PainChek UK Terms of Service

Last updated: April 2024

1. Background

A. PainChek UK Limited Company Number 12170151 (PainChek, we, our, us) owns, operates and licenses access to systems (PainChek Platform) and a mobile application (PainChek Application) through which it provides pain assessment services as described in this agreement (Services).

B. The PainChek Platform and the PainChek Application seek to improve a patient’s quality of life by providing real-time, point of care diagnostic information using facial recognition technology and other subjective measures that indicate the presence of pain.

C. The terms of this agreement (Service Terms) govern the Services offered by PainChek to you as a healthcare provider (Provider) located in the United Kingdom.

D. On executing these Service Terms, you (and the entity you represent) agree to be bound by these Service Terms.

2. Overview of Services

2.1 As part of the Services, PainChek offers:

2.2 The scope and features of the Services (including part of the payment terms) are set out in Schedule 1.

3. Subscribing to the Services

3.1 When you first sign up to receive the Services, a new user account will be created by PainChek (Your Account). After the creation of Your Account, you, as a Provider, can use Your Account to access and manage the Services you have subscribed to and set up users of Your Account in accordance with these Service Terms (Your Subscription).

3.2 Your Subscription will commence on the Go-Live Date.

4. Your Account

4.1 You must keep confidential Your Account and password and are responsible for all activities that occur under Your Account.

4.2 In accordance with the scope and features of the Services set out in the Schedule and clause 7:

5. Subscription Periods

5.1 Refer to Nourish Standard Terms and Conditions

6. Term and Termination

6.1 Refer to Nourish Standard Terms and Conditions

7. Fees

7.1 Refer to Nourish Standard Terms and Conditions.

8. Changes to Fees

8.1 We may change the Fees for the Services at any time by:

8.1.1 updating these Service Terms; and

8.1.2 supplying you with a Change Notice in accordance with clause 9.1.

8.2 Any change to the Fees for the Services will not take effect until after the 30 day period and opportunity for you to terminate referred to in clause 9.2 has passed.

8.3 Fees for the Services may be increased by up to 10% per annum, except in cases of significant change to the Services. Any changes are subject to clause 8.2.

9. Changes to the Service Terms

9.1 Refer to Nourish Standard Terms and Conditions

10. PainChek Platform Use

10.1 Your use of the PainChek Platform takes place through a non-exclusive and non-transferable licence to access and use the PainChek Platform we grant to you for the sole purpose of supplying the Services to you in accordance with their terms. In exchange for the grant of this licence and our supply of Services, you agree to pay the Fees applicable to Your Subscription for the Services promptly and on time.

10.2 You must, and agree to, in relation to your use of the PainChek Platform:

(a) comply with any restrictions notified by PainChek from time to time, including reasonable requirements in relation to security and data protection;

(b) comply with any terms of use for the Services which may be accessed on the PainChek Website, as amended from time to time;

(c) not:

(d) comply at your own expense with all reasonable directions of PainChek to establish and/or maintain access for you to the PainChek Platform and Services, assisting PainChek to negotiate and carry out any necessary adaptations to, or integration of, the PainChek Platform and any existing application or software used by you; and

(e) only use supported devices, operating systems and/or browsers to access the PainChek Platform and the PainChek Application.

11. Information and Intellectual Property

11.1 If either party receives any Confidential Information from the other, the receiving party must only use the other’s Confidential Information in a limited way to perform its respective obligations or exercise its respective rights under these Service Terms.

11.2 Each party must keep the other’s Confidential Information secret and safe, treat it as its own confidential information and return it to the other party within a reasonable time after Your Subscription to all Services which use such information has been cancelled or terminated in accordance with these Service Terms.

11.3 The obligations in clauses 11.1 and 11.2 do not:

(a) apply to Confidential Information that is:

(b) prevent PainChek from including your Confidential Information in any report requested by a Government Agency, provided that to the extent permitted, PainChek gives you prior notice and consults with you as to any reasonable effort to object to the inclusion.

11.4 The Services, the PainChek Application, the PainChek Platform and all materials we provide to you are and remain the intellectual property of PainChek and all rights not expressly granted to you under these Service Terms are expressly reserved to PainChek. PainChek may store, access, modify, disclose and otherwise use the Aggregated Data for any purpose, and you agree to obtain all necessary consents to facilitate the same.

11.5 PainChek shall indemnify the Provider in full against any sums awarded by a court against the Provider arising out of or in connection with any claim brought against the Provider for infringement of a third party’s rights (including any Intellectual Property Rights) arising out of or in connection with the receipt or use of the Services by the Provider.

11.6 Neither party may issue any media release, promotional material or publicity in connection with its relationship with the other party, or otherwise refer to the other party or any trade mark of the other party without the prior written approval of the other party, not to be unreasonably withheld.

12. Data Processing

12.1 PainChek confirm that, in their capacity as a data processor, the nature and the purpose of the processing is to supply services to the Provider in their capacity as a data Controller as instructed from time to time in accordance with this Agreement. Schedule 2 to this agreement sets out the categories of data subjects, categories of processing carried out by PainChek, and the purpose for which PainChek processes the Controller’s personal data.

12.2 For so long as PainChek is processing personal data on the Controller’s behalf in a capacity as data processor, the Controller will:

a. be the data controller for the purposes of Data Protection Laws;

b. provide PainChek with any details of the types of personal data that it provides to PainChek for processing from time to time (inclusive of details about any special categories of personal data);

c. ensure that it has secured all necessary appropriate consents, registrations and notifications as may be required to enable the lawful transfer of the personal data to PainChek (and to make such further transfers to third parties as envisaged under clause 12), and in order for PainChek to process such personal data to the extent required for, and for the duration of, our provision of services to the Controller;

d. provide PainChek with documented instructions for processing of the personal data; and

e. be accountable to PainChek for all costs, claims, damages and expenses (including legal costs) arising out of, or in connection with, any failure to comply with the requirements of this clause 12.

12.3 In relation to any personal data processed by PainChek where we are acting in the capacity as data processor, without prejudice to our rights and obligations where we are a data controller, we shall:

a. process that personal data only on the Controller’s reasonable and lawfully given written instructions unless we are required otherwise under any applicable law. Where we are relying on applicable law as the basis for processing personal data outside of the Controller’s instructions, we shall promptly notify the Controller of this unless such laws prohibit PainChek from doing so;

b. not process such personal data for our own purposes without the Controller’s prior written consent. For the avoidance of doubt, this shall not apply to PainChek where we are the data controller of any personal data;

c. ensure that we have in place appropriate technical and organisational measures to ensure a level of security appropriate to the data security risks presented by processing such personal data, including (without limitation) the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, having regard to the state of technological development and the cost of implementing any measures (those measures may include, where appropriate, pseudonymising and encrypting personal data, ensuring confidentiality, integrity, availability and resilience of its systems and services, ensuring that availability of and access to personal data can be restored in a timely manner after an incident, and regularly assessing and evaluating the effectiveness of the technical and organisational measures adopted by PainChek);

d. regularly review and update the technical and organisational measures implemented in order to demonstrate to the Controller that the processing of the personal data is performed in accordance with the Data Protection Laws upon request;

e. ensure that all personnel who have access to and/or process personal data are obliged to keep the personal data confidential;

f. put in place appropriate safeguards to protect the personal data including (without limitation), executing with the Controllers such further documentation as may be necessary for the transfers to be lawful, such as standard contractual clauses in the form approved by the European Commission as such contractual clauses are from time to time amended and updated;

g. put in place enforceable data subject rights and effective legal remedies for data subjects as required by the Data Protection Laws;

h. notify the Controller without undue delay on becoming aware of a personal data breach;

i. promptly inform the Controller of any complaints, requests or enquiries received from data subjects, including but not limited to requests to access, correct, delete, block or restrict access to their personal data or receive a machine-readable copy thereof;

j. at the Controller’s request and sole cost, assist the Controller in responding to any request from a data subject with respect to any complaints, requests or enquiries security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;

k. immediately inform the Controller if, in our opinion, an instruction infringes Data Protection Laws;

l. at the Controller’s written direction, delete or return personal data and copies thereof to the Controller on termination of the agreement unless we are separately a data controller of such information or are required by applicable law to retain the personal data. Where the Controller terminates part only of the services that we provide to it, then this clause 12.4(l) shall only apply to the part of the services that have been terminated;

m. allow for limited audits, at the Controller’s sole cost (including in respect of any of our own associated costs), which shall be strictly limited to the specific documents or information or part of any document or information that are reasonably necessary (as determined by PainChek acting reasonably) to demonstrate our compliance with the obligations of the Data Protection Laws as they directly relate to personal data that the Controller is the data controller of. Such audits shall be carried out no more than once in any twelve month period by the Controller or such designated auditor that we are satisfied is not our competitor (as we determine, acting reasonably) and audits shall be on not less than 30 business days’ notice on a date agreed with PainChek and shall be carried out during normal working hours on a business day and shall not unreasonably disturb our operations; and

n. maintain a written record of processing activities to demonstrate our compliance with clause 12, for which Schedule 2 to this agreement shall constitute a part thereof as at the date that the agreement for services between PainChek and the Controller has been entered into, and which shall include, as a minimum:

12.4 Where the Controller submits personal data to PainChek from within the European Economic Area (EEA), such information may be transferred to countries outside the EEA. By way of example, this may happen if one or more of our third party service providers with whom we share personal data in accordance with clause 12.5 are located, or have their servers located, outside the Controller’s country or the country from which the data were provided. If we transfer personal data that the Controller provides to PainChek (in our capacity as a data processor) outside the EEA then we will take steps to ensure an adequate level of protection to any personal data that is transferred. We will use our reasonable endeavours to work with the Controller to apply for and obtain any permit, authorisation or consent that may be required under Applicable Data Protection Law in respect of the implementation of this clause 12.4.

12.5 The Controller acknowledges and agrees that PainChek may in the course of providing services, process, access and/or store (permit affiliates or third party subcontractors to process, access and/or store) the Controller’s personal data in one or more countries which are outside of the EEA and for which there are not adequate safeguards otherwise in place, provided that such processing takes place in accordance with the requirements of clause 12.4 and applicable Data Protection Laws. The Controller hereby grants PainChek a mandate to enter into the Standard Data Protection Clauses with third party subcontractors or affiliates on behalf of and as agent for the Controller. Where we add or replace our third party subcontractors from we will provide written notification, which may be as part of a supplier list on our website, which the Controller should check regularly. The Controller has the right to object to any such changes that we may introduce appointed subcontractors.

12.6 As between the Controller and PainChek, we may remain liable for acts or omissions of any third-party processor appointed by PainChek pursuant to clause 12.4, however please note that where the Controller enters into contract directly with any third parties, then they may have their own privacy policies and terms and conditions, which we have no control over, accept no responsibility for, and shall have no liability for.

12.7 We may, at any time on not less than 30 days’ notice, revise this clause 12 by replacing it with any applicable controller to processor standard clauses or similar terms forming part of an applicable certification scheme (which shall apply when replaced by attachment to this agreement).

12.8 Save to the extent expressly stated otherwise, the Controller shall bear all costs associated with PainChek’s compliance with the terms set out in this agreement; and shall indemnify PainChek from and against all costs, expenses (including legal and other professional fees and expenses), losses, damages and other liabilities of whatever nature (whether contractual, tortious or otherwise) suffered or incurred by us which arise out of or in connection with any breach of the terms set out in this agreement.

13. Liability

13.1 You acknowledge and agree that:

13.2 Otherwise refer to Nourish Standard Terms and Conditions

14. General

14.1 Refer to Nourish Standard Terms and Conditions.

15. Contact

15.1 Refer to Nourish Standard Terms and Conditions.

16. Notices

16.1 Refer to Nourish Standard Terms and Conditions.

17. Definitions

17.1 The following definitions apply in this document (unless context requires otherwise):

Aggregated Data means any data collected or generated by PainChek in the course of supplying the Services which is a form that does not permit you or any natural persons to be identified as the source or the subject of that data.
Business Day means a day on which banks are open in England. It does not include a public or bank holiday in England.
Data Protection Law(s) means (a) EU or Member State laws applicable to any Controller Personal Data in respect of which PainChek is subject including, without limitation, the GDPR for so long as it remains in legal effect; and (b) any other Applicable Law with respect to Controller Personal Data in respect of which is subject.
Go-Live Date means the date on which PainChek commences making the Services available in accordance with these Service Terms, as advised to you by PainChek in writing.
Government Agency means any government or any governmental, semi-governmental, administrative or fiscal body, court or other judicial body, department, commission, authority, agency or entity.
PainChek has the meaning given in Background A.
PainChek Application has the meaning given in Background A.
PainChek Application Expansion has the meaning given in Background A.
PainChek Application Training has the meaning given in Background A.
PainChek Platform has the meaning given in Background A.
PainChek Software Updates and Backend Support means Services of that name described in the Schedule, as amended from time to time.
PainChek Website means a person that is a current resident at the Provider at that point in time.
Patient (or Resident) means a person that is subject of the PainChek Platform and PainChek Application’s assessment.
Provider has the meaning given in Background C and extends to providers of health care or related goods or services.
Schedule means the schedule to this document.
Service Terms has the meaning given in Background C and means these PainChek Application Services – Service Terms, as amended from time to time.
Services has the meaning given in Background A and extends to those services set out in clause 2.1 and more fully described in the Schedule, as updated from time to time.
Training Package means the number of training sessions which are included in the scope and features of the Services, as specified in the Schedule.
Your Account has the meaning given in clause 3.1.
Your Subscription has the meaning given in clause 3.1.

Schedule 1 – Services and Payment Schedule

The scope and features of the Services (including part of the payment terms) are as follows:


(a) Access to PainChek Application and Use of PainChek Platform:

• Unless otherwise agreed by parties, access to the PainChek Application and use of the PainChek Platform for up to the number of Approved Places listed on your PainChek Order Form.

• Access to the PainChek Application, running on supported devices, owned by you. The PainChek Application allows for patient management, including creating and updating Patient records and performing and reviewing pain assessments.

(b) PainChek Training Package:

(c) PainChek E-learning Platform

(d) PainChek Software Updates and Backend Support:

(e) PainChek Application Expansion:

Schedule 2 – Description of the Processing and Content of Processing

This Schedule on description of Processing (“Schedule 2”) is a Schedule to and forms an inseparable part of this agreement.

The purpose of this Schedule 2 is to supplement this agreement with more detailed description of the type of personal data provided by the Controller to PainChek and categories of the Data Subjects included thereto.

Unless expressly otherwise stated, the applicable definitions provided in this agreement shall be applied to this Schedule 2.

Categories of data
Please specify the personal data that is processed

Resident data: first names, last names, nicknames, gender, dates of birth and avatars.

Care home data: institution name, ward, room and bed number.

Care home staff members: names, phone number, email addresses and avatars.

Special Category data
Please specify the special category personal data that is processed

score data for each pain assessment. Resident comments (care home staff entered comments about a resident). Resident pain relief (recording of pain relief, i.e. medications or therapies administered to a resident).

Categories of Data Subjects
Please specify the categories of data subjects whose personal data is processed

Resident data, care home staff data, care home institution data.

Processing Operations
Please specify all processing activities conducted

Residents operations:

Registration, Admission management, Pain Assessment recording, Comment recording, Pain Relief recording

Care home staff member operations:

Registration, User management (including emailing activation and password notifications), PainChek update notifications (infrequent notifications of updates to the PainChek system)

Care Home operations:

Please specify all purposes for which the personal data is processed

To perform the services set out in this agreement.

Please specify the length of time for which data processing activities will be carried out

The duration of this agreement only.

Technical and Organisational Data Security Measures

PainChek is obliged to maintain the confidentiality and security of any personal data provided to it by the supplier, and has implemented and will maintain appropriate technical and organisational measures and information security routines intended to protect personal data.

PainChek will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of personal data processed by PainChek as part of the services, in accordance with PainChek’s security policy which is available on request. PainChek will not materially decrease the overall security of the services provided during the term of this agreement.