17 November 2020
Your privacy is essential to our core activity. We are committed to respecting and protecting it while you use our websites and app systems (phone applications, smartwatch applications and web services), collectively referred to as “Services.” This policy is designed to let you know who we are, what we do, how we protect your information, and what your data rights are.
This policy was updated on the 17th November, 2020.
Who we are
BIOS Health delivers a platform for patients and healthcare teams to monitor patients’ health. Our company's registered address is 8 Bateman Mews, Cambridge, United Kingdom, CB2 1NN and we are registered with Companies House with the number 09575301.
Under the General Data Protection Regulation (GDPR), we are a data controller and sometimes a data processor. This means we are responsible for the data we receive through the use of our Services and for determining the purpose(s) and manner in which it is processed. When providing our services to third parties, such as healthcare organisations and trusts, we will process user data for our own legitimate interests. When data is transferred from BIOS Health to third parties, this transferred data is subject to the third party’s lawful basis for processing. We will inform you if your data is being used by a third party. In order for third parties to process your data, they may separately need to secure your consent for how they plan on using your data.
By signing up to use BIOS Health’s Services, you agree to allow us to collect, store, and process your data to provide our services, as well as to use your data for research purposes and algorithmic development. We take this responsibility extremely seriously and commit to maintaining utmost security to support this. You can stop using our Services at any time after which we will no longer collect new data from you. The data you have previously provided will continue to be used for research purposes. You have certain data rights under GDPR that are listed in more detail below.
What data will we collect?
Any information that you input into our Services, including but not limited to survey responses entered into our survey application and inputs to forms on our website. Signing-up for a study with BIOS Health does not require one to enter one’s name or date of birth. Study participants will only be identified in our system using pseudonyms. If you are enrolled in a study via a research partner, they may collect personally identifiable information, but that information will not be shared with BIOS Health. To access certain material on our website, such as papers or reports, you may be asked to enter your name, email address, business information, username, or display name.
Data related to your health from wearable devices, including but not limited to accelerometer data, heart rate and other cardiac metrics from PPG sensors, motion classification, and ECG readings.
Information inputted into our system by your healthcare team.
Geolocation – In order to create accurate measures of your activity levels we use differential GPS in some of our metrics. This means that we do not record your locations, but only the changes in your location. This information enables accurate measures of distances moved without us having access to your location.
To improve product performance and the user experience, we may also collect additional information from our applications and website such as your device's IP address, the time and duration during which you used our Services, and information related to how you use our Services (e.g. what sections of an app you use most).
Information from third parties that form part of our Services.
How do we use your data?
We use your health-related information to support you and your healthcare team and for research purposes. The applications are intended for you to record your symptoms, how you are feeling, and other health metrics. There are also passively collected health measures that measure your physical activity levels as well as your heart function. This data is for you and your healthcare team to learn more about your health status. This data is not to be used for determining your course of treatment, but only for informational purposes.
Data that is not related to health, such as information inputted into forms on our website, may be used for other purposes such as providing you services you have requested or exercising our legitimate interests listed below.
We use your data to:
1. To exercise our legitimate interests
a. We will use the data for improving the health metrics we calculate, to create new health metrics, and for researching new treatments and therapies for chronic conditions.
b. We will use your data to assess the quality of our service and to make improvements.
c. We will also use the data to provide a responsive service to you and your healthcare team and to support or respond to you when you contact us.
d. We will use your information for internal operations. These might include troubleshooting, fraud detection and resolution, data quality checks, functional testing, security, audit and statistical analysis to ensure that our app(s)/service satisfies the requirements of our users and partners.
2. To provide you with the service
a. To register and manage your account with us and to ensure your information is accurate and up to date.
b. To inform you of any alterations, modifications and updates to the service.
c. To review, investigate, and address issues that may affect your use of our service.
d. To provide you with content that you have requested or content which is similar to content which you have requested in the past.
3. To communicate with you about new content, products, services, and features provided by BIOS Health
a. We will NOT use nor sell your health-related information, nor any information provided to BIOS Health in the course of your participation in a study or trial, for marketing purposes.
b. We will NOT sell any personal information for marketing purposes.
c. Marketing content will only be related to BIOS Health products and services.
4. To respond to obligatory requirements
a. We will disclose information if we are requested to do so as part of a reasonable regulatory requirement or in response to a legal request.
Sharing your data
We may share some of your anonymised data with third parties. Examples include:
Healthcare & research teams. This will always be anonymised unless you agree to participate in trials or studies using your identifiable information
Information storage providers to record information that is input to your account
We will only ever share the minimal information necessary to deliver the service.
We will also take part, where approved by the relevant authorities, in assisting with relevant studies and medical research. This is to help understand more about your condition and to improve treatments available to you and others who suffer from the same condition.
How do we keep your information secure?
Your information is stored within Amazon Web Services and situated in a region local to you. All information processed by us is encrypted in storage.
We have strict procedures and security measures to prevent, as much as reasonably possible, unauthorised access to or disclosure of your information. We cannot guarantee the security of any information you transmit to us, such as emails containing information about you.
How long will we store your information?
In line with medical guidelines, we will keep your information collected as part of a study or trial for up to 30 years from the point you tell us you no longer wish to use the platform. If you ask us to delete your information before this, we will, but it may take up to 6 months to completely remove your data from the cloud-based back-up storage system, simply because of the way in which our back-up host operates. In line with medical guidelines, following the confirmed death of a user, their data will be removed after 8 years.
We store other personal information, such as information entered into forms on our website, for as long as necessary to carry out the purposes for which we originally collected it and for other legitimate business purposes, including to meet our legal, regulatory, or other compliance obligations.
What rights do you have regarding your information?
In recognition of your data rights, we will fulfil any of the requests outlined below in line with regulatory timeframes. By law you have a number of rights that apply in certain circumstances. These include the right to:
Object to processing
This means you may not want your information used in some ways.
This means we can no longer use your data. We will continue to store your data and note you on a list of users whose data we hold but cannot use in the future.
You should have clear, accessible and transparent information provided to you so you understand how we work, protect and use your data.
Have access to your information
This enables you to check we are using your data correctly and is done by contacting us directly or via your healthcare team.
If you see incorrect or incomplete data, you can ask to have that corrected.
This means you can be "forgotten". It is important to know this is subject to some conditions, but the right means you can have all the information we hold on you deleted where there is no compelling reason for us to keep using it.
Move your data
This is referred to as portability. Your data should be provided for you in a way that is accessible and provides you with the option of reusing the data in other situations.
You have the right to lodge a complaint, and we will respect this and deal with it in a timely fashion in line with UK regulations.
This means you remove the right for us to use your data. You may do this at any point and without providing a reason for doing so. Removing your consent means you will no longer be able to use our Services.
If you have further questions, you can contact us at the address:
8 Bateman Mews
If you would rather deal with an independent group or feel we have not satisfactorily dealt with your enquiry, you can contact the ICO by email OR phone 0303 123 1113.