Last amended on 31 May 2017
Buddi Limited of Talbot House, 17 Church St, Rickmansworth WD3 1DE, England (“we”) will keep your data safe, never sell your personal data and give you the decision about how your information is shared. We are registered with the UK Information Commissioner’s Office as a Data Controller (Reg No. Z9274127), and have in place a comprehensive company data protection policy and code of practice. We will process your data in accordance with the Data Protection Act. We can be contacted at firstname.lastname@example.org.
What is the purpose of this policy?
The Nujjer programme provides you with access to the mobile services including the nujjer mobile application (the “App”) and the nujjer wristband (the “Wristband”), collectively the “System”.
How do we use your information?
We analyse information gathered from your nujjer band (your activity, sleep data and eating frequency) and information gathered from your nujjer app (events such as craves, lapses and achievements) in order to provide you with personalised feedback based on this data.
We analyse information to see what is most effective about our solution to help us identify ways to improve it and to make it more effective. We may also collect information for other purposes, which we would describe to you at the point when we collect the information. This applies to all personal data collected, which might include some of the following uses:
· Creating and maintaining customer account
· Offering goods and providing services in a personalised way
· Handling and fulfilling orders
· Obtaining payment
· Resolving any returns / refunds
· Developing and improving products and services
· Sending personalised marketing
· Enabling suppliers or service providers to carry out certain functions
· To comply with applicable law.
What information do we collect when you use nujjer?
We may collect and process information provided by filling in forms on the Website or App, including information provided during completion of surveys and other online tools, entering a competition or promotion and when you report a problem with our System. If you contact us, we may also keep a record of that correspondence.
Through the use of the System, we may collect and process information such as: personal information (name, age, address, email, telephone number, height, weight, BMI, daily level of activity, sleep data, eating frequency); other health profile information and details of your visits to our System including, but not limited to, traffic data, location data, weblogs, other communication data and the resources that you access. The information described in this Policy is known as “personal data”.
We are required by law to maintain the privacy of your personal data and to provide you with this notice of our legal duties and privacy practices with respect to your personal data. When we use or disclose your personal data, we are required to abide by the terms of this Policy (or other Policy in effect at the time of the use or disclosure).
We collect information from your Nujjer Wristband and App so that we can provide you with information and feedback to help you achieve your goals. All sensitive personal data will only be processed fairly and lawfully if it meets certain conditions. When you set up your device we ask for information such as your weight to personalise your profile. When you use the Nujjer Service, we collect data from your wristband: your activity, sleep and eating frequency. We also collect data from the app such as events you have selected: craves, lapses and achievements. This allows us to show you progress towards your goals, provide feedback and motivation to achieve these. When you connect your nujjer wristband to your nujjer app we collect data like battery level and status to ensure that it is working correctly. When you purchase your Nujjer Service, we will ask for your consent to process the above data.
When you visit our website, we collect your IP address. This is commonplace across all internet services, both to enable the investigation of issues such as malicious use and to make sure that you’re getting the content that’s relevant to you and your location. For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your device. Cookies help us to give you a smooth user experience, improve the System and deliver a better and more personalized service. They enable us:
· To recognize you when you return to our site.
· To maintain data you have entered e.g. during completion of a survey.
· To speed up your searches.
· To estimate our audience size and usage pattern.
· To store information about your preferences, and so allow us to customise our site according to your individual interests.
Both Buddi and third-party vendors, including Google, may use first-party cookies (such as the Google Analytics cookie) to inform, optimize, and serve ads based on your past visits to the Website or App on sites across the Internet (also known as 'remarketing'). If you would like to opt out of this you can do so via your Google Ads Preferences Manager.
Some features require us to collect location data like GPS signals and Wi-Fi access points but we will only collect that data when you are using specific features.
If you contact the team at Buddi for help about your nujjer product, we will collect your name, email, telephone number and the details of your request to make sure we can provide a solution for your issue.
How long do we hold this information?
As per the ICO's 'Principle 5', we retain personal data no longer than is necessary for the purpose we obtained it for. With that in mind, Buddi will retain any information held on an individual for a maximum of 10 years after that individual has ceased use of the System. At that point, the information will be destroyed according to the then current data destruction policy.
Will we disclose your information to, or share it with, other organisations?
We will not share personally identifiable information (information that contains a personal identifier like your name, address or email address). At times we might make your anonymised data available to other systems used by healthcare professionals, such as the systems used by your GP.
You can explicitly direct us to share your data with other parties, such as the clinical trial team in a clinical trial or your employer as part of a corporate wellness programme.
Buddi is dedicated to maintaining the privacy and integrity of your personal data. As such, we have policies and procedures and other safeguards to help protect your personal data from improper use and disclosure.
We follow a Minimum Necessary Access Policy so any required disclosure of your identifiable health information is minimised. The following categories describe different ways that we use your personal data within Buddi and disclose your personal data to persons and entities outside of Buddi. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.
How much personal data is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure.
Disclosure at your request: We may disclose information relating to your use of the System when requested by you. This disclosure at your request may require written authorisation by you.
Payment: We fully comply with all applicable UK Data Protection legislation, and protect the security of your information with Secure Sockets Layer (SSL) encryption. We do not share customer details with any third parties other than those details required by third parties for the purposes of taking payments.
Operations: We may use and disclose your personal data for our internal operations, which include administration, planning and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve quality of the service, satisfaction surveys, de-identifying health information, customer services and internal training.
Reminders and notifications: We may use and disclose your personal data to contact you as a reminder to interact with, or complete tasks relating to your use of the System.
Business associates: There are some services provided in our organization through contracts with business associates. Examples of business associates include accounting services, server hosting and email delivery. We may disclose your personal data to our business associates so that they can perform the job we have asked them to do. To protect your personal data, we require our business associates to sign a contract or written agreement stating that they will appropriately safeguard your personal data.
Threat to health or safety: We may use and disclose your personal data when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
As required by law: Certain laws permit or require certain uses and disclosures of personal data, for example for public health activities, health oversight activities and law enforcement. In these instances, Buddi will only use or disclose your personal data to the extent the law requires.
For research and publicity purposes: We may use personal data for internal and external research and publicity purposes. This may include publishing aggregate anonymised information about our users in the context of providing public health information and conducting academic research.
Transfer of business assets: In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If Buddi or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets.
Where your personal data is stored
All information and data you provide to us is stored on secure servers with trusted 3rd party suppliers, Amazon Web Services (‘AWS’) within the European Economic Area ('EEA'). AWS complies with the EU Data Protection Directive (‘Directive 95/46/EC’), which sets out a number of data protection requirements that apply when personal data is being processed.
All passwords are stored in encrypted form and all sensitive traffic is transmitted securely via SSL by default. However, it may be possible that your data is transferred to, and stored at, a destination outside the EEA by or to staff who work for one of our suppliers. Such staff may be engaged in, among other things, the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing.
Unfortunately, despite these measures, the transmission of information via the internet is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the System, and any transmission is at your own risk. Once we have received your information, we will use strict procedures to try to prevent unauthorized access in accordance with our Company data protection policy and code of practice, and responsibilities as a registered Data Controller in the UK.
What are my rights regarding my personal data?
You have certain rights with respect to your personal data. If we do not agree to a request by you with respect to your personal data, please consult the Buddi Privacy and Security Officer whose contact information is below.
Restrictions: You have the right to request in writing that we do not disclose certain information about you. We do not have to agree to any restriction that you request. To request a restriction, please contact the Privacy and Security Officer whose contact information is below.
Confidential Communications: You have the right to request in writing that we restrict the way in which we communicate information regarding your health and health care services, such as ceasing to send email, SMS messages or instant messages through the App to notify or remind you about aspects of the System or your progress through the nujjer programme. We will make reasonable efforts to accommodate your request.
Access: You have the right to inspect and copy your Information maintained by us. Normally, we will provide you with access within 21 days of your request. We may charge a reasonable fee for doing this.
Deletion: You have the right to ask that we delete all personal data that the System has collected on you. You may make this request via email to the Buddi Privacy and Security Officer at email@example.com. We will comply with this request unless there is a lawful reason for not doing so. You may withdraw consent to the processing of your personal data at any time, or object to the processing of your personal data.
Amendment: You have the right to request that we amend your written personal data. For instance, you can request that we correct an incorrect date of birth in your records. We will generally amend your information within 60 days of your request, and will notify you when we have amended your information. We can deny your request in certain circumstances, such as when we believe that your information is accurate and complete.
Accounting: You have the right to request an accounting from us of certain disclosures made by us. We will generally provide you with your accounting within 60 days of your request. In addition, we will notify you as required by law if there has been a breach of the security of your personal data.
The System and Nujjer Service are not intended for anyone under the age of 18.
Any linked websites or applications may be subject to their own privacy policies.
What do I do if I have a concern or complaint?
If you believe that any of your rights with respect to your personal data have been violated by us, our employees or agents, please communicate with the Buddi Privacy and Security Officer at: firstname.lastname@example.org.
Amending this Policy
We reserve the right to revise this Policy and to make the revised Policy effective for all Nujjer Accounts that we created or received prior to the effective date of the revised Policy.
Questions relating to revisions to this Policy may be addressed to the Privacy and Security Officer whose contact information is above. This Policy will be promptly revised if there is a material change to a policy described herein.
Effective Date: This Policy is effective as of 31 May 2017.