Discova LTD (“Discova”, “we”, “our” or the “Company”) respect the privacy of its Users and is committed to protect the personal information that its Users share with it. We believe that you have a right to know our practices regarding the information we may collect and use when you use the Service.
WHO WE ARE
We are DISCOVA LTD of 42 Brookfield Crescent, Newcastle upon Tyne, United Kingdom, NE5 1BP, email@example.com. We are the providers of the Discova platform.
Discova is a product of Discova Ltd and is cloud-based web platform that enables individuals to manage their mental health (the “Service” or “Discova”).
A User may be either an entity, for example an employer which has executed an agreement with Discova (“Customer “) or a Customer’s users for example a Customer’s employees, of the Services (“End User(s)”) (Customer and End User shall collectively be referred to as “Users” or “you”).
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
For the purposes of applicable data protection law, including the General Data Protection Regulation (“GDPR”), the UK GDPR (once in force) and the Data Protection Act 2018 (the “Data Protection Law”), we are the data controller in respect of the personal data you enter or create through use of Discova. We will not at any time share that personal data with your employer or other organisation through whom you gain access to the Services, though we will provide the organisation with anonymised, aggregated data reports which show how our Services are being used but no individual will be identifiable from such reports.
Questions, contact information and complaints
We have appointed a Data Protection officer Emma Reilly, please contact firstname.lastname@example.org if you wish to make a complaint, exercise any of your rights as a data subject or if you consider a breach of Data Protection Laws has occurred.
Your right to complain
If you have any complaints or concerns about how we collect, store or use your personal data we hope you will raise those concerns with us direct. However, you have a right at all times to lodge a complaint about us with a supervisory authority (Data Protection Authority in your jurisdiction). If you are based in the UK, the supervisory authority is the Information Commissioner’s Office: please go to their website for full contact details https://ico.org.uk/make-a-complaint/
WHICH INFORMATION MAY WE COLLECT?
Categories of information and data we may collect from our Users.
Data we collect about you from your use of the Service
The first type of Data is non-identifiable and anonymous information (“Non-personal Information”). We are not aware of the identity of the User from which we have collected Non- Personal Information. Non-Personal Information is any unconcealed information which is available to us while Users are using the Service and which does not identify any individual persons. We may also collect certain Personal Information via these automatic means not requiring you to enter the personal data directly. Some of the information which is being gathered consists of technical information and some limited behavioural information including the number of visits or period of time the User visited the website.
Data you give us
The second type of Data is individually identifiable information (“Personal Information”).
This information may identify an individual or may be of a private and/or sensitive nature.
In addition to the information described in the “Data we collect about you from your use of the Service” section, Personal Information which we collect consists of any personal details provided consciously and voluntarily by a Customer, End User or the Customer’s administrator or which is entered by you or generated through your use of the Discova platform. This may (should you chose to enter the information onto the Discova platform) include your name (first and last), birthdate, gender, special category data relating to your health, disability, sexual orientation, religious beliefs, political beliefs, criminal conviction data, as well as information such as learning style, mood data, focus area, country, city, postcode, gender, other unique identifiers and other information the User may choose to provide to Discova and to its employee. Discova may not be aware of the nature of the information collected through the Services. As mentioned above, such information which the User choses to input to their individual user account may include Personal Information about an individual’s racial or ethnic origin, religious or similar beliefs, physical or mental health or condition or any other data considered as sensitive under applicable law (“Sensitive Information”).
We will never sell your Personal Information to third parties and we only share your Personal Information as set out in this Policy.
You do not have any legal obligation to provide any information to Discova however, we require certain information in order to provide the Services to you. If you choose not to provide us with certain information we may not be able to provide you with the Services. Login credentials (email and username) are required to have the Discova system work properly, however the email and username you make use of do not have to reveal your personal identity you are free to use a pseudonym if preferred and we would encourage you to do so in relation to your username.
We store your Personal Information on a secure cloud server via AWS services, please see “Third Parties” and “Where do we store your data” sections below for more information.
Discova may also collect the email addresses of people who communicate with Discova via email or via messenger services or create accounts and login credentials.
By registering for an account on Discova’s general web site, Discova will collect your name, company name, phone number and company email you provided. Discova may use this information to offer Discova’s services and support.
HOW DO WE COLLECT INFORMATION ON USERS OF Discova?
There are two main methods we use:
We collect Non-Personal Information through your use of our Service. In other words, when you are using the Service we are aware of it and may gather, collect and record the information relating to such usage, either independently or through the help of third-party services as detailed below in our cookies policy.
We collect Personal Information which you provide us voluntarily. We collect Personal Information required to operate the Service when you or the Customer’s administrator registers and opens an individual user account. In addition, we collect your Personal Information, which may be considered as personally identifiable, whether you provide us such information by entering it manually or via a Customer.
We refer to all the information we collect from Users as “Data” throughout the rest of this policy.
WHY DO WE COLLECT SUCH DATA?
Data you give to us:
We will use this Data only to provide the Services to the User including:
carrying out our obligations arising from any contracts entered into between you and Discova and/or any contracts entered into between a Customer and Discova and to provide you with the information and Services that you request from Discova;
administering your account with Discova;
verifying and carry out financial transactions in relation to payments you make in connection with the Service;
notifying you about changes to our Service;
contacting you for the purpose of providing you with technical assistance and other related information about the Service;
replying to your queries, troubleshooting problems, detect and protect against error, fraud or other criminal activity;
We may combine this information with information you give to us and information we collect about you. We will use this information and the combined information for the purposes set out above (depending on the types of information we receive). We will also anonymise and, once anonymised, aggregate your data with data from other users. Those anonymised and aggregated data sets will be used for analytical purposes including statistical modelling, predictive analytics and reporting to Customers on how the subscriptions are being used. However, all such data sets and reports will have all personally identifiable information removed and neither you nor any other user will be identifiable from those reports and analytics.
LAWFUL GROUNDS FOR PROCESSING
Under the Data Protection Laws, the lawful bases we rely on for processing this information are:
(a) Your consent. You are able to remove your consent at any time. You can do this by contacting email@example.com
(b) We have a contractual obligation.
(c) We have a legal obligation.
(d) We have a vital interest.
(e) We have a legitimate interest.
In respect of Sensitive Information (referred to under the Data Protection Laws as special category data), we process that data on the basis of your explicit consent given at the time of your opening a User account and by your submission of any Sensitive Information in the course of your use of the Service and the Platform. If you wish to withdraw that consent please do so by writing to us at firstname.lastname@example.org , do not submit any further special category data and we will subsequently delete the relevant data from our systems.
SHARING DATA GATHERED THROUGH Discova WITH THIRD PARTIES
In order to provide our Services and the Discova Platform to you, we may need to share your Data with certain limited other parties for limited purposes. We set out the details below:
Our selected third parties may include:
business partners, suppliers, affiliates, agents and/or sub-contractors for the performance of any contract we enter into with you. They may assist us in providing the Services we offer, processing transactions, fulfilling requests for information, receiving and sending communications, analysing data, providing IT and other support services or in other tasks, from time to time. These third parties will only use your information to the extent necessary to perform their functions and they will be bound by written contracts imposing confidentiality obligations and relevant elements of the data protection legislation on them in relation to their processing of your personal data;
analytics and search engine providers that assist us in the improvement and optimisation of our site and subject to the cookie section of this policy (this will not identify you as an individual) and data processors who process your personal data on our behalf and in accordance with our instructions and applicable data protection law.
A full list of third parties with whom we share your personal data in the course of providing our Services to you is set out below, if we make any changes to this list we will update this policy and email you a copy or otherwise make the updated policy available to you on the Platform:
We may also need to disclose your personal information in certain limited circumstances to additional third parties:
If Discova’s all or substantially all of its assets are acquired by a third party including by way of a merger, share acquisition, asset purchase or any similar transaction, in which case personal data held by it about its customers will be one of the transferred assets.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of supply terms and other agreements with you; or to protect the rights, property, or safety of Discova, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction and to prevent cybercrime. We may also share your personal data (including Sensitive Information) where we reasonably consider it necessary to protect the vital interests (health and life) of you or another individual.
For avoidance of doubt, Discova may transfer and disclose Non-Personal Information and fully anonymised information to third parties at its own discretion.
WHERE DO WE STORE YOUR DATA?
MODIFICATION OR DELETION OF PERSONAL INFORMATION GATHERED THROUGH DISCOVA
Data stored through Discova is inherently dynamic and may contain errors and omissions. If for any reason you wish to modify your Personal Information you may do so through the Discova Platform by editing the relevant data that needs to be modified. In order to delete your Personal Information completely please contact us at email@example.com
Discova acts as Controller of your personal data. We do not share it with the employer or organisation through whom you gain access to the Discova Services.
Please note that Personal Information may be either deleted or retained in an aggregated or anonymised manner without being linked to any identifiers or Personal Information, depending on technical commercial capability. We will not be able to delete or amend such data at your individual request once it is in anonymised form and it has ceased to be personal data belonging to you.
Such information may continue to be used by Discova for the purpose of operating the Service on behalf of the Controller. In particular, the statistical model used to provide predictive analytics.
For any request or question regarding deletion or amendment of User data, you can contact us at firstname.lastname@example.org
and we shall make efforts to respond and support your request. As mentioned above, you are free to complain to the ICO at any time.
YOUR DATA PROTECTION RIGHTS
Under data protection law, you have rights including:
Your right of access – You have the right to ask us for copies of your personal information.
Your right to rectification – You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
Your right to erasure – You have the right to ask us to erase your personal information in certain circumstances.
Your right to restriction of processing – You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing – You have the right to object to the processing of your personal data in certain circumstances.
Your right to data portability – You have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please contact our DPO at email@example.com if you wish to make a request.
How to complain You can also complain to the ICO if you are unhappy with how we have used your data.
The ICO’s address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. Helpline number: 0303 123 1113
Data retention – Discova
Discova will retain data it processes on behalf of its Users only for as long as required to provide the Service to its Users and as necessary to comply with its legal obligations, resolve disputes and enforce its agreements. The data in Discova is backed up for system continuity purposes and each backup file may be stored for 30 days.
After a (i) request from the User to delete his/her Data or (ii) a deletion of data from the Discova’s interface; (iii) termination of a user account or an organisation from the Discova system, an automated process will begin that permanently deletes the data in accordance with the timelines set forth in the tables below. Once begun, this process cannot be reversed and data will be permanently deleted. Some data will not be deleted and shall be kept in an anonymised manner.
Similarly, Discova collects and retains anonymised and aggregated data (which has ceased to be personally identifiable information and cannot be linked to the User), non-personal metadata and statistical information concerning the use of the Service which are not subject to the deletion procedures in this policy and may be retained by Discova for no more than required to conduct its business or such other permissible analytical and reporting purposes. Some data may be retained also on our third-party service providers’ servers in accordance with their retention policies. You will not be identifiable from this retained metadata or statistical information.
Security and storage of information
We take great care in implementing, enforcing and maintaining the security of the Service, and our Users’ Personal Information. Discova implements, enforces and maintains security policies to prevent the unauthorised or accidental access to or destruction, loss, modification, use or disclosure of personal data and monitor compliance of such policies on an ongoing basis.
The Personal Information is hosted on the Amazon Cloud in London which provides advanced security features and is compliant with ISO 27001 standard, among other certifications, as listed here: https://aws.amazon.com/ compliance/. All Personal Information is stored with logical separation from information of other customers. However, we do not guarantee that unauthorised access will never occur.
Discova shall act in accordance with its policies to promptly notify Customer and/or User in the event that any personal data processed by Discova is lost, stolen, or where there has been any unauthorised access to it subject to applicable law and instructions from any agency or authority. Furthermore, Discova undertakes to cooperate with Customer and/or User (as appropriate and if required by law) in investigating and remedying any such security breach. If any security breach involves Personal Information, Discova shall promptly take remedial measures, including without limitation, reasonable measures to restore the security of the Personal Information and limit unauthorised or illegal dissemination of the Personal Information or any part thereof. Where required by the Data Protection Laws Discova shall self-report breaches to the ICO and affected data subjects.
Discova maintains documentation regarding compliance with the requirements of the law, including without limitation documentation of any known breaches and holds reasonable insurance policies in connection with data security.
The Service may, from time to time, contain links to external sites. We are not responsible for the operation, privacy policies or the content of such sites.
We do not knowingly collect or solicit information or data from children under the age of 16 or knowingly allow children under the age of 16 to register for the Discova Service. If you are under 16, do not register or attempt to register for any of the Discova Service or send any information about yourself to us. If we learn that we have collected or have been sent Personal Information or Personal Data from a child under the age of 16, we reserve the right to delete that Personal Information or Personal Data as soon as reasonably practicable without any liability to Discova from any User. If you believe that we might have collected or been sent information from a minor under the age of 16, please contact us at: firstname.lastname@example.org as soon as possible.
Last Revised: 06.11.20