SRT Privacy Policy

Treatment of personal data collected through the Endometriosis Cymru Symptom Reporting Tool (EC-SRT) 

Types of personal data processed and the purpose of processing  

For the purposes of this privacy policy, the Cardiff Fertility and Reproductive Research Group at Cardiff University will handle two types of data related to the EC-SRT: (1) anonymous individual data from the EC-SRT Tool, and (2) anonymous aggregated data on website use. 

1. Data Collected through the EC-SRT Tool 

For the purposes of this privacy policy, the Cardiff Fertility Studies Research Group will only handle data related to your responses to the questions that the EC-SRT asks you, be it multiple choice, scales or open text questions. 

Our developers will have access to the personal data that you choose to provide, including: the name that you provide in the tool, your email address, birth date, and phone number. Our developer has access to this information only for the purpose of facilitating the log-in process for the tool. Personal data will not be shared outside of the immediate project team.

Your anonymous responses to the EC-SRT questions will be used by the team of researchers who developed the EC-SRT (Cardiff Fertility and Reproductive Research Group) for research purposes only, with the aim of supporting the functionality of the EC-SRT, continuing to improve the EC-SRT, measuring its usefulness, and better understanding endometriosis symptoms. The legal basis for processing this data is ‘public task’.

The data stored for research purposes will not include any information that can identify the users of EC-SRT (i.e., all stored data will be anonymized). The data will be stored for a period of 5 years after its collection, or for a longer period, if justified by the research objectives. By using the EC-SRT, you are authorising the use of the data collected, in the terms described above.  

Anonymous Aggregate Data 

Please note there are third-party services used on the website that hosts the EC-SRT (Endometriosis Cymru) that are for statistical purposes only and that aim to complement the information collected from your responses to questions within the EC-SRT, i.e., Google Analytics, which are governed by their own privacy policies (which can be consulted here: https://www.google.com/analytics/terms/en.html). Information collected from Google Analytics will be at the aggregate level (e.g., how many people visited the website in total).  

2. Data security  

The EC-SRT team recognizes the importance of your privacy and is committed to protecting the integrity of your personal data and keeping it safe. Various technical and organisational security measures have been adopted to protect your personal data against its dissemination, loss, misuse, alteration, treatment or unauthorised access, as well as against any other form of illicit treatment. You can contribute to the security of your personal data by not sharing your EC-SRT registration information (i.e., log-in email and password) with other people.  

Rights as a holder of personal data  

As the holder of your personal data, you have the following rights:  

  • Access: you can access your data at any time directly through the EC-SRT.
  • Rectification: whenever you consider that your personal data are incomplete or inaccurate, you can change this yourself within the EC-SRT tool.  
  • Right to delete data: you can delete your data at any time within the Profile section of the EC-SRT. Anonymous data that have been included in a published research article, however, cannot be removed as we are unable to make changes to published research results and we will not be able to identify which data are yours.  
  • Portability: you can create a summary of your personal data that are stored in the EC-SRT, using the report function. You are free to give your personal data (via the report) to any other entity or subject without having to inform the Cardiff Fertility and Reproductive Research Group.   
  • Notification: you have the right to be notified in the event of a data breach likely to imply a high risk to your rights and freedoms, as stipulated in article 34 of the GDPR.

To exercise your rights as the holder of your personal data, contact: CFRR@cardiff.ac.uk. If you want to submit a complaint regarding matters related to the processing of your personal data, you can send it to the data protection officer (inforequest@cardiff.ac.uk) at Cardiff University.

3. What security measures have been put in place?  

The EC-SRT and its database both operate over authenticated HTTPS connections. Data collected from the EC-SRT, including personal data, will be hosted on Google Firebase. The data centre for Google Firebase is in London, and information about its privacy and security features can be viewed here: https://firebase.google.com/support/privacy. All data will be encrypted for storage and transfer.