mySymptoms Privacy Policy and Notice

Effective date: May 26th 2020.

INTRODUCTION

The primary purpose of the mySymptoms Consumer App is to enable users to monitor their food intake and symptoms, then to share their symptoms and other data inputted into the Consumer App with their clinician if they choose to do so. The Consumer App seeks to operate on an anonymised basis, meaning it is not designed to store or process your personal data in a form that identifies anyone.

SkyGazer Labs seeks to operate on the basis that it does not process your personal data. To do this, we require that your account is registered with an anonymous username, unique to mySymptoms, that doesn't personally identify you. Furthermore, personally identifiable data must not be entered into the Consumer App. Both of these conditions are put in place to protect your privacy.

Any data you enter into the Consumer App is stored securely in your account and is only accessible to you when logged in to your account using your anonymous username and password. Optionally, you can also share or revoke access to your data with your clinicians at any time. They can only identify your account if you provide them with your anonymous username which they can then de-anonymise your personal and they can associate it with your real name on their systems.

It is always sensible though to explain how we would process personal data, so in circumstances where certain personal data may be processed this policy will apply.

Please read this Privacy Policy carefully together with our Terms and Conditions to understand our policies and practices regarding your Personal Data (as defined below) and how we will treat it.

This Privacy Policy applies to the website https://skygazerlabs.com ("Website") and the associated 'mySymptoms' consumer mobile application ("Consumer App") hosted on the Apple iTunes Store, Amazon App Store and Google Play ("App Store"), and the Clinic web application ("Clinic App"), (together, the "Platform", "Services" or "Apps") which are operated by SkyGazer Labs Ltd. (collectively, "mySymptoms", "we", "our" or "us"). This Privacy Policy also applies to SkyGazer's employees.

IMPORTANT INFORMATION AND WHO WE ARE

The data controller is SkyGazer Labs Ltd. a company registered in England and Wales under number 07287061 with its registered office at Lakin Rose, Pioneer House Vision Park, Histon, Cambridge, Cambridgeshire, United Kingdom, CB24 9NL

By using the mySymptoms Platform or Services, you consent to the data practices described in this Privacy Policy. If you do not agree with any part of this Privacy Policy, then we cannot make our Platform or Services available to you and you should stop accessing and using them.

This Privacy Policy explains how we collect and use your Personal Data and is provided in accordance with our obligations under applicable privacy and data protection law, including Regulation (EU) 2016/679 (GDPR) and the Data Protection Act 2018 ("Applicable Data Protection Law").

For the purposes of this Privacy Policy, the term "Personal Data" means any information which identifies you or which allows you to be identified when combined with other information. It does not include data where your identity has been removed ("Anonymised Data"). For the purposes of Applicable Data Protection Law, SkyGazer Labs Ltd. is a data controller and a data processor.

INFORMATION WE COLLECT AND HOW

Operation of Our Platform and Services

When you use our Platform and Services, we may collect certain Personal Data or personal information that can be used to identify you.

The information you upload to the Consumer App will not be considered Personal Data so long as you upload your information using a username which does not enable you to be identified. Your anonymised personal information is stored on our provider's servers in Ireland.

If you request your information to be shared with clinicians or other healthcare professionals, your information will be securely shared from servers in Ireland to the Clinic App. Following your request, the clinician will receive an invitation from the Consumer App. Local cookies on the Clinic App will enable your information to be de-anonymised, at which point it will be considered Personal Data. Only your clinician will be able to view your de-anonymised information. We will not be able to view your de-anonymised information. If you choose to share your information with your clinician, you need to agree with your clinician that they may process your Personal Data and they will be considered the Data Controller for the information that is then in their possession. You must be satisfied that your clinician will hold and process your Personal Data in a legal and acceptable way, we cannot control their use once you share your data.

We may also collect Personal Data automatically, or from third-party partners or services. The Personal Data we collect includes:

Basic Identifiers and Contact Information

We collect some information from you when you provide it to us directly, such as via an email or online form, through the support feature embedded in our Services, or through another form of inquiry. This information may include your name, email, and phone number as well as other information. Please note that We do not link and store your name or email address with any information you upload: Your name and email address are stored separately.

Device Information

When you download and use our Services, we automatically collect information on the type of device you use, operating system, resolution, application version, mobile device identifiers (such as your device ID, advertising ID), language, time zone and IP address.

Usage Information

We collect information automatically about your activity through our Services, such as the date and time you used a service, features you have used, your in-app purchases history, subscriptions, your interaction with advertisements, and data generated when you use our Services.

Location and Other Information

We may collect, with your consent, other information such as precise geolocation (latitude and longitude) using information including GPS, Bluetooth or Wi-Fi connections.

Information we obtain from third parties

We may receive information about you from our third party service provider (principally Google Analytics), who collect this information through our Services in accordance with their own privacy policies.

Health data and special category data

The information you provide when using our Services may include health-related information such as details of symptoms, medications, dietary information, personal notes or any other information uploaded to the Platform. Such categories of data may be considered Special Categories of Personal Data for the purposes of the Applicable Data Protection Law unless they are adequately anonymised.

As noted in our Terms of Use, it is your responsibility to upload your information in a way that does not reveal your personal identity. The username you choose to interact with our Platform and Services must not enable you to be identified.

Aggregated Anonymised Data

The anonymised information we collect from you may be combined with the information provided by other anonymous users to produce aggregated anonymised data sets for research purposes. We refer to this combined data as "Aggregated Data." Aggregated Data is not considered to be Personal Data as it does not reveal your identity.

Aggregated Data may be used for the operation of the Platform and the Services we provide to you, and to provide general statistics regarding use of our Platform and Services. We may also use such anonymised Aggregated Data and provide it to third parties for medical research purposes.

However, if you or we combine or connect Aggregated Data with any of your Personal Data that enables you to be directly or indirectly identified, we will treat such data as Personal Data to be used in accordance with this Privacy Policy.

USE OF COOKIES AND GOOGLE ANALYTICS

The mySymptoms Platform may use "cookies" and similar technologies to provide and personalise our Services. These include a cookie for the Clinic App, a cookie for the mySymptoms website and a Google token for the Consumer App. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you. Our Platform uses cookies and similar technologies to distinguish you from other users of our Platform. This helps us to provide you with a good experience when you browse our Platform and allows us to improve our Platform. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Platform may become inaccessible or not function properly. For more information about the cookies we use, please see https://skygazerlabs.com/wp/cookie-policy/

We use Google Analytics. The information generated by the Google Analytics cookie (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our websites and/or services compiling reports on activity and providing other services relating to activity and internet usage.

Google may also transfer this information to third parties where required to do so by law, or where third parties process the information on Google's behalf.

PROVIDING PERSONAL DATA TO THIRD PARTIES

You should be aware that when using our Platform and Services, you are providing your Personal Data to third party providers. The charges for using our Platform and Services are administered by the App store you use to download our Apps and Services (e.g. Apple iTunes Store, Amazon App Store and Google Play). We recommend that you refer to the privacy policy of the relevant App store to make sure you understand how your Personal Data, including your financial Personal Data, may be used when you purchase Apps and Services.

CHILDREN UNDER FOURTEEN

We do not knowingly collect personally identifiable information or Personal Data from children under the age of fourteen. If you are under the age of sixteen, you must ask your parent or guardian for permission to use our Platform or Services.

PURPOSES FOR WHICH WE WILL USE YOUR PERSONAL DATA

We may collect and use your personal information and Personal Data to operate our website and Platform, and to provide the Services you have requested.

The legal bases we rely upon to use your Personal Data may include the contract we have with you, your consent and our legitimate interests, or where we need to comply with a legal or regulatory obligation. Please contact us if you require further details concerning the specific legal ground(s) we are relying on to process your Personal Data.

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

We offer here non-exhaustive examples of the ways in which we use your Personal Data and the legal bases we may rely upon to do so:

PURPOSES FOR WHICH WE WILL SHARE YOUR PERSONAL DATA

We may share your Personal Data for certain purposes with our business parties or affiliates in accordance with Applicable Data Protection Law, as set out below.

Sharing with our service providers and partners

We may share your Personal Data with our third party business service providers who perform functions on our behalf. These may include:

Advertising

We may share or otherwise "sell" information with advertising partners who distribute advertising in our Services.

For corporate transactions

We may transfer your Personal Data if we are involved, whether in whole or in part, in a merger, sale, acquisition, divestiture, restructuring, reorganisation, dissolution, bankruptcy or other change of ownership or control.

When required by law

We may also share Personal Data if we are also under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or to protect the rights, property, or safety of our business, our customers or others.

To enforce legal rights

We may also share Personal Data: (i) If disclosure would mitigate our liability in an actual or threatened lawsuit; (ii) as necessary to protect our legal rights and legal rights of our users, business partners or other interested parties; (iii) to enforce our agreements with you; and (iv) to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing.

Cross-border data transfers

Sharing of Personal Data sometimes involves cross-border data transfers, including transfers outside of the EEA in accordance with the law. We only transfer Personal Data to entities in third countries that have provided appropriate safeguards to ensure that their level of data protection is in agreement with this privacy policy and applicable law, for example in accordance with the rules and procedures known as the EU-US Privacy Shield, or under contractual provisions which have been deemed by the European Commission to provide sufficient safeguards for Personal Data.

We will ask for your consent before transferring your Personal Data outside of the EEA. You may provide your consent by clicking the 'consent box' which will appear on the Consumer App interface when you make a request which requires any such transfer of your Personal Data outside of the EEA.

DATA SECURITY

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Your passwords are stored in the mySymptoms' database in encrypted form. We do not disclose your account details, or email addresses to anyone except when legally required to do so. However, it is your responsibility to keep your password secure.

You must ensure that the username you create to upload your data to the Consumer App does not enable your data to be personally identified. If you request your information to be shared with clinicians or other healthcare professionals, your information will be securely shared from servers in Ireland to the Clinic App. Local cookies on the Clinic App will enable your information to be de-anonymised.

Information between your browser/App and the Platform is transferred in encrypted form using Secure Socket Layer (SSL). When transmitting sensitive information, you should always make sure that your browser can validate the Platform's certificate.

We limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

DATA RETENTION

We will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We will keep your Personal Data for at least six years from the date of the last interaction for insurance and liability purposes. Should you opt out of using our Services you will be able to re-join and access your Personal Data within six years.

The retention of your Personal Data will be reviewed regularly and at least every six years for relevance. Any Personal Data deemed no-longer relevant is deleted.

Where we have taken steps to anonymise your personal data (so that it can no longer be associated with you) we may use this indefinitely for analytical, research and statistical purposes and to help us to improve our products and services.

YOUR RIGHTS

Your right to withdraw consent at any time

Whenever we rely on your consent to process your Personal Data, you have the right to withdraw your consent at any time. If you wish to withdraw your consent, please contact SkyGazer using the contact details provided at the end of this privacy policy. This will not affect the lawfulness of any processing carried out before you withdraw, nor ongoing contractual or other obligations requiring us to process data for example due to a court ordered law enforcement request.

Your right to access the Personal Data we hold about you

You have the right to make a request to access your Personal Data collected through our Platform and Services (known as a "Data Subject Access Request" or "SAR").

We aim to respond electronically to all SARs within one month. In circumstances where it may take us longer than one month to respond (for example if your request is particularly complex or if you have made a series of requests), we will notify you. We do not charge a fee for responding to a SAR. However, we may charge a reasonable fee if your SAR is manifestly unfounded or excessive.

Other rights

Right of rectification

You have the right to ask us to rectify Personal Data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Right to erasure

You have the right to ask us to erase your Personal Data in certain circumstances.

Right to restriction of processing

You have the right to ask us to restrict the processing of your Personal Data in certain circumstances.

Right to object to processing

You have the right to object to the processing of your Personal Data in certain circumstances.

Right to data portability

You have the right to ask that we transfer your Personal Data to another organisation, or to you, in certain circumstances

OPT-OUT & UNSUBSCRIBE

We respect your privacy and give you an opportunity to opt-out of receiving announcements of certain information. Users may opt-out of receiving any or all communications from us by contacting us or selecting the "Unsubscribe" option on their email.

CHANGES TO THIS PRIVACY POLICY

We may occasionally update this Privacy Policy to reflect company and customer feedback and any changes in data protection regulations. We encourage you to periodically review this Privacy Policy to be informed of how we are protecting your information.

CONTACT INFORMATION

SkyGazer Labs Ltd welcomes your questions or comments regarding this Privacy Policy. If you believe that we have not adhered to this Privacy Policy, please contact us at privacy@skygazerlabs.com

SkyGazer Labs Ltd
Lakin Rose
Pioneer House
Vision Park
Histon
Cambridge
CB24 9NL
United Kingdom

Questions, comments and requests regarding this privacy policy are welcome and should be addressed to privacy@skygazerlabs.com

We ask that you try to resolve any issues with us first, although you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information.

The ICO is the UK regulator for data protection and upholds information rights.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Fax: 01625 524510