Privacy Policy for Corporate’s Pilot

1. Background: About BetterSpace pilot

BetterSpace is a matching platform for mental health. BetterSpace is an initiative of WellbeingX Limited (Company number 11053000) (BetterSpace, we, us or our) provides access to mental health services and related resources via our website and/or mobile web application www.betterspace.uk (Platform). The BetterSpace Platform allows users to: Understand their wellbeing and performance levels using the wellbeing assessment tool; Learn about, find and book products, services and resources to maintain and improve their performance.

In collaboration with Corporate we are piloting the BetterSpace Platform Corporate. The BetterSpace pilot is testing a new way of building a mentally healthy workforce, an objective that is important to Corporate. Starting on 24th April 2019, each participant will have access to a wellbeing concierge for a 3 month period, with a personal budget to spend on different wellbeing solutions. The aims of the pilot are to see if this would deliver meaningful benefits to users, to Corporate as an employer, and to help BetterSpace develop its wellbeing Platform.

This Privacy Policy explaisns the data we collect from you through the BetterSpace Platform, and how we process, use, store it and keep it safe for the period of the pilot and beyond. BetterSpace considers that your trust, our transparency and your control of personal data are core values for the company and we place the highest priority on keeping your data safe and secure within our Platform.

2. Purpose of this Privacy Policy

This privacy policy aims to give you information about how BetterSpace collects and processes your personal data. It is important that you read this policy together with any other notices we may provide on specific occasions when we are collecting or processing your personal data, so that you are fully aware of how and why we are using your personal data. This notice can be accessed on our website alongside our cookie policy, which is at section 12 of this notice.

3. The Data Controller for your personal data

For the purposes of the Data Protection Act 2018 (‘DPA 2018’) and the EU General Data Protection Regulation (‘Regulation’), BetterSpace is the ‘data controller’. A controller is a person or organisation who alone or jointly determines the purposes for which, and the manner in which, any personal data is, or is likely to be, processed.

We have adopted this policy to ensure that we have standards in place to protect the data that we collect about you that is necessary and incidental to: providing the products and services that we offer; and the normal day-to-day operations of our business. By publishing this policy, we aim to make it easy for our users (employees and their employer) to understand what data we collect and store, why we do so, how we receive and/or obtain that information, and the rights you have with respect to your personal data in our possession.

4. Who and what this policy applies to

We handle personal data in our own right and also for and on behalf of our customers and users. Our policy does not apply to information we collect about companies or organisations (such as measures of wellbeing return on investment), however it does apply to information about the people in those companies or organisations who are our customers. The policy applies to all forms of information, physical and digital, whether collected or stored electronically or in hardcopy. BetterSpace is not intended for use by or available to children (people under the age of 18 years).

5. The information we collect and purposes for collecting it

BetterSpace collects personal data with the consent of users and in the course of business to allow us to provide the BetterSpace Platform to you. This information allows us to identify you for the purposes of our business, contact you in the ordinary course of business and provide products and services to you. The information we may collect is: Personal Information. We collect personal details such as your name, date of birth, gender and other information that allows us to identify who you are, and to inform the recommendation algorithm to provide appropriate resources.

Contact Information. We collect information such as your email address, home and work postcode, and other information that allows us to contact you within the BetterSpace Platform or agreed channels such as e-mail, and to inform the recommendation algorithm to provide appropriate resources.

Wellbeing data. We collect data from an initial wellbeing assessment questionnaire, which covers areas such as sleep, exercise, social connections, the resources you like doing and your wellbeing goals (wellbeing assessments). We collect further wellbeing data as you use the Platform and self-assess your wellbeing in areas such as sleep, exercise and social connections (wellbeing scores). Wellbeing data are used to inform you about your own wellbeing levels (in comparison to your own, individual scores) and to inform the recommendation algorithm to provide the most appropriate resources. Wellbeing data are aggregated and used anonymously, in aggregate only, to provide your employer with an overall understanding of the wellbeing levels of its staff. Individual identifiable or individual anonymised results are never shared with the employer. Through the app, users have a facility to record feelings, thoughts and behaviour for their own individual private use. This data is recorded in the Platform and therefore it is accessible by BetterSpace, but not used by BetterSpace or shared with anyone.

Transactional data. We collect transactional data including the wellbeing services you have subscribed to and used, the amount you have spent through the app, and past transactions. These data are used to pay wellbeing service suppliers, to inform wellbeing suppliers about use of their services and to inform the user about their transaction history. Platform information. We collect information about the time, duration and type of use of the Platform. This data is used to monitor the correct functioning of the Platform and to improve the user experience. Statistical information. We collect information about your online and offline preferences, which third-party wellbeing services available through the app that you use, trends, decisions, purchases and other information for statistical purposes. You will be asked to share your experience of the pilot through a final questionnaire. This information will be used to improve the BetterSpace Platform. Because the budget for use of wellbeing services is provided by our customer (your employer), we do not collect financial information from you such as payment card details.

Information you or third-parties send to us. We may collect any personal correspondence that you send us, or that is sent to us by others about your resources, including resources with our third-party suppliers. Anonymised personal data. Personal data from Corporate participants will be deleted following the pilot by 25th October 2019. Anonymised personal data will be retained by BetterSpace. When anonymising data, we will irrevocably delete names, e-mail addresses, home and work postcodes, telephone numbers, any other contact details, correspondence between Corporate participants and BetterSpace and any other information which could identify individuals or could be reasonably expected to identify individuals through linking in the future. Anonymous data will be used to improve the performance of the recommendation algorithm and to improve our products and services. This anonymous data will be subject to the same information security standards as personal data and will be kept secure. BetterSpace follows the Information Commissioner’s Office code on anonymisation, which is currently available at: https://ico.org.uk/media/1061/anonymisation-code.pdf (as available at 23rd April 2019). Anonymous non-personal data. We may collect anonymous non-personal data about you such as information regarding your computer, network and browser (including an IP address). Aggregated anonymous data. All of the data types above may be aggregated and shared on an anonymous basis with our business partners and/or customers. Anonymous data will only be shared when aggregated; Individual anonymous data will never be shared.

Data collection by third parties. BetterSpace makes wellbeing products, services and resources available through the BetterSpace Platform (‘wellbeing services’). These wellbeing services may separately collect personal data and they are the data controller for such data collection. BetterSpace is not responsible for, and has not conducted due diligence on, the data protection and information security policies of wellbeing service providers. Users of the BetterSpace Platform should satisfy themselves that they understand and agree to the privacy policies of these wellbeing service providers before using their services.

6. How the information is collected

Most information will be collected in association with a user’s use of BetterSpace through the Platform, an enquiry about BetterSpace or generally dealing with us. During the pilot some data will be collected manually rather than electronically. We may also receive personal data from other sources such as public records, mailing lists, contractors, BetterSpace staff, recruitment agencies and our business partners. In particular, information is likely to be collected as follows: Registrations/Subscriptions/Purchases. When an individual registers, subscribes and or purchases a product, service or other process whereby they enter data details or grant access to information in order to receive or access something, including services; Partners. When an individual grants us access to their accounts or allows information to be shared by our business partners. Supply/Contact. When an individual supplies us with goods or services or contacts us in any way. Shareholder Information. We collect information from each of our shareholders, such as the name, date of birth and address. As there are many circumstances in which we collect information both electronically and physically, we will endeavour to ensure that an individual is always aware of their data being collected, in particular by third parties whose services are available through the Platform. We may also collect anonymous non-personal data, which may be used and shared on an aggregated and anonymous basis.

7. How data collected by BetterSpace is stored

The data that we collect from you will be stored in the European Economic Area (EEA), with one exception which is noted below. Data may also be processed on our behalf by third parties. Third parties may be engaged in, among other things, the fulfilment of your order, the processing of your payment details and the provision of support services. BetterSpace ensures that this data is stored in the EEA. If there are exceptions, these will be clearly noted in this privacy policy. BetterSpace uses a number of cloud services to process and store data within and outside the Platform. BetterSpace uses Amazon Web Services with servers located in the EEA to process wellbeing data. BetterSpace uses Calendly, whose servers are located in the EEA and the US, to diarise meetings with participants; these calendar invitations will only contains names and e-mail addresses of participants and the locations of meetings. BetterSpace uses GSuite Business for e-mail communications, with a data policy of Europe. BetterSpace uses SeedLegals for shareholder documentation which may be stored outside the EEA. We will retain data for the period necessary to fulfil the purposes outlined in this policy. For Corporate participants (users), we will store personal data until 25th October 2019, at which point it will be deleted. All other personal data from people who are not Corporate participants, such as BetterSpace shareholders or employees, will be held for a period of six years from the date of last use, unless a longer retention period is required by law.

As explained in section 5, BetterSpace anonymises personal data for future use, following the Information Commissioner’s Office code on anonymisation. We will retain anonymous data, with all personal identifiers removed, indefinitely. When anonymising data, we will irrevocably delete names, e-mail addresses, home and work postcodes, telephone numbers, any other contact details, correspondence with BetterSpace and any other information which could identify individuals. Anonymous data will be used to improve the performance of the recommendation algorithm and to improve our products and services. This anonymous data will be subject to the same information security standards as personal data and will be kept secure. By consenting to our Privacy Policy, you agree to this transfer, storing or processing.

8. Use of your personal data

We will only use any personal data for the purpose for which it was collected, except with your explicit permission. The purpose of collection is determined by the circumstances in which the information was collected and/or submitted, as described in section 5. Information is used to enable us to operate BetterSpace and to provide our services to you, especially as it relates to you. This may include: the provision of BetterSpace and related services to you communicating with you about: your relationship with us; our services; our marketing and promotions to customers and prospects; and/or competitions, surveys and questionnaires; investigating any complaints made by you; as required or permitted by any law. If you publicly post on social media channels or the internet about BetterSpace, or communicate directly with us on a social media website, we may collect and process the data contained in such posts or in your public profile for the purpose of addressing any customers services requests you may have and to monitor and influence public opinion of BetterSpace.

9. Data sharing and/or disclosure

We will not disclose or sell your data to unrelated third parties under any circumstances, now or in future. The exception to this is when we may contract with other companies to perform tasks on our behalf and we need to share data with them in order to provide products and services to you. If that happens, we will take reasonable steps to ensure that the entity has agreed in writing with us to safeguard data with the highest standards as we do, and we will carry out reasonable due diligence to ensure they have an implemented and enforceable privacy policy similar to this policy. It may be necessary for us to disclose personal data relating to shareholders, suppliers and business parties to third parties in a manner compliant with applicable data protection laws in the course of our business, such as for processing resources like verification, website hosting, data analytics and payment processing. There are some circumstances in which we must disclose your information: for example, as required to by applicable laws; in order to sell our business (as we may transfer data to a new owner). We will not disclose your data to any entity outside of the United Kingdom that is in a jurisdiction that does not have a similar regime to the DPA 2018 or the Regulation or an implemented and enforceable privacy policy similar to this policy. We will take reasonable steps to ensure that any disclosure to an entity outside of the United Kingdom will not be made until that entity has agreed in writing with us to safeguard data as we do. If BetterSpace becomes involved in a merger, asset sale, financing, liquidation or bankruptcy, or acquisition of all or some portion of the business to another company, we may share information with that company before and after the transaction closes.

10. Third party services, wellbeing services and third-party websites

We may link your account with a third party to our services to enable certain functionality, which allows us to obtain information from those accounts. For example, we may link your account with a secure instant messaging provider to allow you to communicate securely with us. Section 7 above explains our policy with respect to the use of cloud service providers to process personal data. When entering into such contracts with third parties, we take all reasonable precautions to ensure that they have an implemented and enforceable privacy policy similar to this policy. and we will safeguard your data with data processing agreements to ensure that our policy is upheld. When using wellbeing services available through the BetterSpace Platform, you must read the privacy policies of third-party providers, so that you can understand the manner in which they will handle your personal information. The information we may obtain from those services often depends on their privacy policies or account settings. These service providers may be located or have facilities that are located a different jurisdiction (including outside the EEA), in which case your information may become subject to the laws of the jurisdiction(s) in which that service provider or its facilities are located.

11. Marketing information

We may collect your name and address from publicly available sources such as Companies House and use this personal data to send you information about our services via e-mail or post, if you specifically consent to receiving marketing information from us. You can withdraw your consent to receive marketing information from us at any time by following the instructions on the relevant correspondence or by contacting us using the contact details set out below.

12. Cookie policy

BetterSpace uses cookies only for the operation of the Platform, allowing you to log into the Platform and to enable the Platform to distinguish you from other users. We do not use cookies for analytics, tracking your use of the platform or any other type of use. Your consent will be obtained prior to our use of cookies on our Platform using a tick box on the Platform landing page. You are able to revoke that consent following the procedure below. A cookie is a small file of letters and numbers that we store on your browser or the hard drive of your device if you agree. Cookies contain information that is transferred to your device’s hard drive. You block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. Alternatively you can visit https://www.attacat.co.uk/resources/cookies/how-to-ban on how to manage cookies. However, if you use your browser settings to block BetterSpace cookies, you will not be able to access the Platform.

13. Consent to the collection of data

You may opt to not have us collect your data and communicate with you at certain times. This may prevent us from offering you some or all of our services and may terminate your access to BetterSpace, or other services you access with or through us. Opt In. Where relevant, you will have the right to choose to have your information collected and/or receive information from us; for example, direct marketing. Opt Out. Where relevant, you will have the right to choose to be excluded from some, or all, information collection, and/or the receiving of that information from us. You may revoke your consent at any time, and the decision to opt out should be made through the BetterSpace Platform or communicated to BetterSpace using the contact details below. If you believe that you have received information from us that you did not opt in to receive, please contact us on the details provided at the bottom of this page.

14. The safety and security of data

We will take all reasonable precautions to protect your data from unauthorised access. This includes appropriately securing our physical facilities and electronic networks. Examples of such precautions include: Extensive penetration testing of our systems and firewalls by an independent security auditor, data encryption, firewalls, intrusion detection systems, physical protection of premises where data is stored, background checks for all employees accessing our physical facilities. The security of online transactions and the security of communications sent by electronic means or by post cannot be guaranteed. We do not accept responsibility for misuse or loss of, or unauthorised access to, data, where the security of information is not within our control. Privacy or security practices of any third party (including third parties that we are permitted to disclose your data to in accordance with this policy or any applicable laws) may be subject to separate privacy and security policies to that of BetterSpace. If you suspect any misuse or loss of, or unauthorised access to, your data, you should let us know immediately. We are not liable for any loss, damage or claim arising out of another person’s use of the data where we were authorised to provide that person with the data.

15. Your data protection rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. It is BetterSpace policy to respect your rights. BetterSpace will act promptly and in accordance with any applicable law, rule or regulation relating to the processing of your personal data. Details of your rights are set out below: Right to be informed about how personal data is used – you have a right to be informed about how we will use and share your personal data. This explanation will be provided to you in a concise, transparent, intelligible and easily accessible format and will be written in clear and plain language; Right to access personal data – you have a right to obtain confirmation of whether we are processing your personal data, access to your personal data and information regarding how your personal data is being used by us; Right to have inaccurate personal data rectified – you have a right to have any inaccurate or incomplete personal data rectified. If we have disclosed the relevant personal data to any third parties, we will take reasonable steps to inform those third parties of the rectification where possible; Right to have personal data erased in certain circumstances – you have a right to request that certain personal data held by us is erased. This is also known as the right to be forgotten. This is not a blanket right to require all personal data to be deleted. We will consider each request carefully in accordance with the requirements of any laws relating to the processing of your personal data; Right to restrict processing of personal data in certain circumstances – you have a right to block the processing of your personal data in certain circumstances. This right arises if you are disputing the accuracy of personal data, if you have raised an objection to processing, if processing of personal data is unlawful and you oppose erasure and request restriction instead or if the personal data is no longer required by us; Right to data portability – in certain circumstances you can request to receive a copy of your personal data in a commonly used electronic format. This right only applies to personal data that you have provided to us (for example by completing a form or providing information through the Platform). Information about you which has been gathered by monitoring your behaviour or preferences will also be subject to the right to data portability. The right to data portability only applies if the processing is based on your consent or if the personal data must be processed for the performance of a contract and the processing is carried out by automated means (i.e. electronically); Right to object to processing of personal data in certain circumstances, including where personal data is used for marketing purposes – you have a right to object to processing being carried out by us if (a) we are processing personal data based on legitimate interests or for the performance of a task in the public interest (including profiling) (b) if we are using personal data for direct marketing purposes, or (c) if information is being processed for scientific or historical research or statistical purposes. Right not to be subject to automated decisions where the decision produces a legal effect or a similarly significant effect – you have a right not to be subject to a decision which is based on automated processing where the decision will produce a legal effect or a similarly significant effect on you. At present, BetterSpace does not carry out this type of processing.

You may exercise any of your rights at any using the contact details set out below. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. We will try respond to all legitimate requests within one calendar month. Occasionally it may take us longer than one calendar month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. You will be able to adjust your contact preferences at any time in the ‘profile’ page by clicking on your name in the BetterSpace platform. You can choose how you would like to receive marketing and other non-business critical communications. Any changes made to these contact preferences can take up to 72 hours to come into effect.

16. How to make a complaint

If you have a complaint about our handling of your personal data, you should address this complaint in writing (by e-mail or post) to the details provided at the bottom of this page. You have the right to lodge a complaint with a supervisory authority if you consider that the processing of your data infringes the General Data Protection Regulation. You may raise your concerns with your local data protection authority directly, without going through our complaints procedure. However, we would encourage you to contact us in the first instance as we aim to promptly, efficiently and satisfactorily resolve any concerns or complaints you may have in relation to BetterSpace’s processing of your personal data. If we become aware of any unauthorised access to your data which is likely to result in a high risk for your data protection rights and freedoms, we will inform you without undue delay after becoming aware of it, once we have established what was accessed and how it was accessed.

17. Amendments to this policy

We reserve the right to modify this policy at any time. If we decide to change this policy, we will post the changes on our Platform at www.betterspace.uk/privacy. Changes and clarifications will take effect immediately upon their posting on the Platform. If we make material changes to this policy, we will notify you on the Platform that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.

18. Contacting us

The Data Protection Officer for BetterSpace is Alfredo Belfiori, BetterSpace Chief Technology Officer and Co-Founder. All correspondence relating to data protection, privacy and information security should be addressed to: dataprotection@betterspace.uk