Nujjer Privacy Notice
Last amended on 10 December 2019
Buddi Limited is committed to protecting your personal data (personally identifiable information) and upholding your right to privacy. This privacy notice describes the collection and processing of personal data by Buddi as well as an overview of the rights which you have in relation to your personal data. It applies to information which you may provide directly to us or via third parties.
Our policy is to be as transparent as possible about how and why we process your personal data. However, should you have any queries please contact us at either privacy@buddi.co.uk or write to the Data Protection Officer, Buddi Limited, Talbot House, 17 Church St, Rickmansworth WD3 1DE, UK.
Buddi is registered with the UK Information Commissioner’s Office as a Data Controller (Reg No. Z9274127) and has in place a comprehensive Data Protection Policy.
What information do we collect?
We use different methods for collecting your personal data, including:
Direct interactions: by your signing up to or purchasing one of our products and/or services, corresponding with us via any method, or downloading a Buddi or nujjer App. We collect and process information provided when you when you fill out forms on our websites or use our web portals or Apps. This may include information provided during completion of surveys and other online tools, entering a competition or promotion and if you report a problem with our Solution.
Indirect interactions: by signing up to one of our products and/or services via a third party (e.g. GP) in which case we take steps to ensure that this personal information is transmitted securely into our system.
Automated technologies: As you interact with a Buddi or nujjer website or App, we may automatically collect technical data about your equipment, browsing actions and patterns, traffic data, location data, weblogs and the resources that you access.
Information collected as part of the nujjer programme
The nujjer programme provides access to the nujjer mobile application (App) and a nujjer wristband, collectively the nujjer system.
Information collected for nujjer programme users shall include some, or all, of the following:
· NHS Number
· Age/Date of Birth
· Gender
· Ethnic origin
· Address
· Telephone number
· Email address
· Highest educational qualification
· Height at baseline
· Weight at baseline, 6 months and 12 months
· BMI at baseline, 6 months and 12 months
· HbA1C blood tests result at baseline, 6 months and 12 months
· Reason for referral
· Number of activities completed
· Personalised texts, emails and phone calls (if applicable)
· Goals and targets set
· Daily physical activity and rested hours
· Eating times and frequency
· Events including crave, lapse and achievements
· Responses from baseline, 6-month and 12-month surveys
· Band registration
· Battery level and status
· Details of direct interactions with the nujjer team
· Other information that may from time to time be determined as required as part of our ongoing programme development and improvement
Data including ethnicity, level of education and address is collected for the purpose of statistical analysis. This will allow providers, CCGs and NHSE, in the long run, to better serve patients and the community by addressing patient needs. Furthermore, collecting demographic data is used as a way to tackle health inequalities by identifying those that are under-served and/or at risk.
Information collected via our App
Data is collected from the user’s wristband and App to support the requirements of the nujjer programme.
Automated technologies record physical activity and resting time, as well as crucial system information e.g. battery levels.
Direct inputs as a result of physical interactions with the wristband or App are also recorded, e.g. logging of craves, lapses and achievements.
The App needs to be able to communicate with, and control some functions of, the mobile device it is installed upon. In order to do this, Trackers and Permissions are embedded in the App.
Permissions are actions that the mobile App is able to perform. For example, you will be required to agree to:
· receive push notifications
· use Bluetooth
· access the camera (optional)
Trackers are used to collect data about App usage and to record information about crashes that may occur. This data helps us to continually develop and improve our product.
Information collected via our websites and web portals
When you visit our websites or web portals, we collect your IP address. This is commonplace across all Internet services to both enable the investigation of issues such as malicious use, but also to ensure that you see content that is relevant to you and your location. Cookies (a cookie file stored on your hard drive) may also be used to store log in and session information to help give you a smooth user experience, improve the system and deliver a better and more personalised service.
Buddi Limited uses cookies for essential functional purposes to provide users with the best experience of our website. This usage does not identify the user in any way and is not used for tracking, analytical or any unlawful purposes.
For your privacy Buddi Limited does not use cookies on www.nujjer.com to store your data, or for marketing purposes.
You may refuse to accept cookies by changing the settings on your device. However, this may affect your ability to access certain parts of the system. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you visit the website/web portal.
How do we use your information?
We shall only use your personal data when the law allows us to do so.
When you set up the nujjer system we may ask for personal information to personalise your profile and to identify you. We process information gathered to provide the service which you, or someone on your behalf, have contracted us to supply.
We may also analyse information to see what is most effective about our solution to help us identify whether it is functioning correctly, ways to improve it and to make it more effective.
We may also collect information for other purposes, which we would describe to you at the point when we collect the information. This applies to all personal data collected, which might include some of the following:
· The performance of a contract we are about to enter into, or have entered into, with you
· Enabling suppliers or service providers to carry out certain functions
· To comply with applicable law
· Where you have consented to our collection and use
Please note that in instances where we refer to ‘performance of a contract’ this may include performance of a contract which has been entered into via a third-party. In such circumstances we are either relying upon our legitimate interests or expect the third-party has suitable authority for us to carry out such activity.
How long do we hold this information?
Your personal information may be retained for a maximum of 21 years following completion of the nujjer programme or pilot. At that point, the information will be destroyed according to the then-current data destruction policy.
You have the right to request deletion of your personal data – please refer to the section “What are my rights regarding my personal data?” below.
Will we disclose your information to, or share it with, other organisations?
We will not share personally identifiable information (information that contains a personal identifier like your name, address or email address).
Buddi is dedicated to maintaining the privacy and integrity of your personal data. As such, we have policies and procedures and other safeguards to help protect your personal data from improper use and disclosure.
We follow a Minimum Necessary Access Policy so any required disclosure of your identifiable information is minimised.
Any data shared as part of a pilot, e.g. when we are working in partnership with other organisations and medical practitioners, shall be non-identifiable with all personal details (e.g. name, address and date of birth) removed, unless you have separately consented for your personal details to shared with a specific third-party. In some cases, data may be pseudonymised.
How much personal data is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure.
The following categories describe different ways that we use your personal data within Buddi and disclose your personal data to persons and entities outside of Buddi. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorisation.
Disclosure at your request: We may disclose information when requested by you. This disclosure at your request may require written authorisation by you.
Payment: We protect the security of your information with encryption. We do not share customer details with any third parties other than those details required by third parties for the purposes of processing payments.
Operations: We may use and disclose your personal data for our internal operations, which include administration, planning and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve quality of the service, monitor customer satisfaction and internal training.
Reminders and notifications: We may use and disclose your personal data to contact you as a reminder to interact with, or complete tasks relating to your use of the nujjer system.
Business associates: There are some services provided in our organisation through contracts with business associates. Examples of business associates include accounting services, monitoring services, server hosting and email delivery. We may disclose your personal data to our business associates so that they can perform the job we have asked them to do. To protect your personal data, we require our business associates to sign a contract or written agreement stating that they will appropriately safeguard your personal data.
Threat to health or safety: We may use and disclose your personal data when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
As required by law: Certain laws permit or require certain use and disclosures of personal data for example, for public health activities, health oversight activities and law enforcement. In these instances, Buddi will only use or disclose your personal data to the extent the law requires.
For research and publicity purposes: We may use personal data for internal and external research and publicity purposes. This may include publishing aggregate anonymised information about our users in the context of providing public health information and conducting academic research.
Transfer of business assets: If Buddi Limited or substantially all of its assets are acquired by a third-party, personal data held about our customers may be one of the transferred assets.
Where your personal data is stored
All information and data you provide to us is stored on secure servers with trusted third-party suppliers located within the European Economic Area. Our suppliers also comply with the EU General Data Protection Regulation (GDPR) which sets out a number of data protection requirements, which apply when personal data is being processed.
All passwords are stored in encrypted form and all sensitive traffic is transmitted securely via secure methods. However, it may be possible that your data is transferred to, and stored at, a destination outside the EEA by or to staff who work for one of our suppliers. Such staff may be engaged in, among other things the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing.
Unfortunately, despite these measures, the transmission of information via the internet is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted and any transmission is at your own risk. Once we have received your information, we will use strict procedures to try to prevent unauthorised access in accordance with our Data Protection Policy and responsibilities as a registered Data Controller in the UK.
What are my rights regarding my personal data?
You have certain rights with respect to your personal data. If we do not agree to a request by you with respect to privacy or your personal data, please contact the Data Protection Officer.
It will be necessary for Buddi Limited to verify your identity in order to respond to any request.
Right to be informed: You have the right to receive details of a privacy notice which is concise, transparent, intelligible and easily accessible, free of charge, written in clear and plain language. Depending on which product or service you use, more than one privacy notice may apply. You have the right to request an accounting from us of certain disclosures made by us. We will generally provide you with your accounting within 30 days of your request. In addition, we will notify you as required by law if there has been a breach of the security of your personal data which may put you or your privacy at risk. Where the breach relates to a pilot, the report may be required to be shared with the relevant interested parties, with the report in turn being anonymised. Where required, the breach shall also be reported to the Information Commissioner’s Office.
Right of Access: You have the right to inspect the personal information maintained by us. Normally, we will provide you with access within 30 days of your request. There will be no charge for any initial request, but subsequent requests may be subject to an administration fee.
Right to rectification: You have the right to request that we amend your written personal data. For instance, you can request that we correct an incorrect date of birth in your records. We will generally amend your information within 30 days of your request and will notify you when we have amended your information. We can deny your request in certain circumstances, such as when we believe that your information is accurate and complete.
Right to erasure: You have the right to ask that we delete all personal data that Buddi has collected on you. You may make this request via email to the Data Protection Officer. We will comply with this request unless there is a lawful reason for not doing so.
Right to restrict processing: You have the right to request in writing that we do not disclose certain information about you. We do not have to agree to any restriction that you request. To request a restriction, please contact the Data Protection Officer. You have the right to request in writing that we restrict the way in which we communicate information, such as ceasing to send email, SMS messages or instant messages to notify or remind you about aspects of the Buddi product and associated service. We will make reasonable efforts to accommodate your request.
Right to data portability: You have the right to request your personal information so that you can reuse it for your own purpose or for a different service. Data shall be provided in a commonly used, machine-readable format, and sent directly in a safe and secure manner to another controller if requested, and where this is possible.
Right to object: You may withdraw consent to the processing of your personal data at any time, or object to the processing of your personal data. Where personal data is maintained in connected with a pilot or trial, you shall be informed whether all parties are able to comply with your request, or, if they are unable to, what legitimate and legal grounds are used to retain your personal data.
Under current data protection legislation there are exemptions to these individual rights where it is determined that the restriction is a necessary and proportionate measure, for example to safeguard the prevention, investigation, detection or prosecution of criminal offences.
We process data provided to us by users directly or submitted to us via their GPs on the NHS DDPP (under a signed information sharing agreement). We are processers of this data, we do not diagnose, modify treatment or manipulate this data in anyway. Users have the right to request or delete their data at any time.
In addition to requesting that their data is deleted, users have the right to request that:
1. They are informed of the way in which their data is going to be processed and shared
2. Their data is made accessible to them i.e. sent to them in a safe and secure manner
3. Their data is no longer processed (withdrawal of consent)
4. Their data is rectified
5. Their data is transferred to another IT environment in a safe and secure manner (data portability)
In order to be able to respond to a user’s request, and to ensure that the user is able to exercise their rights, Buddi Limited will have to verify the user’s identity.
If required, participants have the right to make a complaint to the Information Commissioner’s Office (ICO).
What do I do if I have a concerns or complaint?
If you believe that any of your rights with respect to your personal data have been violated by us, our employees or agents, please communicate with the Buddi Data Protection Officer via privacy@buddi.co.uk
Amending this Notice
We reserve the right to revise this notice and to make the revised notice effective for all individuals for which data is processed.
Questions relating to revisions to this Privacy Notice may be addressed to the Data Protection Officer. The Privacy Notice will be promptly revised if there is a material change to a policy described herein.
Contact details
All queries should be addressed to: The Data Protection Officer, Buddi Limited, Talbot House, 17 Church Street, Rickmansworth, Hertfordshire WD3 1DE, United Kingdom.
Email: privacy@buddi.co.uk
Effective Date: This Privacy Notice is effective as of 10th December 2019.