We are simplyweight Limited, a company incorporated in England and Wales (Company No. 7094224) with registered office: Kenburgh House, 28A Manor Row, Bradford, West Yorkshire BD1 4QU United Kingdom.
Simplyweight are currently registered under the Data Protection Act 1998. We are committed to protecting your privacy in line the GDPR (hereby known as the “Act”). For the purposes of the Act, Simplyweight is the “Data Controller”. The confidentiality of your information is of paramount concern to us. Simplyweight fully complies with data protection legislation and medical confidentiality guidelines.
For the purposes of this policy, ‘Personal Data’ means any personal information (including ‘Sensitive Personal Data’ as defined in the Act) that is capable of identifying you. This information may include your name, address, telephone number, fax number or e-mail address.
WHAT INFORMATION WE COLLECT:
We collect 2 types of information from you: (1) personally identifiable information; and (2) non-personally identifiable information (for example aggregate information or any information that does not specifically identify you as an individual). We may use these types of information in different ways as detailed throughout this policy.
Personally Identifiable Information (“PII”)
If you choose to withhold requested information, you may not be able to visit all sections of our Website or benefit from all of our Services, such as subscribing to our online weight loss tools, or posting content to our community forum.
Non-Personally Identifiable Information (“NPII”)
When you register as a user on our Website and/or any of our Services, we also may collect information that by itself cannot be used to identify or contact you, such as demographic information (like age, profession or gender) and health information (like current weight, activity level, sleep, ethnicity, smoking status, comorbid conditions, etc.)
Non-Personally Identifiable Information may also include user IP addresses, browser types, domain names, and other anonymous statistical data involving the use of our Website. NPII is used to help us understand who uses our Website and to improve and market our Website and Services.
WHY SIMPLYWEIGHT PROCESSES DATA
We will be processing your data under special category under Article 9(2) (h):
Processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
HOW WE COLLECT AND USE INFORMATION
This Website is intended to enable information relevant to the work of simplyweight UK, to be freely available on the World Wide Web. Whilst simplyweight UK hopes you find this website interesting and informative, the contents are for general information only. The use of and access to pages of the simplyweight website is subject to the foregoing disclaimer, and terms and conditions set out below. By using or accessing this Website, you agree to be bound by these terms and conditions.
simplyweight shall not be liable for any loss or damage arising in connection with the content of the website. simplyweight does not guarantee that the website will be error-free, omission-free, uninterrupted or without delay.
Website Usage & Form Submission
Information submitted to simplyweight over this website is normally unprotected until it reaches us. Users are requested not to send confidential details by email unless specifically requested by us.
We will retain data about you which we obtain as a result of you visiting this website. We may use that information to provide you with details of products or services (whether provided by us or others) which we believe may interest you, unless you indicate at the relevant part of the website to the contrary.
When you send an email or complete an enquiry form, simplyweight will not share your email address or private information with anyone outside of the simplyweight, with the exception of doctors, registered pharmacy, dietitians or any other relevant health care professionals who provide the services about which you are enquiring or other suppliers (in particular those who support our IT systems) who are under strict confidentiality requirements.
Any time you visit the Website, we gather certain information about your use of our website (such as your IP addresses, browser type, Internet service provider (ISP), referring/exit pages, platform type, date/time stamp, and number of clicks) to analyse trends, administer the site, track visitor movement in the aggregate, and gather broad demographic information for aggregate use. For example, we log your IP address for system administration purposes. IP addresses are logged to track a user’s session. This gives us an idea of which parts of our site users are visiting. We do not link any of the log files to any PII. This means that a user’s session will be tracked, but the user will be anonymous. We will only link your log files to your PII, if necessary, for internal troubleshooting and system performance purposes. We do not share your log files externally.
Cookies & Action Tags
In order for us to monitor and improve this website, we may gather certain information about you when you use it, including details of your domain name and IP address, operating system, browser, version, and the website that you visited prior to our site. We may do this by way of a “cookie”.
A cookie is an element of data that our website can send to your browser, which may then store it on your system.
Most web browsers automatically accept cookies. You do not have to accept cookies, and you should read the information that came with your browser software to see how you can set up your browser to notify you when you receive a cookie.
Any disablement of the cookies function may hinder some of the website functionality, for which we shall not be responsible.
Action tags, or gif tags, are a web technology used to help track website usage information, such as how many times a specific page has been viewed. Action tags are invisible to you, and any portion of our Website, including advertisements, or e-mail sent on our behalf, may contain cookies that are associated with action tags that are located on our Website. Unlike cookies, action tags are not placed on your computer.
We may select and use different third parties from time to time to track website usage through action tags on our Website and on our advertisements on other websites.
Phone Calls and E-mails
We require an e-mail address from you when you register with us. For paid Services, you will receive an e-mail notification of your order, and another e-mail when your order has been completed (or that your credit card or other method of payment has been rejected for an order renewal). For renewal transactions you will also receive an e-mail confirming the same.
Once you begin to register for any of our Services, we may also send you newsletters and e-mails about special events, product offerings, promotions or special discounts. If you have started, but not completed, the registration process, we may also send you e-mail messages encouraging you to complete the process and become a subscriber.
Our e-mail messages may contain code that enables our database to track your usage of the e-mails, including whether the e-mail was opened and what links (if any) were clicked.
If you have provided us with your telephone number during or after registration or if we obtain your telephone number from a publicly available source after your registration, then we may also contact you by telephone or text message solely in connection with our Services. The legal basis of processing such e-mail and phone data is under Art.6 (1)(b) GDPR.
If you would rather not receive emails about new products, promotions or other noteworthy news, or if you would rather we didn’t phone you, information is set out below about how you can Opt-Out.
When you register for or subscribe to any of our Services, we collect a wide variety of information which we use in order to better understand your needs. Our Services include the 100-Day Plan, online membership (free or paid), community forums, community messaging platform, weight loss resources and more. You must first complete certain steps to become either a member or a subscriber. During these steps, you may be required to provide us with information (including PII) such as name, postcode and email address, and, if you subscribe to one of our paid Services, credit card and billing information. The legal basis of processing such data is under Art.6 (1) (b) GDPR.
From time to time we may conduct voluntary member surveys. We encourage our members to participate in such surveys because they provide us with important information regarding the improvement of our Services. You may also volunteer for certain surveys that we may offer to our users, and any additional rules regarding the conduct of such surveys will be disclosed to you prior to your participation. We do not link the survey responses to any PII, and all responses are anonymous. The legal basis of processing such data is under Art.6 (1) (f) GDPR.
HEALTHCARE RECORDS & PERSONAL MEDICAL DATA
Medical Questionnaire & Records
More detailed information about you will be required if you subscribe to our paid Services including the 100-Day Online Plan, paid Online Membership, Consultations or any bespoke Weight Management Plan. This includes, but is not limited to, height, weight, sex, medications, ailments, eating pattern, psychological issues, surgeries and physical activity pattern. The legal basis of collection and processing of all medical data is under a special category Art.9 (2) (h) GDPR.
All this information is used to help us understand who uses our Website, to improve our Website and our Services, to contact users about requested Services and for administration of your account. It is optional for you to provide demographic information (such as profession and number of children), but providing this information is encouraged so we can work towards offering more tailored and personalised plans.
For patients who come for a clinical consultation, detailed and personal medical information will be collected by a doctor or healthcare professional. This data will be required for medical diagnosis, to help our team decide which is the most appropriate medical plan to offer you and to keep clean records of your health and progress over the course of your Plan, should you choose to join one.
Healthcare Industry Practice
In the healthcare sector, patient data is held under a duty of confidence. As a healthcare provider, we operate on the basis of implied consent when it comes to processing patient data for the purposes of direct care, without breaching confidentiality. This consent is not the same as the one needed for lawful processing of data under GDPR.
DISCLOSURE OF YOUR INFORMATION TO THIRD PARTIES
We will only disclose your personal data to carefully selected third parties and organisations for marketing purposes or to assist us in delivery a better quality of service. This includes using aggregated and anonymised data for research and study.
We may also disclose personal data if required to do so by law or in the good-faith and belief that such action is necessary to:
– conform to the edicts of the law or comply with legal process served on us;
– protect and defend our, or a third party’s rights or property;
– protect someone’s life, health or safety, such as when harm or violence against any person (including the user) is threatened.
We may also have to share your information, subject to strict agreements on how it will be used, with the following organisations;
- NHS Trusts / Foundation Trusts
- General Practitioner’s
- Your Insurance providers for invoicing and sharing care plans as and when advised by the insurance providers
- NHS Commissioning Support Units
- Independent Contractors such as dentists, opticians, pharmacists
- Registered pharmacies
- Private Sector Providers
- Voluntary Sector Providers
- Ambulance Trusts
- Clinical Commissioning Groups
- Social Care Services
- Health and Social Care Information Centre (HSCIC)
- Local Authorities
- Education Services
- Fire and Rescue Services
- Police & Judicial Services
- Other ‘data processors’ which you will be informed of
You agree that we will not be responsible or liable for any loss or damage of any sort incurred as the result of any such dealings, including the sharing of the information you supply to any such third party providers, or as the result of the presence of such providers on the Website.
We may also disclose your personal data to third parties in the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets. In the case of any transfer of your PII you will be required to reconfirm your consent before any material changes can be made to the way it is stored and used.
For any of our paid Services, especially Consultations and Bespoke Weight Management Plans, we will be required to share your personal data or medical records with Primary Care (General Practitioner’s) and Secondary Care (Hospitals and Specialists). These will include Specialists under Simplyweight’s contract and in some cases, when deemed necessary by our medical team, external Specialists. This sharing is essential for the running of our services and for your own health & safety. The legal basis for such transferring of data is under Art.49 (1)(c) and in some cases Art.49(1)(f).
Our Community Messaging Platform
We are employing a GDPR compliant third-party to help us deliver an effective and reliable messaging platform Service. For the purposes of making this work, we only need to share your username (which can be PII as per your selection) and profile picture (which can be PII as per your selection). This information is used to identify users within our community and for us to receive chat analytics which will be used to improve our Services. This personally identifiable information is never distributed to anyone else.
All messaging communications use end-to-end encryption. At your request, we can request an export of your data from the third-party but even these messages will be encrypted for your protection. Should you choose to cancel your account with us, we will notify the third-party immediately and all your data on their server will be deleted.
Payment: We fully comply with all applicable UK Data Protection in place, and protect the security of your personal data with Secure Sockets Layer (SSL) encryption. We do not share customer details for payment with any 3rd parties except Stripe & Worldpay, who allow us to take credit card and PayPal payments for the System and we are committed to ensuring that all suppliers meet our security and data protection standards.
Invoice validation: We will use limited information about individual patients when validating invoices received for your healthcare, to ensure that the invoice is accurate and genuine. This will be performed in a secure environment and will be carried out by a limited number of authorised staff working for simplyweight ltd
Operations: We may use and disclose your personal data for our internal operations, which include administration, planning and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve quality of the service, satisfaction surveys, de-identifying personal data, customer services and internal training.
Reminders and notifications: We may use and disclose your personal data to contact you as a reminder to interact with, or complete tasks relating to your use of the System.
Third party service providers: The System uses Google Analytics. These are third party services that allow simplyweight to collect information from you concerning your use of the System, including but not limited to pages visited, links clicked, non-sensitive text entered, mouse movements, and usage of our iPhone and Android apps. These services are used to help simplyweight enhance or improve the user experience on this website and to perform any other function that simplyweight reasonably believe in good faith is required to protect and ensure the proper functionality and security of this website. The data provided to these services is non-identifiable and anonymised in order to perform services on behalf of simplyweight.
We maintain a variety of appropriate technical and organisational safeguards to protect your personal information once it is received. We however, will not have control over or responsibility for the security or privacy policies or practices of other sites on the Internet you might visit, interact with, or from which you might buy products or Services, even if you visit them using links from our Website. Please note that no website, mobile app or service is completely secure. While we endeavour to protect our Patients” information using the measures described above, we cannot guarantee that unauthorised access, hacking, data loss or a data breach will not occur.
In certain situations, we may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements. We may disclose personal information to establish or exercise our legal rights or defend against legal claims. We may also share such information if we believe it is necessary in order to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our Service Agreement, or as otherwise required by law.
TRANSFERRING YOUR DATA OUTSIDE THE UK
REQUESTS TO ACCESS YOUR DATA
You have a right under the GDPR 2018 & Data Protection Act 1998 to request access to view or to obtain copies of what information Living Mind holds about you and to have it amended should it be inaccurate. To request this, you need to do the following:
Any enquiries regarding this policy must be directed in writing for the attention of our data protection compliance officer.
- Your request must be made in writing to us
- There may be a charge to have a printed copy of the information held about you
- We are required to respond to you within 40 days
- You will need to give adequate information (for example full name, address, date of birth and details of your request) so that your identity can be verified, and your records located
Under the Act you have the right to request details of your personal data held or processed by us.
Please send such requests in writing to the address above, marked for the attention of the data protection compliance officer. There is no statutory administration fee charged.
If you believe that any information held by us is incorrect, inaccurate or incomplete, you must write without delay to our data protection compliance officer, highlighting the corrective action to be taken. If any information is found to be incorrect, it shall be corrected promptly.
Requests for rectifying personal data does not extend to any medical records or opinions of any healthcare professionals working under our contract or otherwise. In certain cases where an initial diagnosis or opinion proves to be incorrect following further investigations, we will still keep the old records on file as, at the time of diagnosis, the records accurately reflect a doctor/healthcare professional’s opinion. Furthermore, holding a history of medical records can assist future healthcare professionals who treat the same patient.
YOUR RIGHTS REGARDING YOUR PERSONAL DATA
You have certain rights with respect to your personal data. If we do not agree to a request by you with respect to your personal data, please consult the simplyweight data protection officer.
If we do not comply with any of the below, you have the right to complain to the ICO and to a judicial remedy without undue delay and at the latest within one month.
Access: You have the right to inspect and copy your personal data maintained by us. Normally, we will provide you with access within one month of your request.
Accounting: You have the right to request an accounting from us of certain disclosures made by us. We will provide you with your accounting within one month of your request. In addition, we will notify you as required by law if there has been a breach of the security of your personal data.
Amendment: You have the right to request that we amend your written personal data. For instance, you can request that we correct an incorrect date of birth in your records. We will amend your personal data within one month of your request, and will notify you when we have amended your personal data. We can deny your request in certain circumstances, such as when we believe that your personal data is accurate and complete.
Automated Decision Making & Profiling: You have the right not to be subject to a decision based on automated processing and it produces a legal effect or a similarly significant effect on you. To request an opt-out of automated decision making & profiling, please contact our data protection officer using email: firstname.lastname@example.org
Confidential Communications: You have the right to request in writing that we restrict the way in which we communicate information regarding your health and health care services, such as ceasing to send email or text messages to notify or remind you about aspects of the System or your progress through the simplyweight plan. We will make every effort to accommodate your request.
Deletion: You have the right to ask that we delete all information that the System has collected on you via email to the simplyweight data protection officer using e-mail: email@example.com
Objection: You have the right to object to processing based on legitimate interests or the performance of a task in the public interest, to direct marketing, and to processing for the purposes of scientific research & statistics. To request an objection, please contact the simplyweight data protection officer using e-mail: firstname.lastname@example.org
Opt-Out: If you have submitted your personal data, and later decide that you would like us to discontinue processing your personal data, you can choose to opt-out. To opt-out, please send an electronic mail headed “opt-out” to us at: email@example.com
If you would rather not receive telephone calls or text messages from us, you may change or delete your number by make adjustments in the account maintenance section of the Website, or by asking to be removed from our contact list if you receive a call from us.
Please note that this opt-out option applies for users who are registered with a free account or are on our free mailing list. Exceptions apply for users who are paid members or clinic patients. Please see the section below on “Data retention” for full details.
Restrictions: You have the right to request in writing that we do not disclose certain information about you. To request a restriction, please contact our Data protection officer using email: firstname.lastname@example.org
DATA STORAGE, RETENTION & ERASURE
Simplyweight considers your security extremely important. We have clear policies of data storage, retention, breach and erasure.
Where we store your personal data
All information and data you provide to us is stored on secure servers with trusted 3rd party suppliers, Amazon Web Services (‘AWS’) within the European Economic Area (‘EEA’). AWS complies with EU Data Protection Directive (‘Directive 95/46/EC’), which sets out several data protection requirements, which apply when personal data is being processed. AWS are industry leaders in the provision of hosting services and take security very seriously – you can find out more about their security policies and processes in their Security Whitepaper: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
All passwords are stored in encrypted form and all traffic is transmitted securely via SSL by default. However, it may be possible that your anonymised data is transferred to, and stored at, a destination outside the EEA – such as Google Analytics. By submitting your personal data, you agree to this transfer, storing or processing.
Unfortunately, despite these measures, the transmission of information via the internet is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the System, and any transmission is at your own risk. Once we have received your personal data, we will use strict procedures to try to prevent unauthorized access in accordance with our Company data protection policy and code of practice, and responsibilities as a registered Data Controller in the UK.
As per the ICO’s ‘Principle 5’, we retain personal data no longer than is necessary for the purpose we obtained it for. With the context that your personal data may be used for research purposes (as covered in section 3), simplyweight will retain any information held on an individual for up to 10 years after that individual has ceased use of the System. At that point, the individual’s information will be deleted. As covered in section 5, you may request that we delete your data at any time.
Upon termination or cancellation of a free Service, your personal data will be anonymised or deleted from our database but you will remain on our free mailing list unless you specifically request otherwise. At any time you can choose to unsubscribe from this mailing list by clicking on a link in the footer or e-mailing us.
Upon termination or cancellation of a paid Service (100-Day Plan, Consultations, paid Online Membership or a bespoke Plan), we will retain your personal data including all medical records and reports in the interests of your health and our own protection in the event of any legal claims:
- For 100-Day Plan and paid Online Memberships – 5 years since the date of termination
- For Consultations & Bespoke Weight Management Plans – 7 years since the date of termination
During this retention period no one you may still request to access your data in line with the “Administration” clause above, but we cannot take requests for deletion of medical records or PII that is associated with your medical records. As we operate under a special category of data Art.9 (2)(h) GDPR, the “right to be forgotten” or “right to erasure” does not apply here.
DATA SECURITY & VIRUSES
We always take appropriate measures to safeguard the personal data we hold from unauthorised access or improper use. We will exercise reasonable care in providing secure transmission of information between your computer and our servers, but given that no information transmitted over the Internet can be guaranteed 100% secure, we cannot ensure or warrant the security of any information transmitted to us over the Internet and hence accept no liability for any unintentional disclosure.
We operate a strict internal security policy with which our employees must comply as a condition of their employment with us.
Also, whilst we make all reasonable attempts to exclude viruses from the website, we cannot guarantee that the website will be virus free and accept no liability in the unlikely event that the website is not virus free.
Users are recommended to take appropriate safeguards before downloading information from this website.
simplyweight’s information systems are highly protected, encrypted, and secure – but no system is completely impenetrable. Simplyweight has procedures and tools in place to detect, report, and investigate a data breach. When a breach may result in a high risk to your rights and freedoms, we will notify both you and the ICO of this.
CHANGE OF DETAILS
It is important that you communicate with us if any of your details such as your name or address have changed or if any of your details such as date of birth is incorrect for this to be amended. You have a responsibility to inform us of any changes so our records are accurate and up to date for you.
AGAINST SPAM APPROACH
simplyweight Ltd. distinguishes the receipt, transmission or conveyance of spam messages # (i.e. unsolicited mass messages) as a significant concern and has taken sensible measures to minimise the transmission and impact of spam messages in our nature.
All messages accepted by simplyweight Ltd. are liable to spam check. Any email distinguished as spam will be rejected with sufficient data to the sender for making vital moves. With this measure, in addition to other specialised spam decrease measures; simplyweight Ltd. would like to minimise the impact of spam messages. Simplyweight Ltd. maintains all authority to reject or report any suspicious spam messages, to the powers concerned, for important movement.
RIGHT TO WITHDRAW
simplyweight Ltd regards your security contemplation and subsequently gives an alternative to you, to not give the information or data reviewed, which is to be gathered. Further, you can likewise withdraw your consent provided for simplyweight Ltd, and the same must be imparted to simplyweight Ltd. in writing.
Although the Website has been tested and should work correctly under normal circumstances, there are many factors both within and outside of the control of simplyweight, which may prevent the website from being available. No responsibility is accepted by simplyweight, for any losses howsoever caused that may arise from an inability to access or to access resources through its Website. If you find any errors within our website, including links that do not work, pages linked to the wrong document and out of date information, please email us email@example.com
Any grievance or protestation, in connection to processing or transforming of data by us, our employees or agents, ought to be sent to simplyweight Data protection officer at: Hello@simplyweight.co.uk. Grievance should be reviewed as speedily as could reasonably be expected.
PROGRESSIONS TO THIS POLICY
Please kindly note that this Policy may change occasionally. We won’t decrease your rights under this Policy without your expressed assent consent. We will post any Policy changes on this page.
Questions relating to revisions to this Policy may be addressed to the Data protection officer at Hello@simplyweight.co.uk. This Policy will be promptly revised if there is a material change to a policy described herein.
Effective Date: This Policy is effective as of 1st September 2018.