Butterfly Network ("Butterfly")
GDPR Customer FAQs

Last Updated: May 15, 2019

This FAQ contains important information about data protection, privacy, and, in particular, how Butterfly addresses compliance with the European Union's General Data Protection Regulation ("GDPR"). It also aims to better inform our customers, medical professionals (like you), regarding the patient data you provide to Butterfly.

What is the GDPR?

The General Data Protection Regulation ('GDPR') is the comprehensive European Union (EU) data protection law that took effect on May 25, 2018. The GDPR applies to persons or organizations processing personal data about EU data subjects, which includes Butterfly and its customers.

What personal data do we process?

In connection with our Services, medical professionals can upload and host within the Butterfly Platform certain patient data. This may include: the patient's name, gender, date of birth as well as the MRN scans captured through the IQ Device. It may also include the medical professional’s clinical notes on the patient and their scans. All patient data processed by Butterfly within its platform ("Patient Data") is considered personal data and the EU, and many countries outside the EU, have laws which protect the collection, use, storage and transfer of the personal data of their citizens. In fact, Patient Data is in many places treated as sensitive data (or "special category data") and is therefore subject to elevated protection and compliance requirements, including under the GDPR.

Butterfly has however taken steps so that its customers can confidently capture and store Patient Data using the Butterfly Services.

What are the relevant roles of Butterfly, the patient, and medical professionals under GDPR?

When medical professionals transmit Patient Data to Butterfly they (or the hospital they work for) are the controller, Butterfly is the processor, and the patient is the data subject.

Butterfly sometimes acts as a controller in its relationship with medical professionals, for example when Butterfly collects information about medical professionals for the purposes of marketing, sales and managing the relationship with the medical professional (or the hospital they work for).

What is Butterfly doing to comply with and help its customers comply with the GDPR?

Butterfly has embarked on a compliance project with support from specialist external advisors to address GDPR compliance. Specific measures we have taken include:

  • Appointing a data protection officer (DPO) to oversee the continued development of Butterfly's commitment to data protection.
  • Amending our contracts with vendors and customers to ensure the terms comply with the GDPR.
  • Ensuring our privacy policies and notices clearly explain Butterfly's commitment to the GDPR and the rights which individuals have with respect to their data. You can review the Butterfly Privacy Notice here.
  • Formalizing our processes around data subject rights to ensure that we are able to more efficiently help our customers respond to data subject requests.
  • Ensuring the use of robust and appropriate security measures to safeguard any data collected and processed on systems owned or managed by Butterfly.
  • Carrying out Data Protection Impact Assessments to identify and minimize risks to Patient Data.
  • Self-certifying (currently in progress) to the EU-US and Swiss-US Privacy Shield Frameworks to ensure that customers can lawfully transfer EEA and Swiss data to Butterfly for processing and storage in the United States.

Butterfly Network is committed to addressing GDPR compliance and understands the importance of this to its customers.

How does Butterfly Network comply with EU data export laws?

EU data protection law prohibits the export of personal data outside of the European Economic Area ("EEA") to non-EEA recipients, unless certain safeguards are in place.

Butterfly Network is headquartered in the United States, though it offers its Services to customers around the world, including medical professionals located in the EEA. Therefore, Butterfly will process personal data that originates from the EEA on its servers and facilities in the United States. To ensure compliance with EU data export laws, Butterfly signs the EU Standard Contractual Clauses (also sometimes called "Model Clauses") with its EU customers. These are standard form data export terms that have been pre-approved by the European Commission, and by signing them Butterfly commits to protect personal data (including Patient Data) it receives from its EU customers to EU data protection standards.

In addition, Butterfly is currently in the process of self-certifying to the EU-US and Swiss-US Privacy Shield to facilitate the lawful transfer of data from the EEA and Switzerland to Butterfly for processing in the United States.

What about third parties who work with Butterfly?

When Butterfly contracts with a third party that in any way interacts with Patient Data, Butterfly first requires that these third parties pass a security and risk assessment to ensure they uphold the same standards as Butterfly with respect to personal data. In addition, GDPR requires that these companies are contractually obligated to implement and uphold equivalent security measures to protect Patient Data.

Our current list of sub-processors is set out below. As our business grows and evolves, the sub-processors we engage may also change. Please check back frequently for updates.

Entity Name                                          Corporate Location
---------------------------------------------------  ------------------
Amazon Web Services, Inc. (AWS)                      USA
Asana                                                USA
Aptible, Inc.                                        USA
Auth0, Inc.                                          USA
Avalara, Inc.                                        USA
Celigo, Inc.                                         USA
Crashlytics                                          USA
DHL                                                  Global
Google LLC (re: G-Suite, Google Cloud Platform)      USA
Hotjar, Ltd.                                         USA
New Relic, Inc.                                      USA
Oracle                                               USA
Stitch Data                                          USA
Salesforce.com, Inc.                                 USA
Segment                                              USA
Slack Technologies, Inc.                             USA
Splunk Inc.                                          USA
Stripe                                               USA
Webflow                                              USA
Zapier Inc.                                          USA
Zendesk, Inc.                                        USA

What if one of my patients asks for their Patient Data?

Any patient has a right to see all the data that you hold about them. This is called a "subject access request". If a patient makes a subject access request directly to Butterfly, we will pass the request on to you as soon as practicable and, where Butterfly holds the data requested, Butterfly will assist you to provide the patient with the data requested.

Can patients ask for anything else?

As well as the right to access data you hold about them, patients may also have the right under GDPR to have inaccurate or incomplete data rectified, have their data deleted or to ask that you stop processing their data. Patients can also ask you to transfer the data that they have provided to you to another medical professional. If a patient wishes to exercise any of their rights in relation to their Patient Data, we will inform you of such a request and provide you with reasonable assistance in honoring those requests. Note that you are not always required to carry out such requests by patients as GDPR provides that you only need to comply in certain situations.

What about the records Butterfly holds about medical professionals?

Butterfly also collects personal data about customers/medical professionals in order to promote Butterfly products, set them up with a Butterfly account, handle orders, and respond to inquiries. These data are protected by the same security measures. Our Privacy Notice contains details of how Butterfly processes a medical professional’s personal data and the rights that they have under GDPR with respect to it.

Where can I get more information?

If you have any questions or require assistance, please contact dpo@butterflynetinc.com.