Last updated: 1st of August 2023
1.1. Happio Limited (the "Company", "we", "us" or "our”) respects your privacy and is committed to treating any information that we obtain about you with as much care as possible and in a manner that is compliant with all applicable data protection legislation including the EU General Data Protection Regulation 2016/679 (GDPR") and any national implementing laws in relation to the same including the Data Protection Act 2018 (collectively. "Data Protection Legislation").
1.2. We have appointed Dr Michael Temchin, as our data protection officer (DPO). If you have any questions about this privacy policy, please contact us by email at hello@happio.io or by post at Happio Ltd, Data Protection Enquiries, 83 Baker Street, London, England, W1U 6AG.
1.3. Please read this data protection and privacy policy (the "policy") carefully as it contains important information relating to your personal data.
1.4. This policy applies to your use of:
– the website software known as Happio website (as it may be rebranded, renamed or localised from time to time), the data supplied with such software, and any updates or supplements to it (the "Website")
– our mobile application software available on iOS and Android known in different forms as Happio (as it may be rebranded, renamed or localised from time to time) and any updates or supplements to it the "App");
– our web-based applications known as Happio Admin Dashboard (as it may be rebranded, renamed or localised from time to time) and any updates or supplements to it (the "Dashboard" and, together with the App, and Website, the"Software");
– any of the services accessible through the Software, including the tools which the Software provides to help mental healthcare professionals and the users to run therapy programmes and monitor various health data metrics (the "Services").
1.5. This policy sets out the basis by which any personal data we collect from you, or that you provide to us, will be processed. Among other things, it explains:
1.5.1. what personal data we may collect about you in connection with:
– providing you with access to, and your use of, our Software and Services;
– your online interaction with us (including via the App, Dashboard, Website, via email, or via telephone);
– any other interaction between you and us through any other channels related or ancillary to the foregoing (collectively, the "Data Processing Channels");
1.5.2. how we collect, store, disclose, transfer, protect and otherwise process that personal data (and for what purposes); and
1.5.3. other important information, such as the lawful basis or bases by which we process your personal data, how long we retain your personal data, and the rights you have in relation to the personal data we hold about you.
1.6. This policy supplements (and its terms apply in addition to) any other Terms of Service or other terms and conditions agreed between you and the Company from time to time, including our Terms of Service.
1.7. In this policy, terms defined in the GDPR, including "data subject", "personal data", and "processing", have the same meaning when used in this policy. The words "include", "including", "such as" and similar words and phrases shall be construed to mean "including without limitation".
1.8. This policy is intended to be communicated to you in a concise, transparent, intelligible and easily accessible manner, but we appreciate that you may have queries or want to seek clarification as to its terms. If so, please contact us and we will endeavour to respond as soon as possible.
1.9. The Company reserves the right to make changes to this policy from time to time including as may be necessary or desirable to reflect any changes in: (i) the ways in which we gather and process personal data: Data Protection Legislation; or (ii) best practice. The Company will endeavour to notify you of such changes but you are advised to check for an updated version of this policy at https://privacy.happio.io each time you interact with us through the Data Processing Channels.
1.10. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
2.1. We collect personal data about you through the Data Processing Channels when you:
2.1.1. access and use our Software and Services (including automatically by way of cookies or similar technologies - please refer to paragraph 10 below for more information);
2.1.2. send messages or submit information via the Software or otherwise interact with other users of the Software (including your therapist or other therapy group members, as the case may be);
2.1.3. register for an account on our Software or Services, or subscribe for or participate in other services, competitions, contests, special events, or our mailing list.
2.1.4. contact us (whether in writing, by email, by telephone or otherwise), including via any contact form available through the Data Processing Channels;
2.1.5. make any enquiry or application with respect to careers, vacancies or opportunities at the Company;
2.1.6. purchase, request or subscribe for a product (including the Software) or service (including the Services);
2.1.7. request technical support or other customer care support;
2.1.8. participate in polls, surveys and questionnaires on or related to the Data Processing Channels; or
2.1.9. otherwise interact with us through the Data Processing Channels.
2.2. Where lawful, we may also obtain personal data from third parties or public sources and we may process that information where it is an essential component of the products and services we offer you.
2.3. The type of personal data we process may include (if and as applicable depending on your use of the Software and Services):
2.3.1. technical data including the information obtained through the use of cookies or similar technologies when you use the Software ("Technical Data");
2.3.2. any information that you voluntarily provide (whether manually or automatically) through your use of the Software and Services, which is used to assist us in delivering the Services. For users, this is likely to include your medical history, your responses to questions asked during digital therapy with chat bot; and clinical questionnaire scores ("Health Data");
2.3.3. in relation to therapists, the identity and contact information of the therapist and the clinic where the therapist is employed, details relating to therapist specialisation and the therapist account password (which will be stored in a hashed/obscured manner) ("Therapist Data);
2.3.4. your identity and contact information, such as your name, user name, email address, date of birth, gender and other information provided by you when you register for an account on our Software or Services, or subscribe for other services, contests, special events or our mailing list ("Identity and Contact Data");
2.3.5. other information which you provide in any correspondence with us ("Correspondence Data );
2.3.6. if you enquire or apply for any vacancies or opportunities at the Company, your CV, educational background, employment history and any other information you provide in connection with the same ("CV Data");
2.3.7. in relation to any order, purchase or subscription made by you, your order details, payment information, preferences and other transaction information provided on obtained in connection with any product or service you have requested, bought or subscribed for ("Product and Service Data");
2.3.8. your responses to any polls, surveys and questionnaires we may run from time to time ("Response Data");
2.3.9. marketing and communications data, which includes your preferences in receiving marketing from us and our third parties and your communication preferences ("Marketing and Communications Data"); and
2.3.10. information ascertained by your other interaction with us through the Data Processing Channels, such as your usage history ("Usage Data").
2.4. We do not process:
2.4.1. any information about criminal convictions and offences, or
2.4.2. any information about children under the age of 13, and you should not provide us with any such information through any of the Data Processing Channels.
3.1. We use the personal data referred to in paragraph 2 above for the purposes of (if and as applicable):
3.1.1. providing you with access to, and facilitating your use of, our Software and the Services. For the avoidance of doubt, this means in the case of users allowing your nominated therapist to access, filter and process your personal data, including Health Data;
3.1.2. applying our proprietary algorithm to Health Data in order to derive new data which can be used to provide a more precise programme, exercises, referrals and recommendations for you,
3.1.3. personalising content on the Software, Services or through our other Data Processing Channels;
3.1.4. sending you promotional and marketing materials, notifications, updates and exclusive news (in accordance with your Marketing Communications Data preferences);
3.1.5. processing payments and fulfilling orders for products and/or services;
3.1.6. conducting internal training and other internal uses to improve our services and customer experience (including improving our marketing and promotional efforts, analysing channel usage statistics, improving content and product offerings and customising the content and layout of our Software and Services);
3.1.7. responding to any correspondence from you including enquiries, comments, complaints and request for technical assistance;
3.1.8. if your data was provided in connection with a career opportunity or vacancy, assessing your eligibility for any particular role;
3.1.9. administering any polls, services, questionnaires, competitions, contests, or special events which you may have subscribed for or participated in;
3.1.10. recording your purchase or usage history and administering your account with us;
3.1.11. market research and demographic studies;
3.1.12. complying with any legal obligation; and
3.1.13. otherwise carrying out our business activities in circumstances where you ought reasonably to have an expectation that we will process your personal data for a particular purpose including as may be provided for in our Terms of Service or any other agreement between us.
3.2. We may process your personal data for the purposes set out in paragraph 3.1 ourselves or with the help of our third party service providers in accordance with paragraph 6. You are reminded that, if you use the Software, your data will be accessible through the Dashboard to your nominated healthcare professionals.
4.1. Health Data
4.1.1. Because elements of your Health Data will constitute special categories of personal data for the purposes of the Data Protection Legislation, our lawful basis for processing your Health Data will usually be your explicit consent. Where you are asked to give such explicit consent, such consent refers to the processing of your Health Data for the specific purposes set out in clause 3.1 or such other specific purposes as may be communicated to you within the Software when you give such consent. You should not consent to such processing including by accepting the terms of this policy), unless you wish to give the Company your express, freely given consent to process your Health Data in accordance with the terms of this policy.
4.1.2. In certain circumstances, we may also process Health Data on the following lawful bases, if permitted by Data Protection Legislation:
4.1.2.1. processing for the purposes of preventative or occupational medicine; or
4.1.2.2. processing where necessary for reasons of public interest in the area of public health.
4.2. Marketing
For marketing emails which relate to your use of our Software or Services and may reasonably be considered to be service communications, we may rely on our legitimate interests and the performance of our agreement with you. Occasionally, however, we will obtain your consent before sending marketing communications to you (e.g via email or text message).
4.3. Consent
4.3.1. Where your consent is our lawful basis for processing your personal data (e.g. under clauses 4.1.1 and 4.2), you may withdraw your consent at any time by contacting us at hello@happio.io. You can also unsubscribe from certain marketing emails by following the unsubscribe link displayed at the bottom of each email.
The withdrawal of your consent does not affect the lawfulness of processing based on consent before withdrawal or the lawfulness of processing based on other lawful grounds.
4.4. Other lawful bases
The Company may process your personal data in any circumstances where such processing is necessary:
4.4.1. in order to perform any agreement between us (including pursuant to our Terms of Service or any other agreement between us);
4.4.2. to comply with any applicable law or regulation; or
4.4.3. for the purposes of the legitimate interests pursued by us or third parties. These legitimate interests include the purposes identified above in paragraph 3.1 but also include other commercial interests and our internal administrative purposes.
4.5. We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data.
4.6. More information about which lawful basis is used for which data processing activity is set out in the table below:
Purpose/Activity | Lawful basis for processing including basis of legitimate interest |
---|---|
To register you as a new user | (a) Your consent (in the case of special categories of personal data) (b) Performance of a contract with you |
To process in-App purchases and deliver Services including managing payments and collecting money owed to us | (a) Performance of a contract with you (b) Necessary for our legitimate interests (to recover debts due to us) |
To provide, personalise and improve the Services (including sharing information with nominated clinicians) | (a) Your consent (in the case of special categories of personal data) (b) Performance of a contract with you (c) Legitimate interest to develop the Services, improve user accessibility and tailor the user experience) |
To promote safety, integrity and security (a) Performance of a contract with you | (b) Legitimate interest (to provide security of the Software) (c) if applicable, the lawful bases mentioned in clause 4.1.2. |
To manage our relationship with you which include: (a) Notifying you about changes to our terms (b) Asking you to leave a review or to keep our survey records updated and to study how you use our products/services | (a) Your consent (where special categories of personal data are concerned) (b) Performance of a contract with you or privacy policy (c) Necessary to comply with a legal obligation |
To administer and protect our business and Software, to prevent fraud (including our business provision of administration and IT troubleshooting, data analysis, testing services, network security, the system maintenance, support, hosting of data) | (a) Necessary for our legitimate interests (b) Necessary to comply with a legal obligation |
To deliver relevant Software content | (a) Necessary for our legitimate interests (to study and measure how customers use our products/services, to develop better user experience) |
To use data analytics to improve our products/services, to keep our Software updated and relevant | (a) Necessary for our legitimate interests (to define types of customers for our products and services, to improve marketing) |
To make suggestions and recommendations about services that may be of interest to you | (a) Necessary for our legitimate interests (to develop products/services and grow our business) |
4.7. We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
4.8. If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
4.9. Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5.1. Where we need to collect personal data by law, or under the terms of an agreement we have with you, and you fail to provide that data when requested (or fail to consent to the processing of that data, if necessary), we may not be able to perform the contract or arrangement we have or are trying to enter into with you (for example, to provide you with products or services). In this case, we may have to cancel a product or service you have with us but we will endeavour to notify you if this is the case at the time.
5.2. Whilst we may be able to provide you with certain products and services notwithstanding your refusal to submit personal data, this may limit your ability to participate in some activities, or use certain features, services or functionality.
5.3. Because our Software and the Services we offer are dependent on being able to process your Health Data, if you withdraw your consent you acknowledge and agree that we may be unable to provide you with all or any part of our Software and Services.
6.1. We will not share any of your personal data with third parties except as set out in this paragraph 6 or otherwise notified to you or agreed between you and us from time to time.
6.2. Where you are enrolled in a programme, you might be contacted by a nominated specialist (psychologist, therapist or coaching expert) to support you during the course of the programme.
6.3. From time to time, we will also need to share personal data with the following types of third party service providers who we engage to provide services which facilitate our business and who may need to process your personal data to the extent necessary to provide those services:
6.3.1. Amazon Web Services, the servers we use for data hosting;
6.3.2. Payment Systems, the payment processing systems we use for our apps and websites;
6.3.3. Any similar or replacement third parties from time to time.
6.4. We seek to ensure that any third party engaged by us who processes your personal data in connection with the purposes listed above has policies and procedures in place to ensure compliance with the Data Protection Legislation.
6.5. For any third parties that are based, or process data, overseas, we only engage such third parties in accordance with GDPR legislation.
6.6. Unless otherwise disclosed to you from time to time, we will remain the data controller in respect of your personal data notwithstanding that third parties may be engaged as data processors.
We may also share your personal information with third parties where we are required to do so by law or regulation (such as in connection with an investigation of fraud or other legal enquiry) or in connection with other legal proceedings (including where we believe that your actions violate applicable laws, our Terms of Service or any other arrangement between us, or any usage guidelines for specific products or services, or threaten the rights, property, or safety of our Company, our users, or others).
Subject to any conditions or requirements set out in the relevant Data Protection Legislation, you may have some or all of the following rights in relation to the personal data we hold about you:
7.1. the right to request a copy of your personal data held by us;
7.2. the right to correct any inaccurate or incomplete personal data held by us;
7.3. the right to request that we erase the personal data we hold about you;
7.4. the right to request that we restrict the processing of your data;
7.5. the right to have your personal data transferred to another organisation,
7.6. the right to object to certain types of processing of your personal data by us; and
7.7. the right to complain (please see paragraph 12 of this policy).
Please note, however, that these rights are not absolute and may be subject to conditions and provisos set out in relevant Data Protection Legislation. The Company cannot therefore guarantee that any request from you in connection with the rights set out above will be agreed to. For further information, or to see if you can exercise any particular right, please contact us at hello@happio.io.
8.1. As a minimum, we need to store your data for as long as is necessary to enable us to provide you with access to our Software and the Services (or to support your use of our Software and Services, such as maintaining your account). However, we will retain certain of your personal data for longer if we think it is reasonably necessary to do so in the circumstances, taking into consideration factors such as:
8.1.1. our need to perform any agreements between you and us;
8.1.2. our need to answer any queries or resolve any problems you may have;
8.1.3. your continued consent;
8.1.4. your continued use of the Software;
8.1.5. our continued provision of Services to you; and
8.1.6. our need to comply with legal requirements (e.g. relating to record keeping).
8.2. Information about you that is no longer necessary and relevant to provide our Services may be de-identified or aggregated with other non-personal data to provide insights which are commercially valuable to us, such as statistics of the use of the Services. For example, we may retain anonymised Health Data and other anonymised information to continue to improve the Services.
8.3. If you tell us that you would like to delete your account, we will take steps to delete all the personal data we hold about you once it is no longer necessary for us to hold it. Your personal data will also be deleted from the Software.
8.4. For as long as we do store your data, the Company follows generally accepted industry standards and maintains reasonable safeguards to attempt to ensure the security, integrity, and privacy of the information you have provided.
8.5. Information you provide is stored on Amazon Web Services (AWS) servers. AWS employs a high level of data protection safeguards, more information of which can be seen here: https://docs.aws.amazon.com/whitepapers/latest/aws-overview/security-and-compliance.html
8.6. The Company has security measures in place designed to protect against the loss, misuse, and alteration of the information under our control. Personal data collected by the Company in connection with this policy is stored in secure operating environments that are not available to the public. The Company maintains information behind a firewall-protected server and uses SSL encryption for purchases made through our online store. All password information is hashed and never stored in plain text.
8.7. Notwithstanding our efforts to keep your personal data secure, no system can be 100% reliable. To the extent permitted by law, we cannot be held liable for any loss you may suffer if a third party procures unauthorised access to any data you provide through the Data Processing Channels. In addition, you are responsible for maintaining the strength and confidentiality of any login credentials.
8.8. We will notify you as soon as reasonably practicable if we have reason to believe that there has been a personal data breach by us which could adversely affect your rights and freedoms.
9.1. Our Software may contain links or redirections to other websites that are beyond our control. Such links or redirections are not endorsements of such websites or representation of our affiliation with them in any way and such third party websites are outside the scope of this policy.
9.2. If you access such third party websites, please ensure that you are with their respective privacy policies before you provide them with any personal data. We cannot be held responsible for the activities, privacy policies or levels of privacy compliance of any website operated by any third party.
A cookie is a small file of letters and numbers stored on your browser or the hard drive of your computer or your device. Cookies contain information that is transferred to your computer's hard drive or device.
10.1. Our Software uses cookies to distinguish you from other users of our Software. This helps us to provide you with a better experience when you browse our Software and also allows us to improve our Software.
10.2. Some data collected by cookies is collected on an anonymous and/or aggregated basis. Where we use cookies that contain personal data, we will only process that personal data as set out in this policy.
10.3. Our Software uses some or all of the following cookies:
10.5. Please note third parties (including, for example, providers of external services like web traffic analysis services) may also use cookies and other technology (e-E-web beacons), over which we have no control.
10.6. Your browser may give you the ability to block all or some cookies by activating a setting in your browser's options. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our Software or Services.
10.7. Except for essential cookies, all cookies will remain unless the cookie cache is cleared.
11.1 For all questions or complaints about this policy, we would appreciate the chance to deal with your concerns before you approach the relevant data protection authority. Please contact us in the first instance via email at hello@happio.io or write to Happio Ltd, Happio Ltd, Data Protection Enquiries, 83 Baker Street, London, England, W1U 6AG.
11.2 You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues, which in the UK is the Information Commissioner's Office (ICO) (www.ico.org.uk).