Butterfly Network ("Butterfly")
Global Privacy FAQs

Last Updated: 26 March 2020

This FAQ is designed to answer frequently asked questions about Butterfly's approach to privacy, data protection and security, including how Butterfly addresses compliance with global data protection regulations such as the European Union's General Data Protection Regulation ("GDPR"), Australia and New Zealand’s Privacy Act. It also aims to better inform our customers, medical professionals (like you), regarding the patient data you provide to Butterfly.

We hope you find the FAQ useful. Please note however that this does not constitute legal advice nor is it intended to instruct your business on the necessary steps it should take to comply with your legal obligations.

Does Butterfly have a privacy program?

Yes, at Butterfly, we have a comprehensive privacy program in place. 

We cannot advise you on what privacy compliance looks like for you, but we can tell you about how our Services work and the security controls we have built in. We work hard to ensure that our Services employ industry leading security controls but, ultimately, it is up to you to assess whether your use of our Services is right for your business. At Butterfly, we aim to make that assessment easy for you by:

  • Having detailed data protection and security terms in our standard contracts, including (where we process EU and Swiss data), a GDPR compliant Data Processing Addendum.
  • Certifying under the EU-US and Swiss-US Privacy Shield Program to protect information in accordance with the Privacy Shield Principles.  To find out more about the Privacy Shield, see www.privacyshield.gov, or to view our Certification, see https://www.privacyshield.gov/participant?id=a2zt00000008hnlAAA&status=Active.  
  • Having technical and organizational security measures in place to protect personal information that you trust us with, including the measures described here.
  • Appointing a data protection officer (DPO) to oversee the continued development of Butterfly's commitment to privacy and data protection. You can contact our DPO here dpo@butterflynetinc.com.

If you have any further questions about Butterfly's data protection compliance, please email our DPO using the contact details above. 

Does Butterfly have a dedicated security team? 

Yes – information security is of paramount importance to us at Butterfly.  We expect all of our people to play a role in maintaining the security of information that our customers entrust us with. 

Our Security team is headed by our Chief Information Security Officer (CISO).  Our CISO is supported by a dedicated information security team whose job it is to ensure that we have appropriate technical and organizational security measures in place, including the measures described here.

What personal information do we process?

In connection with our Services, medical professionals can upload and host within the Butterfly Platform certain patient data ("Patient Data"). Our customers determine what Patient Data is uploaded to the Platform, but it may include the patient's name, gender, DOB as well as the MRN scans captured through the iQ Device. It may also include the medical professional’s clinical notes on the patient and their scans. 

All Patient Data processed by Butterfly within the Butterfly Platform is considered personal information and the EU, and many countries outside the EU such as Australia and New Zealand, have laws, which protect the collection, use, storage and transfer of the personal information of their residents. In fact, Patient Data is in many places treated as sensitive data (or "special category data") and is therefore subject to elevated protection and compliance requirements

Butterfly has taken a number of steps so that its customers can confidently and securely capture and store Patient Data within the Butterfly Platform. Butterfly is committed to processing all personal information that we receive in compliance with applicable data protection and privacy laws. 

Where is Patient Data stored?

Where your data is stored depends on the geographic location of your organization. We currently use the following AWS data centers to store data:

  • Europe: Your data is stored in the AWS eu-central-1 (Frankfurt) region.
  • Australia and New Zealand: Your data is stored in the AWS ap-southeast-2 (Sydney) region
  • North America and Rest of the World: Your data is stored in the AWS us-east-1 (Northern Virginia) and AWS us-west-2 (Oregon) region.
  • Canada: Your data is stored in the AWS (Montreal, QC) region.

The regions do not limit customer access to Butterfly Network: they only dictate the geographic location where data is stored and where compute resources are provisioned.  Note that while your data will be stored in the above regions, it may be accessed by Butterfly Network personnel located in the United States, but only to the extent necessary to support, secure and maintain the services in accordance with our contract with our customers. Data in pseudonymized or aggregated form may also be stored in our central storage and processing systems in the United States.

Is it true that public bodies in British Columbia and Nova Scotia must store all personal information they hold within Canada?

No, this is not the case. British Columbia’s Freedom of Information and Protection of Privacy Act (FOIPPA) and Nova Scotia’s Personal Information International Disclosure Protection Act (PIIDPA) contain exceptions whereby public bodies in those provinces can store personal information outside of Canada if the information has been identified to the individual and the individual who the information is about has consented to their information being accessed from or stored in another jurisdiction in accordance FOIPPA’s or PIIDPA’s regulations. PIIDPA provides further leeway to heads of Nova Scotian public bodies to allow the storage of personal information outside of Canada where the storage is to meet the necessary requirements of the public body's operation.

Does GDPR require EU personal data to stay in the EU?

No, GDPR does not require EU personal data stay in the EU. GDPR does restrict transfers of EU personal data outside the EU to countries like the United States, unless the recipient provides appropriate safeguards for such data. However, Butterfly Network's EU data processing addendum, which references our Privacy Shield certification, and the European Commission’s model clauses, enables our customers to lawfully transfer EU personal data to Butterfly Network located in the United States. You can find details of our Privacy Shield certification here.

What are the relevant roles of Butterfly, the patient, and medical professionals under GDPR?

When medical professionals transmit Patient Data to Butterfly they (or the hospital they work for) are the controller, Butterfly is typically the processor, and the patient is the data subject. As a processor, Butterfly commits to process EU Patient Data in compliance with the requirements of Article 28 GDPR in its standard data processing addendum (DPA), a copy of which is annexed to its standard terms (available upon request). 

Butterfly sometimes acts as a controller in its relationship with medical professionals, for example when Butterfly collects information about medical professionals for the purposes of marketing, sales and managing the relationship with the medical professional (or the hospital they work for).  

Butterfly may, where permitted by applicable law and its customers, also act as a controller with respect to certain Patient Data in connection with its deep learning activities. You can find out more about this by reviewing the Butterfly Patient Privacy Notice, which explains how we use Patient Data for such purposes. 

What is Butterfly doing to comply with and help its customers comply with the GDPR?

Butterfly has embarked on a compliance project with support from specialist external advisors to address GDPR compliance. Specific measures we have taken, in addition to those described above include:

  • Amending our contracts with vendors and customers to ensure the terms comply with the GDPR.
  • Ensuring our privacy policies and notices clearly explain Butterfly's commitment to GDPR and the rights which individuals have with respect to their data. You can review the Butterfly Privacy Notice here.
  • Formalizing our processes around data subject rights to ensure that we are able to more efficiently help our customers respond to data subject requests.
  • Ensuring the use of robust and appropriate security measures to safeguard any data collected and processed on systems owned or managed by Butterfly.
  • Carrying out Data Protection Impact Assessments to identify and minimize risks to Patient Data.
  • Maintaining accurate records of the personal information processing that we undertake. 

Butterfly Network is committed to GDPR compliance and understands the importance of this to its customers. 

How does Butterfly Network comply with EU data export laws?

EU data protection law prohibits the export of personal information outside of the European Economic Area ("EEA") to non-EEA recipients, unless certain safeguards are in place. 

Butterfly Network is headquartered in the United States, though it offers its Services to customers around the world, including medical professionals located in the EEA and Switzerland. Therefore, Butterfly will process personal information that originates from the EEA and Switzerland on its servers and facilities in the United States. 

To ensure compliance with EU data export laws, Butterfly has self-certified to the EU-US and Swiss-US Privacy Shield to facilitate the lawful transfer of data from the EEA and Switzerland to Butterfly for processing in the United States. To find out more about the Privacy Shield, see www.privacyshield.gov, or to view our Certification, see https://www.privacyshield.gov/participant?id=a2zt00000008hnlAAA&status=Active.  

In addition, where the transfer is not covered by Butterfly's Privacy Shield certification, Butterfly agrees to process EEA and Swiss data in compliance with the EU Standard Contractual Clauses (also sometimes called "Model Clauses"). These are standard form data export terms that have been pre-approved by the European Commission, and by signing them Butterfly commits to protect personal information (including Patient Data) it receives from its EU customers to EU data protection standards.

What about third parties who work with Butterfly?

When Butterfly contracts with a third party that in any way interacts with Patient Data, Butterfly first requires that these third parties pass a security and risk assessment to ensure they uphold the same standards as Butterfly with respect to personal information.  In addition, Butterfly ensures these companies are contractually obligated to implement and uphold equivalent security measures to protect Patient Data. 

Our current list of sub-processors is as follows, as our business grows and evolves, the subprocessors we engage may also change. Please check back frequently for updates.

Entity Name

Amazon Web Services, Inc. (AWS)
Aptible, Inc.
Auth0, Inc.
Avalara, Inc.
Celigo, Inc.
Google LLC (re: G-Suite, Google Cloud Platform)
Heap, Inc
Hotjar, Ltd.
New Relic, Inc.
Stitch Data.
Saleforce.com, Inc.
Slack Technologies, Inc.
Splunk Inc.
Zapier Inc.
Zendesk, Inc.

Do we need to provide notice to Patients about the processing Butterfly is doing? 

The data protection and privacy laws in some countries (require that patients be provided with information about how their data will be used and disclosed (including information about intended recipients of their information, and information about the agency that holds their information).  In some cases, this requires notice of the processing being undertaken by Butterfly. If this is a requirement in your jurisdiction, please provide patients with access to the Butterfly Patient Privacy Notice, to ensure that they understand how Butterfly may process and use their personal information in connection with the Butterfly Services. 

What if one of my patients asks for their Patient Data?

Certain privacy laws (including GDPR) give patients the right to request a copy of the data that you hold about them. This might be called a "data subject access request". If a patient makes a data subject access request directly to Butterfly, we will in our capacity as a processor pass the request on to you as soon as practicable and, where Butterfly holds the data requested, Butterfly will provide you with the relevant patient data in accordance with our contract with you. 

Can patients ask for anything else?

As well as the right to access data you hold about them, patients may also have other rights under applicable data protection and privacy laws (like GDPR in the EU). Such rights may include the right to have inaccurate or incomplete data rectified, have their data deleted or to ask that you stop processing their data. Patients may also be able to ask you to transfer the data that you hold about them to another medical professional. If a patient wishes to exercise any of their rights in relation to their Patient Data, we will provide you with reasonable assistance to facilitate your response to the patient's request.  If a patient contacts us directly seeking to exercise such rights, we will pass the request on to you as soon as practicable.  

What about the records Butterfly holds about medical professionals?

Butterfly also collects personal information about customers/medical professionals in order to promote Butterfly products, set them up with a Butterfly account, process orders, and respond to inquiries. These data are protected by the same security measures. Our Privacy Notice contains details of how Butterfly processes a medical professional’s personal information and the rights that they have with respect to it.

Where can I get more information?

If you have any questions or require assistance, please contact dpo@butterflynetinc.com