Last Updated: 3 August 2021
- ANDBAM (Pty) Ltd is a private company incorporated in the Republic of South Africa. Our company registration number is 2020/755349/07 and our registered office is 17 Mount Stephens Crescent, Lyme Park, Sandton, Johannesburg, Gauteng, 2060, South Africa.
- We strive to ensure that our use of the Personal Data of data subjects is lawful, reasonable, and relevant to our business activities, to improve your experience as a User and customer, or prospective customer.
- By providing us with your Personal Data, you:
2. CONTACT US
3. OUR SERVICES
- We own and operate a men’s health website ("Website") which, among others:
- facilitates telemedicine consultations between Healthcare Practitioners and patients for the treatment of certain men’s health conditions;
- captures and provides secure and restricted access by Healthcare Practitioners and certain &BAM staff to informative medical data;
- sells and facilitates the sale of Products through membership to treat or support the treatment process of these conditions; and
- facilitates the regular delivery of the Products to the patient.
(collectively the “Services”)
- This Policy applies to all external parties with whom we interact, including but not limited to:
- Users of the Website and/or the Services;
- customers and potential customers;
- our suppliers, and contractors.
- We obtain Personal Data about you through the means discussed below when you use the Services. We need certain types of data to provide the Services to you. If you do not provide us with such data, or ask us to delete it, you may no longer be able to access or use part or all of our Services.
Data you provide directly to us
- We collect a variety of Personal Data that you provide directly to us. For example, we collect data from you through:
- account and product registration and administration of your account;
- processing your orders, requests and payments for:
- consultations with a Healthcare Practitioner;
- Products; or
- our Services.
- Processing general medical assessment answers and results you submit to us via the Services, including uploads or posts;
- further questions, communications, or feedback you submit to us via forms, email or WhatsApp;
- requests for customer support and technical assistance, including through electronic communications;
- your participation in research and surveys.
- The types of Personal Data we collect will depend upon the Services you use, how you use them, and the data you choose to provide. The types of data we collect directly from you include:
- Your name, sex, address, telephone number, date of birth, and email address;
- data about your health and wellbeing, such as:
- existing medical conditions, including highly sensitive conditions such as your status for:
- HIV or AIDS; and
- Cancer or malignancy.
- previous hospital admissions and surgeries.
- past and existing diagnosis, lab results, treatments, prescriptions, chronic medication, supplements, herbals, and dosages.
- Lifestyle and habits such as fitness and stress levels, and consumption of alcohol, tobacco, and banned or illegal products, to the extent that they may associate with or contribute to or worsen the relevant condition.
- Dermatological or rheumatological events, conditions and symptoms such as dandruff and rheumatological disorders or diseases.
- Endocrine related conditions and symptoms such as thyroid or liver disease.
- Cardiovascular conditions and symptoms such as blood pressure and cholesterol.
- Respiratory conditions and symptoms such as asthma and bronchitis.
- Mental health conditions and symptoms such as depression or bipolar disorder.
- Sexual and reproductive health-related conditions and symptoms such as erectile dysfunction and sexual behaviour.
- other physical and emotional characteristics to the extent that they are relevant to protecting your best interests in carrying out the Services.
- data about any of your parents, family or other relatives’ health conditions to the extent that they are relevant to protecting your best interests in carrying out the Services.
- Identifying documents and data such as your Government-issued identity document, passport or driver’s license.
- Usernames and passwords, if you create an account.
- Billing data, such as shipping address, credit or debit card number, verification number, expiration date, and identity verification data, collected by our payment processors on our behalf.
- Electronic signature.
- Data about purchases or other transactions with us.
- Data about your customer service and maintenance interactions with us.
- User-generated content you post in public online forums on our Services.
- Any other information you choose to directly provide to us in connection with your use of the Service.
Data we collect through passive (automated) means
- We collect certain data about your use of the Services and the devices you use to access the Services. We and our service providers such as Shopify may use a variety of technologies, including cookies and similar tools, to assist in collecting this data.
- When you use our Website:
- we collect and process technical and usage data such as your IP address, browser types, browser language, operating system, the state or country from which you accessed the Services, software and hardware attributes (including device IDs) referring and exit pages and URLs, platform type, the number of clicks, files you download, domain names, landing pages, pages viewed and the order of those pages, the amount of time spent on particular pages, the terms you use in searches on our sites, the date and time you used the Services, error logs, and other similar data.
- Through cookies and similar technologies, we and our service providers use web server logs, cookies, tags, SDKs, tracking pixels, and other similar tracking technologies.
- We use these technologies to offer you a more tailored experience.
Data we collect from social media
- When you “like” or “follow” us on Facebook, Instagram, TikTok, Twitter, or other social media sites, we may collect some data from you including your name, email address, and any comments or content you post relevant to us. We also collect your data if you sign up for one of our promotions or submit data to us through social media sites.
Data we collect from other third parties
- We work closely and may receive your Personal Data indirectly from the following categories of third parties or third-party intermediaries to provide you with the Services and their related services:
- Healthcare Practitioners, nurses and other medical professionals;
- Distributors and couriers;
- We may also receive additional personal data about you from the following sources (including public parties):
- our information technology, advertising and analytics providers;
- from other Responsible Parties where we act as contracted outsourced processors (“Operators”) in performing our Services, including:
- banks and other financial institutions;
- software and server suppliers;
- telecommunications providers;
- medical schemes and insurers;
- law enforcement.
- When we collect your Personal Data from third parties it is either because you have given us express consent to do so, your consent was implied by your actions, or because you provided consent, either explicit or implicit, to the third party that provided this data to us.
6. HOW AND WHY WE PROCESS YOUR PERSONAL DATA
Based on your consent:
- we will collect, store, use and share data about your health and well-being as described in this Policy and the relevant consent form to;
- carry out, improve, and manage the Services;
- as applicable, facilitate the provision of health care services to you by Healthcare Practitioners, other health care providers and other appropriate third parties; and
- ensure that the Healthcare Practitioners or health care providers have the services and support necessary for health care operations.
- where required by law, we may process your contact data for marketing purposes.
- You may withdraw your consent at any time after giving it as described in clause 14 of this Policy.
We process your Personal Data if it is necessary to enter into or perform under a contract that we have with you as a customer or to provide a solution to you as a customer. This includes:
- to provide customers with the Services, technical support and solutions they have requested;
- processing, collecting and administering payments for our Services rendered;
- to communicate with you about the Services, your use of the Services, or your inquiries related to the Services and send you communications on behalf of Healthcare Practitioners or other health care providers utilizing the Services to meet your needs.
- to respond to customer enquiries and complaints;
- to meet record-keeping obligations;
- to enforce and collect on any agreement when a customer is in default or breach of the terms and conditions of the agreement, such as to institute legal proceedings against a customer;
- transferring limited and necessary Personal Data to our contracted service providers (such as server hosts) in performing our obligations to you;
- for security and identity verification, and to check the accuracy of customer Personal Data; and
- for any other related purposes.
We process customer’s Personal Data if the law requires or permits it. This includes:
- Verifying your identity to comply with legislative, regulatory, professional, risk and compliance requirements;
- to fulfil reporting requirements and data requests;
- to meet record-keeping obligations;
- for any other related purposes.
We process the Personal Data when it is necessary to pursue your legitimate interests and/or our legitimate interests. This includes:
- to detect, prevent, manage and protect against fraud, security breaches, misuse, and other prohibited or illegal activity, claims and other liabilities;
- maintaining the safety, security and integrity of our Website, our Services, products, databases, networks and other technology assets;
- to protect our rights in any litigation that may involve you;
- general due diligence and risk assessment;
- enforcing and defending other legal claims;
- to manage business continuity and emergencies;
- for analytics, to gather metrics to better understand how users/customers use the Services, and to evaluate and improve our Services; and
- for other related purposes.
When we collect your Personal Data from third parties it is because such third parties have:
- authorised or instructed us to do so; and
- have represented to us (either express or implied) that:
- their instructions are lawful;
- they are permitted to disclose such Personal Data to us;
- they will, where required by law, obtain the necessary consents or justify the necessary legitimate interests pursued (Sec 11(1)(d)&(f) of POPIA), and provide all necessary data and privacy notices to you as a Data Subject.
We will not collect additional categories of Personal Data or use the Personal Data we collected for materially different, unrelated, or incompatible purposes without providing you and our customers notice.
7. DISCLOSURE OF PERSONAL DATA
- We may provide access to and disclose your Personal Data for legitimate business purposes, following applicable law and subject to applicable regulatory requirements regarding confidentiality and appropriate data protection measures.
- In addition, we may disclose your Personal Data in the following ways:
- Healthcare Practitioners and healthcare providers
- We share your data with these parties:
- to schedule and fulfil appointments and facilitate health care services as part of the Services,
- to whom you send messages through our Services, and
- for other treatment or health care operations purposes, including pharmacy services, with your consent.
- Our Service Providers
- We provide access to or share your data with Service Providers who use the data to perform services on our behalf, and whose assistance we require to conduct our business operations and that:
- where such Personal Data is necessary for the performance of their obligations to or on behalf of &BAM (i.e.file storage, payroll, payment gateways, server hosts, videoconferencing and cybersecurity); and
- based on our instructions, are not authorised by us to use or disclose the data except as strictly necessary to perform the services on our behalf as instructed or to comply with legal or professional requirements.
- We will only authorise the processing of any Personal Data by a third party acting as a subcontractor (Operator) on our behalf by, among others, entering into agreements with those third parties governing our relationship with them and highlighting instructions, confidentiality, security and non-disclosure obligations.
- Protection of &BAM and others
- By accepting our Terms and Conditions, you acknowledge and agree that we may access, retain and disclose the data we collect and maintain about you if required to do so by law or, in good faith, believe that such access, retention or disclosure is reasonably necessary to:
- comply with legal process (e.g. a subpoena or court order);
- respond to claims that any content violates the rights of third parties;
- respond to your requests for customer service; and/or
- to mitigate any actual or reasonably perceived risk, or to protect the rights, property or personal safety of &BAM, its contracted Healthcare Practitioners and Service providers, its Users, customers and/or the public. This includes exchanging data with other companies and organizations for fraud protection, and similar purposes.
- Business transfers
- We may buy, merge, partner with or be acquired by other companies. In such transactions, (including in contemplation of such transactions) User data may be among the transferred assets. If a portion or all of our assets are sold or transferred to a third party, customer data (including your email address) would likely be one of the transferred business assets. If such transfer is subject to additional mandatory restrictions under applicable laws, we will comply with such restrictions.
- We may also disclose your data in other ways you direct us to and when we have your consent.
- Public forums, social media and customer reviews
- Certain features of our Services make it possible for you to share comments publicly with other Users. Any data that you submit through such features is not confidential, and we may use it for any purpose (including in testimonials or other marketing materials). For example, if you submit a product review on our Website, on Google, or a social media platform, we may display your review (along with the name provided, if any) on our Website and on third-party websites, including social media platforms. Any data you post openly in this way will be available to the public at large and potentially accessible through third-party search engines. Therefore, please take care when using these features.
- By law
- With governmental agencies, and other regulatory or self-regulatory bodies, if required to do so by law or there is a reasonable belief that such is necessary for:
- compliance with the law or with any legal process; or
- the protection and defence of the rights, property or safety of &BAM, our customers, Users, contracted Healthcare Practitioners, employees, contractors, suppliers, service providers, or any third party.
8. COMPULSORY DATA AND CONSEQUENCES OF NOT SHARING WITH US
Where we are required to process certain Personal Data by law, or in terms of a contract that we have entered into directly with you, and you fail to provide such Personal Data when requested to do so, we may be unable to perform in terms of the contract in place or are trying to enter into with you. In such a case, we may be required to terminate the contract and/or relationship with you, upon due notice to you, which termination shall be done per the terms of that contract and any applicable legislation.
9. WHEN AND WILL WE USE YOUR DATA TO MAKE AN AUTOMATED DECISION ABOUT YOU
We do not use your Personal Data to make any automated decisions about you.
10. TRANSFERRING YOUR PERSONAL DATA OUTSIDE OF SOUTH AFRICA
- We reserve the right to generally transfer to and/or store your Personal Data on servers in a jurisdiction other than where it was collected, or outside of South Africa in a jurisdiction that may not have comparable data protection legislation.
- Where data is transferred or stored outside of South Africa and the location does not have adequate data protection laws, we will take reasonably practicable steps, including the imposing of suitable contractual terms and conduct a due diligence to ensure that your Personal Data is adequately protected in that jurisdiction.
- We will take appropriate and reasonable technical and organisational steps to protect all Personal Data held by us in line with industry best practices, including protection against accidental or unlawful destruction, accidental loss or alteration, and unauthorised disclosure or access. This includes the following:
- keeping systems secure (such as monitoring access and usage);
- storing records securely;
- controlling the access to our premises, systems and records;
- safely destroying or deleting records;
- encrypting and/or password protecting sensitive data;
- protecting our servers using firewalls and limiting access to Personal Data on a strictly need to know basis;
- testing the security of our Website and IT systems regularly;
- When processing payment card details, our payment gateways comply with the applicable Payment Card Industry Data Security Standard (PCI-DSS standard);
- periodically reviewing our collection, storage and processing practices, including physical and digital security measures
- However, no data transmission over the internet or electronic/physical storage can be guaranteed to be 100% secure. As such, you acknowledge and accept that we cannot guarantee the security of your data transmitted to, through, or on our Services or via the Internet and that any such transmission is at your own risk. However, we are subject to POPIA which we comply with.
- We will notify you and the relevant regulatory authorities of any data breaches where we are legally required to do so and within the prescribed period.
- Where we have given you (or where you have chosen) a password that enables you to access the Services, you are responsible for keeping this password confidential. We ask you not to share your password with anyone. The data you share in public areas may be viewed by any User of the Services.
- We will only retain your Personal Data for as long as it is necessary to fulfil the purposes explicitly set out in this policy, unless:
- retention of the record is required or authorised by law; or
- you have consented to the retention of the record.
- The length of time for which we retain data depends on the purposes for which we collected and use it and/or as required to comply with applicable laws.
- If there are no other lawful grounds for us to continue processing your Personal Data, we will destroy such data using secure methods.
- Where we act as a Responsible Party, we are required to take all necessary steps to ensure that your Personal Data is accurate, complete, not misleading and up to date.
- Anyone about whom we maintain Personal Data may request to inspect and, if appropriate, correct the Personal Data held by us. It is your responsibility to inform us, or the relevant Healthcare Practitioner/healthcare provider, should your Personal Data be incorrect, incomplete, misleading or out-of-date by contacting us. We may require additional data from the requesting party to confirm the legitimate basis for the request and the identity and authority of the requestor. Upon receipt and verification of the corrected Personal Data, we will adjust our data or records accordingly.
- A request for correction/deletion of Personal Data or destruction/deletion of a record of Personal Data must be submitted using the prescribed Form 2 which is available on the Information Regulator’s website.
- Data protection laws may grant you, among others, the following rights:
- Request access to your Personal Data – enabling you to receive a copy of the Personal Data retained about you;
- Request the correction of your Personal Data – to ensure any incomplete or inaccurate Personal Data is corrected;
- Request erasure of your Personal Data – where there is no lawful basis for the retention or continued processing of your Personal Data;
- Object to the processing of your Personal Data for a legitimate interest (or those of a third party) – under certain conditions where you feel it impacts your fundamental rights and freedoms;
- Request restriction of processing of your Personal Data – to restrict or suspend the processing of your Personal Data to limited circumstances;
- Withdraw consent given in respect of the processing of your Personal Data at any time – withdrawal of consent will not affect the lawfulness of any processing carried out before your withdrawal notice. But may not affect the continued processing of your Personal Data in instances where your consent is not required.
- If an above request/objection is to be made, please use the contact details in clause 2 above and we will revert within 30 calendar days.
Please Note: We may keep your Personal Data even if you no longer have a relationship with us or if you request we delete or destroy it, if the law permits or requires.
Our Website and our Services are not targeted at and do not collect Personal Data from people under the age of 18. We will not knowingly collect Personal Data in respect of persons in this age group without express permission to do so, unless permitted by law.16. THIRD-PARTY OPERATORS AND SUB-OPERATORS
- We use external processors (“Operators”) and sub-processors (“Sub-Operators”) for certain processing activities and to assist in the delivery of Services.
- We reserve the right to change our Operators at any time without further notice to you, but we will ensure these persons have an obligation to keep your Personal Data secure and confidential.
- Such external processing activities include, but are not limited to:
- IT systems, servers and infrastructure;
- Debit order service providers and debt collection services;
- Human resources;
- Shipping couriers;
- Hosting and email infrastructure;
- eCommerce platform and record-keeping infrastructure;
- Direct marketing / mailing services.
- We conduct due diligence in respect of our external Operators before forming a business relationship. We obtain company documents and references to ensure the Operator is adequate, appropriate and effective for the task we employ them for.
- Any forms which are available on our website are powered by JotForm who is subject to the GDPR.
- When you fill out a form, the data that you submit will be forwarded to JotForm and will be collated into an email and sent to us.
- The data that you submit via the form will not be stored within our Website’s own database or in any of our internal computer systems.
- Your data will remain within JotForm’s secure database in the European Union for as long as we continue to use JotForm’s services or until you specifically request removal by emailing us.
- &BAM would like to send you information about our product and service offerings we believe may be of interest to you.
- We may send marketing materials to our customers’ email addresses (including individuals who enquire about our Services with or through us as permitted by POPIA, provided that:
- your name and contact details were obtained in the context of the sale of our products or Services (including any inquiries, requests or bookings concerning our products and Services);
- we contact you to market our similar products or Services.
- you may opt-out at any time and free of charge on any of our marketing communications by clicking unsubscribe on any email sent to you or by emailing firstname.lastname@example.org.
- If you are not our customer, we may send marketing materials to where you give us your express “opt-in” consent (either digitally or in-person) to send you marketing materials through your preferred electronic channels of communication, provided that we shall keep a record of your consent and you may opt-out any time and free of charge on any of our subsequent marketing communications.
- Once you have chosen to opt-out, we may send you written confirmation of receipt of your opt-out request (which may be in electronic form), and we will thereafter not send any further direct marketing communication to you. However, you may continue to receive communication from us on matters of a regulatory nature, which are not marketing related.
- We may place small text files called “cookies” on your device when you visit our Website. Cookies do not contain Personal Data, but they do contain a personal identifier allowing us to Affiliate your Personal Data with a certain device. Cookies serve useful purposes for you, including:
- Remembering who you are as a User of our Website to remember any preferences you may have selected on our Website, such as saving your username and password, or settings (“functional cookies”);
- allowing our Website to perform its essential functions. Without these cookies, some parts of our Website would stop working (“essential cookies”). For example, data on error messages displayed to Users will be collected and the developer team will assess and solve it.
- monitoring how our Website is performing, and how you interact with it to understand how to improve our website or Services (“site analytics”).
- Your internet browser may accept cookies automatically and you can delete cookies manually. However, no longer accepting cookies or deleting them may prevent you from accessing certain aspects of our Website where cookies are necessary.
- As cookies are stored in the web browser used to access our Website, to disable cookies Users need to change the settings on that browser in particular.
- If your Personal Data is collected and processed by third parties including Healthcare Practitioners and other healthcare providers, you should read their relevant privacy notice, terms and conditions, and other data protection policies. We are not responsible for their data protection policies and practices where they act as Responsible Parties. Any Personal Data you give to those organizations will be dealt with under their privacy notice, terms and conditions, and data protection policies.
- IF YOU DISCLOSE YOUR PERSONAL DATA DIRECTLY TO ANY THIRD PARTY OTHER THAN &BAM, WE SHALL NOT BE LIABLE FOR ANY LOSS OR DAMAGE, HOWSOEVER ARISING, SUFFERED BY YOU AS A RESULT OF YOUR DISCLOSURE OF YOUR DATA TO SUCH THIRD PARTIES.
ANNEXURE A – DEFINITIONS
General Data Protection Regulation 2016/679.
The healthcare practitioners listed in the Terms and Conditions as amended from time to time, including HPCSA registered medical doctors, SANC registered nurses, and pharmacists.
Health Professions Council of South Africa.
persons tasked with the prevention and prosecution of crime, and registered security providers.
any person or entity that Processes Personal Data on behalf of a Responsible Party.
information or data relating to an identifiable, living, natural person, and where it is applicable, an identifiable, existing juristic person, including, but not limited to information relating to –
· race, gender, sex, pregnancy, marital status, national, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person;
· education or the medical, financial, criminal or employment history of the person;
· any identifying number, symbol, e-mail address, physical address, telephone number, location information, online identifier or other particular assignment to the person;
· the biometric information of the person.
Protection of Personal Information Act 4 of 2013.
compounded pharmaceutical products from a registered partner pharmacy, and non-pharmaceutical products manufactured by &BAM.
the person that decides how and why Personal Data is Processed. Responsible Parties may instruct Operators to processes Personal Data on their behalf.
third party providers of various services to us or on our behalf, including, billing, sales, shipping, marketing, advertising, analytics, research, customer service, payment processing, providers of information technology, communication, file storage, data storage, IT and security, videoconferencing, fraud prevention, accounting, auditing and legal services, our insurers and professional advisors.
“Sensitive Personal Data”
Personal Data about race or ethnicity, political opinions, religious or philosophical beliefs, trade union membership, physical or mental health, sexual life, any actual or alleged criminal offences or penalties, national identification number, or any other data that may be deemed to be sensitive under applicable law.
South African Nursing Council.
|"User"||persons accessing the Website.|