MOAI Health - Privacy Notice
Last updated: 25 February 2022
Introduction
We are Moai Health® Limited, operating as MOAI (“we”, “us”). Our registered office is at 112, Scylla Road, Nunhead Scylla Road, London, England, SE15 3RZ and our company number is 12924603.
Our privacy notice is designed to tell you about our practices regarding the collection, use and disclosure of personal information which may be provided to us via our website, associated apps and other digital products we provide or collected through other means such as email, an online form, or telephone communication.
In this notice “you” refers to any individual whose personal information we hold or process (other than our staff), and in most circumstances, this will be the individual undertaking our wellbeing assessments. However it may also relate to our client, the organisation who has engaged for our services, or a visitor to our website.
This notice is prepared in compliance with applicable data protection legislation including the EU General Data Protection Regulation (the “GDPR”), the Data Protection Act 2018 and UK GDPR. For the purposes of this notice, “UK GDPR” means the GDPR as such regulation is adopted into the law of the United Kingdom pursuant to the European Union (Withdrawal Act) 2018 and as amended by the Data Protection Act 2018 and any successor regulation or law.
The type of personal information we collect
We currently collect and process at least some if not all of the information set out below from you:
Questionnaire Information: Most of the data you provide to us is in the form of questionnaire answers. These are answers to questions such as ‘Other people in this organisation take my opinions seriously’ and are normally in the form ‘Sometimes/always’ etc.’, or a number 1-11. These answers are generally considered ‘non-identifiable’. That is, it would be very difficult for anyone to identify you specifically from these answers alone. We are interested in looking for correlations between these questionnaire answers and demographic information. To facilitate this enquiry, we ask you for personal information, including certain sensitive personal information. Specifically, we collect personal data revealing age, gender, weight, height, address, current postcode, prior postcode, ethnicity, religious beliefs, area of employment, type of employment, relationship status, sexual orientation, disability, salary, and years in service.
Client Information: This means information which we hold because you are a client of ours (e.g. as the organisation who has engaged us for our services) and which we process during the course of providing our services to you and your members/employees.
Communication Information: This means a record of any correspondence or communication between you and us.
How we get the personal information and why we have it
Most of the personal information we process is provided to us directly by you for one of the following reasons:
- Your organisation is interested in assessing their members’ wellbeing through our services. The questionnaire answers you provide are summarised in statistical reports and analyses that aim to give a snapshot of a group of people and what their answers to these specific questions may mean with regards to the wellbeing of the group.
- We are interested in researching how people answer these questionnaires, what groups of people answer them perhaps differently from other groups and what it means in terms of their overall wellbeing.
We can also receive personal information indirectly, from the following sources in the following scenarios:
- Our survey platform provider. When you respond to one of our assessments, they provide the type of device (Mobile vs Web) and the time at which the response was registered. Your organisation may provide us with your email address initially to deliver our assessments. This information is used only to deliver the assessment via email while your organisation retains our services. We will keep your email address (stored separately from all of your other information as described above) until your organisation or you no longer wish to be contacted for ongoing assessment.
We use the information that you have given us in order to:
- Produce summary reports for your organisation to understand the wellbeing of their employees/members.
- Research and understand how we can measure ‘wellbeing’ as a concept, what it might mean in day-to-day terms and how we can help companies and individuals improve their wellbeing.
We may share anonymised information with:
- As noted above, your organisation, in the form of summary reports. Again, only in anonymised form.
- Members of the MOAI Health Ltd team for internal operations and research purposes.
Legal basis for processing your personal information
Under applicable data protection legislation, we must rely on a legal basis in order to lawfully process your personal information. In most circumstances, we will process personal information we hold about you because you have specifically consented to this – for instance as part of completing a wellbeing assessment/ questionnaire. Please note you are able to withdraw your consent at any time if you wish to, however this will not affect the lawfulness of consent prior to withdrawal.
We may also process your personal information because:
- It is necessary in order for us to comply with our obligations under a contract between you and us – for instance if are an organisation and have engaged us for the provision of our services;
- The processing is necessary in pursuit of a “legitimate interest” - a legitimate interest in this context means a valid interest we have or a third party has in processing your personal information which is not overridden by your interests in data privacy and security; or
- The processing is necessary to comply with a legal obligation.
How we store your personal information & data retention periods
We will take all reasonable steps to ensure that appropriate technical and organisational measures are carried out in order to safeguard the information we collect from you and protect against unlawful access and accidental loss or damage.
These measures may include (as necessary):
- protecting our servers by both hardware and software firewalls;
- locating our data processing storage facilities in secure locations;
- encrypting all data stored on our server with an industry standard encryption method. By way of example, your information is securely stored in an encrypted form in servers run by GOOGLE LLC in many regions across the world, details of which can be found here. Google’s cloud platform privacy policy can be found here;
- when necessary, disposing of or deleting your data so it is done so securely;
- regularly backing up and encrypting all data we hold.
We keep different types of information for different periods of time as outlined below:
Personal Information:
- We will retain this information for as long as our users wish to undergo wellbeing assessments or interventions, and up to a maximum of 5 years thereafter after which time the information will be securely deleted.
Questionnaire Information:
- We will retain this information for as long as our users wish to undergo wellbeing assessments or interventions, and up to a maximum of 5 years thereafter after which time the information will be securely deleted.
- Anonymised information will be kept for ongoing research efforts into wellbeing for a maximum of up to 30 years after which time it will be permanently deleted.
Client Information:
- We will retain this information for as long as the relevant organisation continues to engage us for our services and remains a client of Moai, and up to a maximum of 5 years thereafter. After which time the information will be securely deleted.
Communication Information:
- We will retain this information for as long as is deemed reasonably relevant given the particular circumstances at the time.
Marketing Information and Technical Information
- We will retain this information for a period of 3 years from the last date on which the user interacted with us.
Please note that any information which is anonymised falls out of scope in relation to applicable data protection law however in any event, once the above timeframes have elapsed we will then dispose of your information securely (such as by way of permanent deletion from Google’s Cloud servers further information about which can be found here).
For any category of personal information not specifically defined in this notice, and unless otherwise specified by applicable law, the required retention period for any personal information will be deemed to be 7 years from the date of receipt by us of that data.
The retention periods stated in this notice can be prolonged or shortened as may be required (for example, in the event that legal proceedings apply to the data or if there is an on-going investigation into the data).
We review the personal information (and the categories of personal information) we are holding on a regular basis to ensure the data we are holding is still relevant to our business and is accurate. If we discover that certain data we are holding is no longer necessary or accurate, we will take reasonable steps to correct or delete this data as may be required.
Who we share your information with
We may disclose information to third parties in the following circumstances:
- We may work with other professionals and providers in providing and delivering our services to you or your organisation, such as service technology provider Google Cloud.
- In order to enforce any terms and conditions or agreements for our services that may apply.
- If we are sub-contracting services to a third party we may provide information to that third party in order to provide the relevant services.
- We may disclose information to our group companies (as the case may be).
- If we are under a duty to disclose or share your personal information in order to comply with any legal obligation (for example, if required to do so by a court order or for the purposes of prevention of fraud or other crime).
- As part of a sale of some or all of our business and assets to any third party or as part of any business restructuring or reorganisation.
- To protect our rights, property and safety, or the rights, property and safety of our users or other third parties. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.
If we do supply your personal information to a third party we will take steps to ensure that your privacy rights are protected and that such third party complies with the terms of this notice.
List of sub processors
Subprocessor: Google LLC
Purpose of transfer: Data storage and management
Personal data transferred: E-mail, DOB, gender, sex, sexuality, height, weight, employment parameters including salary, job title, employer team, psychological wellbeing data, loneliness data, organisational culture data.
Sensitive data?: Yes
Country: UK
Subprocessor Privacy Notice: https://cloud.google.com/terms/cloud-privacy-notice
Subprocessor: Typeform LLC
Purpose of transfer: Data gathering and storage
Personal data transferred: E-mail, DOB, gender, sex, sexuality, height, weight, employment parameters including salary, job title, employer team, psychological wellbeing data, loneliness data, organisational culture data.
Sensitive data?: Yes
Country: US
Subprocessor Privacy Notice: https://admin.typeform.com/to/dwk6gt
Subprocessor: Mongo DB Inc.
Purpose of transfer: Data storage
Personal data transferred: E-mail, DOB, gender, sex, sexuality, height, weight, employment parameters including salary, job title, employer team, psychological wellbeing data, loneliness data, organisational culture data.
Sensitive data?: Yes
Country: Belgium
Subprocessor Privacy Notice: https://www.mongodb.com/legal/privacy-policy
Subprocessor: Twilio SendGrid
Purpose of transfer: Email notifications and application communication
Personal data transferred: Email Address
Sensitive data?: No
Country: Global
Subprocessor Privacy Notice: https://www.twilio.com/legal/privacy
Subprocessor: Stripe Inc.
Purpose of transfer: Payment processing
Personal data transferred: Email Address
Sensitive data?: No
Country: US
Subprocessor Privacy Notice: https://stripe.com/gb/privacy
Transferring your information outside of the UK or EEA
We will not transfer your personal information in a systematic way outside of the UK or European Economic Area (“EEA”) but there may be circumstances in which certain personal information is transferred outside of the UK or EEA, in particular:
- From time to time, some of our data processors (such as hosting server providers), may be based outside of the UK or EEA. In that case, we will ensure we have an agreement in place with such processors to provide adequate safeguards and a copy of such safeguards will be available on request.
- If you or your organisation uses our services while you are outside the UK or EEA, your information may be transferred outside the UK or EEA in order for us to provide our services or to communicate with you or your organisation (as the case may be)
- We may communicate with individuals or organisations outside of the UK or EEA in providing our services. Those communications may include personal information (such as contact information).
- From time to time your information may be stored in devices which are used by our staff outside of the UK or EEA (but staff will be subject to our cyber-security policies).
If we transfer your information outside of the UK or EEA, and the third country or international organisation in question has not been deemed by the EU Commission or Secretary of State (as the case may be) to have adequate data protection laws, we will provide appropriate safeguards and we will be responsible for ensuring your privacy rights continue to be protected as outlined in this notice.
Data breaches
If personal information we hold about you is subject to a breach or unauthorised disclosure or access, we will report this to our data protection manager or officer (if an officer has been appointed) and/or the Information Commissioner’s Office (ICO) (as necessary).
If a breach is likely to result in a high risk to your data rights and freedoms, we will notify you as soon as possible.
Cookies
Like most websites and applications, we use cookies to help provide you with the best experience whilst using our service. Please note the information in a cookie does not contain any personally identifiable information you submit yourself to our website.
The cookies we use are split between the following categories:
- Strictly Necessary Cookies - which are an essential part of our service and affect the way you can use our website (e.g security & authentication);
- Performance/Analytics Cookies - which are used for analytics (e.g understanding usage on our website);
- Functionality Cookies - which collect information about your device to help you customize our service (e.g. remembering your timezone settings or accessing inline help); and
- Targeting/Advertising Cookies - these cookies record your visit to our website, the pages you have visited and the links you have followed. We will use this information to make our website and the advertising displayed on it more relevant to your interests.
Other than in relation to Strictly Necessary Cookies, we are generally required to obtain your consent prior to using cookies. On this basis and on your first visit to our website from your browser, we will display a cookie consent banner. We will only load the Strictly Necessary Cookies until you have clicked the “Accept” button on our cookies banner. If you click the “Accept” button our Functionality, Performance/Analytics Cookies will be loaded depending on your stated preferences.
For more information, please see our up-to-date cookie policy here.
Your data protection rights
Under applicable data protection law, you have rights including:
Your right to be informed - You have the right to know about our personal information protection and data processing activities, details of which are contained in this notice.
Your right of access - You have the right to ask us for copies of your personal information.
Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.
Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.
Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.
Your right to withdraw consent - You have the right to withdraw any permission you have given us to process your personal information
Your rights in relation to automated decision making and profiling - You have the right not to be subject to automated decision-making (including profiling) when those decisions have a legal (or similarly significant effect) on you.
Please contact us at [email protected] if you wish to make a request in respect of your rights. We will endeavour to comply with such requests as soon as possible but in any event we will respond to a data subject access request within one month of receipt (unless a longer period of time to respond is reasonable by virtue of the complexity or number of your requests).
Notification of changes to the contents of this notice
We will post details of any changes to our notice on our website to help ensure you are always aware of the information we collect, how we use it, and in what circumstances, if any, we share it with other parties.
Contact us
If you have any enquiry or concerns about our use of your personal information, you can contact us at:
Email: [email protected]
Complaints
If we are unable to resolve any issues you may have or you would like to make a further complaint, you can contact the Information Commissioner’s Office (“ICO”).
The ICO’s address:
Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Helpline number: 0303 123 1113
ICO website: https://www.ico.org.uk