2. Data Protection Framework
3. What is the Purpose of this Service?
The purpose of this Service for users to learn about self help tools that can promote overall emotional well-being.
4. Age restrictions
The Services are not directed to children under 18. You should not use the Iona Mind App if you are under the age of 18. We do not knowingly collect personal data from anyone under the age of 18. If we learn that we have collected any personal data from someone under the age of 18 then we will promptly take steps to delete this personal data and remove the associated account.
5. Where do we collect personal data about you from?
The following are the different sources We may collect personal data about you:
- Directly from you. This is information you have voluntarily provided whilst entering your personal details on the App.
We do not collect personal data:
- From an agent/third party acting on your behalf.
- Through publicly available sources such as Facebook, Twitter or LinkedIn.
6. What Information Do We Collect and Why?
We will only ever collect the information We need to enable us to undertake the specific information processing activities noted later in this section. We collect and process two distinct kinds of information:
- non-personal information such as the pages and exercises you have accessed, helping Us to determine how many people use Our Service, how many people visit on a regular basis, and how popular each of Our pages and exercises are. This information doesn't tell Us anything about who you are or where you live. It simply allows Us to monitor and improve Our service.
- personal information such as your IP address, email address, username, password, approximate location and any optional information you may choose to provide to Us as part of your experience within the Service (e.g. text). When you first open the App, you will be invited to register.
Should you decide to register we collect the following information:
- Email address – we use this to send you an invitation to the App, a welcome email, and any service related communications such as resetting your password or verifying your email address. We may also use this address to send you information on how to make the most out of the app.
- A password – we store this in a secure one-way encrypted system. If you forget your password, you may request that it be reset, and we will send an email to you with instructions on how to do so.
As you use the app We will keep track of what sections you have visited, so that We can highlight sections or content to you that you may have missed. We also use this data in an aggregated form to understand how popular the app and its different sections are so that We can improve the service. This data is never shared with anyone outside of the organisation and is only used for Our internal purposes and acadmic research. We record the last IP address you accessed the service from so that We can protect the service from malicious access. As part of this We may look up the approximate location of the IP address such as country and city.
Your decision to disclose your personal information to Us is entirely voluntary. If you do not provide the personal data necessary, or withdraw your consent for the processing of your personal data, you may not be able to access or use the app.
We will only retain your personal information for as long as you are a registered user of the Channel. We comply with all legislative and regulatory information retention requirements and will securely and permanently delete your personal information when there is (a) no justification for its further retention, or (b) you have asked Us to delete it. We will not use your personal information for any other purposes. We will not share your personal information with any other organisation, other than the declared Data Processors recorded in Section 11.
If you choose to purchase the premium version of the app then we will collect financial and billing information (including billing name, address and credit card number), as applicable.
7. What legal basis do we have for using your personal data?
The legal basis we have for processing your data is based around the consent you have voluntarily provided us.
8. Sensitive Personal Data
GDPR Article 9 specifies a set of special categories which are considered to be “sensitive personal data” (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership) and which require special consideration by Data Controllers. When this Service knowingly collects or processes any sensitive personal information it complies with the relevant regulations.
9. User Data Rights
As prescribed within the EU General Data Protection Regulation, you have several rights connected to the provision of your personal information to Us from using the Service.
3. The right to rectification: You are entitled to have your information corrected if it’s inaccurate or incomplete.
4. The right to erasure: This is also known as ‘the right to be forgotten’ and, in simple terms, enables you to request the deletion or removal of your information where there’s no compelling reason for Us to keep using it. This is not a general right to erasure; there are exceptions.
5. The right to restrict processing: You have rights to ‘block’ or suppress further use of your personal information. When processing is restricted We can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future.
6. The right to object to processing: You have the right to object to certain types of processing.
7. The right to lodge a complaint: You have the right to lodge a complaint about the way We handle or process your personal data with your national data protection regulator.
8. The right to withdraw consent: If you have given your consent to anything We do with your personal data, you have the right to withdraw your consent at any time (although if you do so, it does not mean that anything We have done with your personal data with your consent up to that point is unlawful). This includes your right to withdraw your consent to Us using your personal data for marketing purposes.
We usually act on requests and provide information free of charge, but may charge a reasonable fee to cover Our administrative costs of providing the information for:
- baseless or excessive/repeated requests, or
- further copies of the same information.
Alternatively, We may be entitled to refuse to act on the request. Please consider your request responsibly before submitting it. We’ll respond as soon as We can. Generally, this will be within one month from when We receive your validated request but, if the request is going to take longer to deal with, We will come back to you and let you know. To contact Us please see Section 16 below. If We do not address your request or fail to provide you with a valid reason why We are unable to do so, you have the right to contact the Information Commissioner’s Office to make a complaint. They can be contacted via their website (www.ico.org.uk) or by telephone 0303 123 1113.
10. Personal Data Breach Reporting
You have the right to be promptly informed by Us of any personal data loss, theft or compromise arising directly or indirectly from the Service, and any supporting systems or declared Data Processors (see Section 11) involved with delivering, supporting, maintaining, monitoring or improving the Service. Similarly, We are required to notify the Information Commissioner’s Office promptly, as the supervisory authority for the United Kingdom. As a user of the Service, you have a responsibility to safeguard and manage your Service login credentials securely. This requires you to ensure that they are changed frequently, of sufficient strength and complexity, different from any other passwords you may use, and not recorded in a format which could be accessed or guessed by others. If you suspect that your credentials have been compromised, you should notify Us immediately (see Section 16 below). We will not be liable for any personal information loss, theft or compromise where this can be attributed to your failure to secure your Service login credentials.
11. Declaration of Personal Data Sub-Processors
To make an informed decision on whether to provide your personal data to Us when using this Service, we need to make you aware of the organisations that act as Data Sub-Processors for Us, helping in the provision of the Service and its functionality. These partners are as follows:
• MailChimp: Used to send Administration of Service emails such as Email Verification, Password reset and Welcome email; and other potential marketing messages where you have given your explicit consent for Us to do so. Based in the United States. MailChimp complies with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
• Google Firebase: Used to authenticate users and manage user accounts (e.g. send password reset emails etc.) . If the user does not create an account, then Firebase is used to assign a unique anonymous identifier to that user. Google, including Google Inc. and its wholly-owned US subsidiaries, comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
• Google Analytics: Used to provide analytics to understand how the Service is used and help provide actionable insights for improvements. Google, including Google Inc. and its wholly-owned US subsidiaries, comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
• Google G Suite: Used as email system, so any emails you send to support will be handled by G Suite. Google, including Google Inc. and its wholly-owned US subsidiaries, comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
• Crashlytics (Part of Google): Used to provide actionable insights and analytics on crash reporting. Part of Fabric, acquired by Google’s Developer Products Group. Crashlytics complies with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
• IBM and AWS: Hosting services. IBM and AWS comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
• RevenueCat: Payment processing services. RevenueCat complies with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States. We do not share any unencrypted identifiable information such as e-mail addresses with RevenueCat. RevenueCat assist with processing notifications of payments made through Apple and Google payment services
• Facebook Pixel: Used to provide analytics to understand how the Service is used and help provide actionable insights for improvements. Facebook, including Facebook Inc. and its wholly-owned US subsidiaries, comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
12. International Transfers of Personal Data
As We have described above, to be able to provide you with the Services We may transfer your personal data to partners in countries outside the EEA (such as the United States). These countries’ privacy laws may be different from those in your home country. Should We transfer data to a country which has not been deemed to provide adequate data protection standards We always have security measures and approved model clauses in place to protect your personal data.
Cookies are small text files sent by websites to your web browser and sent back to them each time you access or use the site, and may be necessary for the site to function. They are unique to you or your web browser and may contain personally identifiable information as well as technical information (e.g. your device manufacturer and model, screen resolution, internet service provider, browser, and geo-location data). Session-based cookies last only while your browser is open and are automatically deleted when you close the browser. Persistent cookies last until you or your browser delete them, or until they expire. Third- party websites which we, or other users, may link to might however include cookies. These are outside of our control and we cannot guarantee their behaviour. These sites may use both session-based and persistent cookies, dependent upon the functionality in those sites. Further information about cookies can be found at Interactive Advertising Bureau or Out-Law's.
14. External Links
The Service includes relevant hyperlinks to external websites which are not directly controlled by Us. Whilst all reasonable care has been exercised in selecting and providing such links, you are advised to exercise caution before clicking any external links. We cannot guarantee the ongoing suitability of external links, nor do we continually verify the safety or security of the contents which may be provided to you. You are advised, therefore, that your use of external links is at your own risk and We cannot be responsible for any damages or consequences caused by your use of them.
16. Contacting the Data Controller
Iona Mind Ltd, 35 Lodge Avenue, Romford, England, RM2 5AB