal data protection; 

(2) duly consider incoming applications, complaints and comments of  Users. 

4.2. We have the right to: 

(1) amend and (or) supplement the Terms, if necessary, including updates  in accordance with the applicable law; 

(2) modify, suspend or terminate operation or access to the Services, any  part and/or function of the Services for any reason; 

(3) interrupt the operation of the Services or any part thereof, if it is  required to perform any maintenance, bug fixes and (or) make any other  modifications. 

4.3. The User agrees to: 

(1) submit accurate information requested for the use of the Services;

(2) comply with the Terms of Service and other rules of use of the Services  (Privacy Policy) as well as any other applicable law; 

(3) bear full responsibility for keeping personal account details, including  the password, confidential, as well as for any other activities that occur on  behalf of the user account. 

You agree to notify us immediately in case of a compromised account  (theft, unauthorized access); 

(4) ensure that there are sufficient legal grounds for uploading third-party  personal data to the Services by the user; 

(5) refrain from re-engineering (reverse engineering), decompilation and  disassembly of the Services or parts thereof, refrain from actions aimed at  determining the source code of the Services, refrain from actions aimed at  circumvention of the software and hardware means of protection of the  Services; 

(6) refrain from using the Services for any purpose prohibited by applicable  law or these Terms as well as incite any illegal activity or other activity that  violates our rights and legitimate interests as well as the rights and  legitimate interests of third parties.

(7) to comply with the rules of medical ethics, as well as follow doctor patient confidentiality and all other applicable rules regarding the  processing of medical information and personal data; 

(8) distribution of information as well as of any other relevant details about  Services’ vulnerabilities identified by the Customer.  

4.4. The User has the right to: 

(1) use the functionality of the Services within the limits and in the manner  permitted hereby and by the applicable law; 

(2) contact CHESTPAL for suggestions and/or complaints. 

5. Data Protection 

5.1. The Services may collect and process your personal data. Any collection  and processing of your personal data is governed by our Privacy Policy.

5.2. Healthcare providers are obliged to comply with the rules of medical  ethics, doctor-patient confidentiality and any other applicable to them  regulations on privacy and data protection. Any legal roles within above mentioned processing activities are assigned on the basis of our Privacy  Policy as well as respective provisions of applicable law. 

5.3. As CHESTPAL might be acting as a data processor within several  processing activities conducted with the usage of our Services by  consenting to the current Terms of Service users also agree to the  provisions of our Data Processing Addendum which is an integral part of  the current Terms. 

5.4. CHESTPAL Data Processing Addendum should be considered as an  applicable data processing agreement on behalf as well as a business  associate agreement under GDPR and HIPAA respectively.

5.5. Since CHESTPAL is processing personal data on behalf, users remain  fully responsible for the compliance with applicable data protection and  privacy laws as well as for legitimate collection of personal data in  accordance with general principles relating to the processing of personal  data. Explicitly these provisions apply to the situations when a User is  sharing any patients’ personal data via our Services. 

6. Content of Services 

6.1. All text, graphics, user interfaces, visual interfaces, photographs, names  and trademarks, logos, sounds, music, images and any other audio-visual content and software code (collectively referred to as the Content),  including, without limitation, the design, structure, selection, coordination,  appearance, overall style, location and any other way of organizing the  Content as part of the Services, are either owned by us or transferred to us  for further use by their owners under relevant agreements. The Content is  protected by copyright, law on trademarks and other laws governing  intellectual property and unfair competition. 

6.2. Unless expressly indicated herein, no parts of the Services or the  Content may be copied, reproduced, published, posted online, sent by  mail, demonstrated in public, encoded, translated, transmitted or  otherwise sent (including copied) to another computer, server, website or  any other data medium for publication, distribution or any other  commercial purpose as well as used otherwise and in any other form  without our prior express written consent. 

6.3. You may use the information which is specifically provided by us and  can be downloaded from the Services provided that you keep copyright  marks in all languages in all copies of such documents, use such  information for your personal, non-commercial (not related to commercial  profits) informational purposes and do not copy or post such information  on any network computer or transfer it to any medium, do not make  changes to such information or make additional representations or  warranties relating to such documents. 

6.4. All rights save those expressly granted to you in these Terms are  reserved. 

7. Available Subscription Plans 

7.1. To access ChestPal Pro software, an organization account must be  created via chestpal.com website. 

7.2. In the organization’s account, the organization’s details such as name,  address, contact person, product distributor or sales agent name, etc. must  be filled in. 

7.3. In the organization’s account, a list of user emails that shall be  authorized to access ChestPal Pro mobile app under the subscription must be created. An individual user email must be listed for each  healthcare provider using the ChestPal Pro mobile app.

7.4. By default, all added user emails are assigned an ‘Active’ status. ‘Active’  users will be authorized to create a ChestPal Pro app account, log in to the  app, review past exam history stored in the app and conduct lung exams  using the app. The organization will be charged 9.99 USD per month per  ‘Active’ user. 

7.5. ‘Inactive’ users will be authorized to create a ChestPal Pro app account,  log in to the app and review past exam history stored in the app, but they  will not have access to the lung exam functionality. The organization will  not be charged for ‘Inactive’ users. 

7.6. The subscription plan is 9.99 USD per month per ‘Active’ user. It is a  recurring subscription, which means the organization will be charged  automatically each month for all ‘Active’ users using the payment card  provided. Should a payment fail to go through, a notification will be sent via email. If the payment failure is not resolved within a week, the status of  all users will be automatically changed to ‘Inactive’ until the payment goes  through. 

7.7. Any processing of the payment information (details of the payment  card) is governed by our Privacy policy. 

7.8. In case of any change in the amount of payment, such change will be  announced in the organization’s account on the website. The subscription  plan can be canceled subject to disagreement with a new plan’s price.

7.9. By agreeing to these Terms, you also warrant that you use your  personal or relevant corporate payment card to pay for the paid ChestPal  Pro functionality and that you do not use any stolen, found or non-owned  payment cards to make any payments for our services. 

8. DISCLAIMER

8.1. CHESTPAL GUARANTEES NEITHER UNINTERRUPTED OPERATION OF  THE SERVICES NOR THAT ITS USE OR THE USE OF ITS FUNCTIONS WILL  HELP YOU OBTAIN YOUR DESIRED RESULTS. THE SERVICES AND ITS  CONTENTS ARE PROVIDED ON “AS IS” AND “AS AVAILABLE” BASIS. ANY  INFORMATION IN THE SERVICES MAY BE REMOVED AND/OR AMENDED  WITHOUT PRIOR NOTICE. CHESTPAL IS NOT RESPONSIBLE FOR ANY  ACTIONS AND (OR) OMISSIONS OF ANY THIRD PARTY WITH REGARD TO  YOUR USE OF THE SERVICES. 

8.2. Some links on the Services may lead to resources on third-party  websites. These links are provided for the convenience of users, and  CHESTPAL does not bear responsibility for the availability of these  resources and their content. 

8.3. The Services allow to enter and send information, including  confidential information, to the relevant sections of the Services. Users will  be fully responsible for the completeness and accuracy of such  information and undertake to obtain any necessary permits to enter third party personal data in the Services from such third parties.

8.4. Despite the fact that ChestPal Pro is a mobile application that provides  the analysis of automatic auscultation of the lungs at a high level, and a  service that is developed with the involvement of professionals in the field  of pulmonology, it does NOT provide a diagnosis and cannot be used for  diagnosis and clinical decision making without a healthcare professional’s  over-read of the findings and consultation. Proper administration and  usage of the product is the healthcare professional’s responsibility. The  quality of the computer interpretations depends heavily upon the quality  of the inputted data. Please make sure you follow instructions from the  ChestPal Pro user manual when conducting a lung exam using ChestPal Pro. 

9. Additional Terms 

9.1. If necessary, the Terms may be altered and (or) updated at any time of  operation of the Services. The Services will be updated with the new  version of the Terms and the date of their adoption. If you disagree with  amendments and/or additions hereto, you must discontinue the use of the  Services and their functionality.

9.2. The Terms are an agreement between us and the User with respect to  the use of the Services. Any other prior written or oral agreements or  arrangements with respect to such use are hereby canceled.

9.3. If any provision hereof is invalid or unenforceable, other provisions shall  remain valid and enforceable to the fullest extent permitted by the  applicable law. 

9.4. Failure to enforce your strict compliance herewith cannot be  construed as our waiver of any provision hereof or any right hereunder.

9.5. The law applicable to these Terms of Service is the law of the UK. The  competent court at the location of CHESTPAL has the exclusive jurisdiction  over all disagreements and disputes arising out of or in connection with  the Terms. 

DATA PROCESSING ADDENDUM 

1. Subject Matter and Terms 

1.1. This Data Processing Agreement is concluded between CHESTPAL LTD  (hereinafter, the Processor) and an individual (healthcare professional) that  is using functional features of the ChestPal Pro (hereafter, the Application)  

and that is assigning the Processor to process personal data on his/her  behalf (hereafter, the Controller). 

The Processor will process personal data on behalf of the Controller within  all the services provided in the context of ChestPal Pro application  functionality usage. 

1.2. The Agreement will be valid as long as the Controller is actively using  the Application. 

2. Personal Data, Processing Purposes and Data Subjects

2.1. The processing activities in the context of the present agreement will affect the following personal data and its categories:

  • profile data: patient ID, first name, last name, date of birth,  gender; 
  • auscultation results: lungs sounds and their analysis; 
  • medical info: chronic diseases, information about smoking and  harmful working conditions, notes. 

2.2. The Processor shall process personal data on behalf of the Controller  only for the purposes of providing the Controller with the Application’s  functionality. Any new purposes of the data processing activities shall be  provided to the Processor in the form of respective written instructions.

2.3. The following groups of individuals will be affected by processing  activities in the context of the present agreement: 

  • the Controller’s patients. 

3. Obligations 

3.1. The Processor processes personal data on behalf of the Controller. The  Controller is responsible for maintaining compliance with data protection  regulations. 

3.2. During the processing of personal data, the Processor is obligated to  follow only the instructions of the Controller. Outside the scope of these  instructions, the Processor may not use the data provided to it for  processing either for its own purposes or for the purposes of third parties.  The Processor shall adjust, delete or block the data processed in the order  in accordance with the Controller’s instructions. If the Processor is of the  opinion that instructions of the Controller are in breach of the applicable  data protection regulations, it must notify the Controller accordingly  without delay. 

3.3. The Processor shall assist the Controller in satisfying the data subjects’  rights to access, rectification, restriction of processing, objection, erasure,  and data portability regarding their personal data. If a data subject  contacts the Processor directly regarding the rights listed above, the  Processor shall forward this request to the Controller without delay.

3.4. Upon request, the Processor shall provide the Controller with the  information necessary to enable the Controller to satisfy notification  obligations, maintain records of processing activities, or perform a data  protection impact assessment.

3.5. Once the term of the present agreement has ended, the Processor  shall be obliged to surrender the data processed under the present  agreement in a generally readable format or to delete it, at the Controller’s  discretion. 

4. Use of Sub-processors 

4.1. The Controller is deemed to have consented to the involvement of the  sub-processors and functions listed in Processor’s Privacy Policy.

4.2. If sub-processor are replaced or added during the term of the present  agreement, the Processor must first obtain the consent of the Controller in  writing, including in electronic form. 

4.3. The Processor shall inform the Controller in writing about any new  sub-processors to be involved into relevant processing activities at least 15  (fifteen) calendar days before actual involvement. In case if the Controller  does not object to the involvement of any new sub-processors within the  mentioned period of time all the new sub-processors shall be considered  automatically approved by the Controller. 

4.4. Any Controller’s objections with regards to any new sub-processors  should be based solely on privacy and data protection considerations. In  the case of disagreement with regards to the involvement of any new sub processors both the Controller and the Process will take reasonable steps  to ensure continuous mutual compliance with applicable data protection  regulations in the context of the involvement of new sub-processors on  the side of the Processor. Those reasonable steps will include mutually  agreed mitigating measures subject to considering risk-oriented approach  as well as currently existing data protection best practices and  technological state-of-the-art. 

4.5. In case if both the Controller and the Processor are not able to  mutually agree on the involvement of new sub-processors the Processor  reserves its right to unilaterally terminate the Terms of Services and  relevant Data Processing Addendum with the Controller. 

5. Security Measures 

5.1. The Processor shall apply all necessary technical and organizational  measures to protect personal data on behalf of the Controller. Such 

measures should be implemented taking into account the state of the art  in the cybersecurity sphere as well as the costs of implementation of such  measures. In any case the Processor guarantees the compliance of its  technical and organizational measures with applicable privacy and data  protection regulations. 

5.2. The Processor may only grant authorization to access the Controller’s  data to its own employees in accordance with the authorization concept,  and to the extent required for the task in question in connection with the  execution of the present agreement. The Processor undertakes not to  

disclose the access authorizations assigned to it for the use of the system  to any unauthorized persons. 

5.3. The Controller or its representative have the right to carry out checks  on compliance with the requirements of the present agreement. The  Processor shall provide the desired information and, at the request of the  Controller and within a reasonable period, submit documentary evidence  that it has met its obligations by completing a questionnaire supplied by  the Controller or by confirming in writing that the measures agreed on in  the current agreement are appropriate and up-to-date. 

5.4. The Processor undertakes to treat as confidential all information – including but not limited to technical and commercial information, plans,  findings, intelligence, designs, and documents – that becomes known to it  or that it receives from the Controller in connection with the present  agreement. That includes, not to disclose this information to third parties,  to protect it from third-party access, to use it only for the purposes of the  present agreement, and to disclose it only to employees who are  themselves under an obligation to observe confidentiality, unless  otherwise agreed in writing between the parties. 

5.5. This confidentiality obligation shall not apply in respect of information 

  • That can be proven to have been known to the Processor before  the present agreement came into effect; 
  • That can be proven to have been lawfully obtained by the  Processor from a third party without being subject to a confidentiality obligation; 
  • That is already in the public domain or that enters into the public domain without any infringement of the obligations contained in  the present agreement;
  • That can be proven to have been developed by the Processor during the course of its own independent work. 

5.6. The Processor undertakes to impose on its employees to whom this  information is disclosed the same obligations that it entered into above  unless said employees are already subject to an equivalent confidentiality  obligation by virtue of their employment contracts. 

6. Data Breaches 

6.1. The Processor must report any data protection security breaches  (unintentional or unauthorized destruction, loss, amendment, disclosure or  access involving personal data processed under the present agreement) or  violation of client confidentiality to the Controller without delay in order to  give the Controller the opportunity to report the incident to the relevant  authorities without undue delay. 

6.2. The Processor shall initiate all steps necessary to clarify the matter and  remedy the security incident without delay, and provide the Controller all  information necessary to document the event and potentially submit a  report to the relevant supervisory authority.