Butterfly Network Patient Privacy Notice
Last Updated: 13 October 2022
Butterfly Network, Inc. ("Butterfly", “we”, “us” or “our”) has developed a whole-body portable ultrasound scanner ("Device") to allow physicians and other licensed health care providers (each a "Customer") to perform certain diagnostic imaging, measurements and medical examinations on their patients. In connection with the use of the Device by our Customers on their patients, certain personal information relating to the Customers' patients (such as the ultrasound scan data) will be collected and processed by Butterfly.
This Patient Privacy Notice ("Patient Notice") supplements Butterfly's General Privacy Notice (which is available here) and explains how we generally collect and use data to improve the use and operation of the Device and related services.
Please note that this Patient Notice only applies to patients of our Customers. This Patient Notice does not apply to our Customers, whose license and use of the Device and related services are governed by a separate legal agreement with Butterfly.
Scope of this Patient Notice
Our Device and related hosted services are intended for use by our Customers. This means that in most cases, we are collecting and processing your personal information on behalf of our Customers as a 'data processor'. This means that it is primarily our Customers (the 'data controllers'), who control what personal information we process and how we use it.
Therefore, if you are a patient of one of our Customers (the provider), and have questions or concerns about the privacy practices of that provider, you should contact them directly.
Please note that we are not responsible for the privacy or security practices of our Customers, which may differ from those set out in this Patient Notice. For the avoidance of doubt, this Patient Notice does not apply to the extent we process patient data as a data processor on behalf of our Customers.
Who are we?
We are a company headquartered in the United States. In support of our mission to democratize healthcare by making medical imaging accessible to everyone around the world, we have developed and provide to our Customers the Device and related services, including a web-based application, application programming interfaces and platform services. In particular, the Device allows our Customers to perform ultrasound imaging.
How does Butterfly collect and use your personal information?
As described above, in most cases, we only process patient data on behalf of and as instructed by our Customers (your physician or health care provider), who are the 'data controllers' of the personal information collected.
However, where permitted by our Customers and applicable law, we combine and leverage certain patient data (including sensitive health data) collected through our Customers' operation of the Device for our internal purposes in order to develop and improve the use and operation of the Device and related Butterfly services. Such purposes include, but are not limited to:
- To train our models and algorithms and therefore to improve the functionality of our services; and
- To allow Customers with less training to be able to operate the Device more easily.
We take a number of steps to ensure that patient data is first de-identified so that it does not specifically identify any particular patient by reference to their name or other directly identifying information. In particular, we remove all directly identifying data (such as the patients contact information and the unique study ID or organization ID assigned to the image scans) and replace such data with new unique randomized IDs that do not trace back to a specific patient. To the extent the de-identified patient data is still considered personal information under applicable data protection laws, we ensure that such data is processed and protected in compliance with such laws.
What personal information does Butterfly collect for such purposes?
We process the following patient personal information for our internal learning purposes:
- Image scans, including ultrasound images, collected from Customer's use of the Device.
- A unique randomized image ID, which we assign to an image scan so we can identify the image without tracing the image back to a specific patient or Customer.
- The metadata related to the image scans, such as scanning mode selected, physical pixel size of an ultrasound study.
- A randomized study ID, which we use to identify which image scans form part of the same group.
- The country in which the patient is located.
Some of this information may be considered sensitive data or "special category data" under some data protection laws and regulations. For example, the image scans will qualify as sensitive health data under certain data protection laws and regulations.
We do not process any patient contact or other identification information (such as their name or contact details) or any information that identifies the Customer for our learning purposes. As described above, we take steps to ensure that all personal information is first de-identified so that it is not possible for Butterfly to specifically identify any particular patient or identify the Customer as the source.
Who is the data controller of my data?
If you are resident in the European Economic Area ("EEA"), United Kingdom or Switzerland, we act as a 'data processor' on behalf of our Customers (the 'data controllers') in most cases.
What is Butterfly's legal basis to process your personal information (for EEA, Switzerland and UK residents only)?
We will process your personal information for the purposes described in this Patient Notice to the extent that such processing is necessary for our legitimate interest to develop and improve the Device and related services. For example, to better interpret the images captured from the Device or to facilitate more precise and consistent measurements.
In cases where sensitive data or ‘special category data’ is processed, it may be done so in order to satisfy a public interest in public health (such as to ensure a high standard of safety of the Device) or for scientific research purposes. This type of processing is done in accordance with applicable law, while safeguarding the privacy of the patient.
In some circumstances, where local data protection law requires, we will seek your consent to use your personal information for the purposes described in this Patient Notice. If you have further questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided below.
With whom will Butterfly share your personal information?
We will not share your information with anyone except with other Butterfly entities for the purposes described in this Patient Notice, our third-party service providers, and as may be required by law and for protecting our rights.
Our third-party service providers who store or process PHI are not authorized to retain, share, store or use your personal information for any purposes other than to provide the services they have been hired to provide.
For more information, please see the section titled "Who Do We Share Your Information With?" of our Privacy Notice available here.
Where is my personal information stored?
For information on how your information is stored or processed, please see the Global Privacy FAQs here.
How long do we keep your personal information?
We retain your personal information where we have an ongoing legitimate business need to do so.
When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it or, if this is not possible, then we will securely store your personal information and isolate it from any further processing until deletion is possible.
How does Butterfly protect my personal information?
We take the security of your personal information very seriously. For more information about our security practices, please see the section titled “Security of the Site and Services” of our Privacy Notice, which is available here
What are my data protection rights?
You have certain rights concerning the personal information that we process, as further explained in the section titled "Your Privacy Rights" of our Privacy Notice, which is available here.
As stated above, in most cases, we only process patient data on behalf of and as instructed by our Customers who are the data controllers of the personal information. Therefore, if you are a patient of one of our Customers, please contact the applicable Customer directly with your request to access or limit the use or disclosure of your information. If you contact us with the name of the Customer to whom you provided your personal information, we will refer your request to that Customer and support them in responding to your access request. You also have the right to complain to your data protection supervisory authority if you feel that any of your personal information is not being processed in accordance with applicable data protection laws.
If you wish to contact us with your questions or comments regarding this Notice, please email us at: firstname.lastname@example.org.
Alternatively, you can contact us in writing at: 1600 District Ave, Burlington, MA 01803 ATT: Data Protection Officer.