mySymptoms Privacy Policy and Notice

Effective date: 16 March 2022

Changes: Addition of 'Representation for data subjects in the EU' section.

Introduction

The primary purpose of the mySymptoms Consumer App is to enable users to monitor their food intake and symptoms, then to share their symptoms and other data inputted into the Consumer App with their clinician if they choose to do so.  

The Consumer App provides you with two account types - an Anonymous Account and an Identified Account.

All new Consumer App accounts default to Anonymous Accounts. Only if you opt to share your diary data using mySymptoms’ “Share Diary with Clinician” feature does your account change to an Identified Account.

Anonymous Accounts

The Consumer App seeks to operate on an anonymised basis for Anonymous Accounts, meaning it is not designed to store or process your personal data in a form that identifies anyone.

For Anonymous Accounts, SkyGazer Labs seeks to operate on the basis that it does not process your personal data. To do this, we require that your account is registered with an anonymous username, unique to mySymptoms, that doesn’t personally identify you. Furthermore, personally identifiable data must not be entered into the Consumer App. Both of these conditions are put in place to protect your privacy.

Identified Accounts

If you opt to share your diary data with a clinician by using the “Share Diary with Clinician” feature within the Consumer App, you will be asked to complete a form including your first and last names, along with your email address. This personal information is then stored on our platform; such data is classified as ‘personally identifiable health information.’

General Use

Any data you enter into the Consumer App is stored securely in your account and is only accessible to you when logged in to your account using your username and password. Optionally, you can also share or revoke access to your data with your clinicians at any time.

SkyGazer Labs has put in place more stringent security, data access procedures, and breach reporting procedures to protect your data and to comply with the appropriate data protection regulators in your country.

It is always sensible, though, to explain how we would process personal data, so in circumstances where certain personal data may be processed, this policy will apply.

Please read this Privacy Policy carefully together with our Terms and Conditions to understand our policies and practices regarding your Personal Data (as defined below) and how we will treat it.

This Privacy Policy applies to the website https://skygazerlabs.com (“Website”) and the associated ‘mySymptoms’ consumer mobile application (“Consumer App”) hosted on the Apple iTunes Store, Amazon App Store and Google Play (“App Store”), and the Clinic web application (“Clinic App”), (together, the “Platform”, “Services” or “Apps”) which are operated by SkyGazer Labs Ltd. (collectively, “mySymptoms”, “we”, “our” or “us”). This Privacy Policy also applies to SkyGazer Labs’ employees.

Important Information and Who We Are

The data controller is SkyGazer Labs Ltd., a company registered in England and Wales under number 07287061 with its registered office at Lakin Rose, Pioneer House Vision Park, Histon, Cambridge, Cambridgeshire, United Kingdom, CB24 9NL.

By using the mySymptoms Platform or Services, you consent to the data practices described in this Privacy Policy. If you do not agree with any part of this Privacy Policy, then we cannot make our Platform or Services available to you and you should stop accessing and using them.

This Privacy Policy explains how we collect and use your Personal Data and is provided in accordance with our obligations under applicable privacy and data protection law in force from time to time (i) in the UK, including the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) and the Data Protection Act 2018 (collectively the ‘UK GDPR’), and (ii) the Health Insurance and Accountability Act (‘HIPAA’) in the U.S. (“Applicable Data Protection Law”).

For the purposes of this Privacy Policy:

For the purposes of Applicable Data Protection Law, SkyGazer Labs Ltd. is a data controller and processes personal data.

Information We Collect and How

Operation of Our Platform and Services

When you use our Platform and Services, we may collect certain Personal Data and information that can be used to identify you.

When the Consumer App is used with an Anonymous Account, the information you upload will not be considered Personal Data so long as you upload your information using a username which does not enable you to be identified, and you provide no other personal information that identifies you.  Your anonymised personal information is stored on our provider’s servers in Ireland.

If you request your information to be shared with clinicians or other healthcare professionals, your information will be securely shared from servers in Ireland to the Clinic App. Following your request, the clinician will receive an invitation from the Consumer App. Only those clinicians you have opted to share your diary data with will be able to view your de-anonymised information, along with mySymptoms Support Staff as and when support on your account is required. If you choose to share your information with your clinician, you need to agree with your clinician that they may process your Personal Data, and they will be considered the Data Controller for the information that is then in their possession under the UK GDPR, or a Covered Entity or Business Associate under HIPAA, as appropriate. You must be satisfied that your clinician will hold and lawfully process your Personal Data in a way acceptable to you; we cannot control their use once you share your data.

We may also collect Personal Data automatically, or from third-party partners or services.  The Personal Data we collect includes:

Basic Identifiers and Contact Information

For Consumer App users, if you choose to share your diary with your clinician, at the point of sharing we will ask you for your first and last names, along with your email address. For Clinic App users, we collect your name, email address, phone number, postal address and web site at the point of registration.

We collect some information from you when you provide it to us directly, such as via an email or online form, through the support feature embedded in our Services, or through another form of inquiry. This information may include your name, email, and phone number as well as other personal identifying information. Please note that any such personal information that we collect is stored separately from, and not linked with, your Consumer App Account.

We may also invite you to join our email list for marketing purposes. Any personal information gathered for marketing purposes will not be linked to Consumer App accounts.

Device Information

When you download and use our Services, we automatically collect information on the type of device you use, operating system, resolution, application version, language, time zone and IP address.  We use Google Adsense to serve adverts which collect mobile device identifiers (such as your device ID, advertising ID).

Usage Information

We collect information automatically about your activity through our Services, such as the date and time you used a service, features you have used, your in-app purchases history, subscriptions, your interaction with advertisements, and data generated when you use our Services.

Location and Other Information

We may collect, with your consent, other information such as precise geolocation (latitude and longitude) using information including GPS, Bluetooth or Wi-Fi connections.

Information we obtain from third parties

We may receive information about you from our third party service providers (principally Google Analytics), who collect this information through our Services in accordance with their own privacy policies.

Health data and special category data

The information you provide when using our Services may include health-related information such as details of symptoms, medications, dietary information, personal notes or any other information uploaded to the Platform.  Such categories of data may be considered Special Categories of Personal Data for the purposes of the Applicable Data Protection Law.

Specifically, our software and business processes are designed to meet the requirements of EU and UK GDPR Special Category: Health regulations, and US HIPAA regulations.

For our Consumer App users with Anonymous Accounts, as noted in our Terms of Use, it is your responsibility to upload your information in a way that does not reveal your personal identity.  The username you choose to interact with our Platform and Services must not enable you to be identified.

For our Consumer App users with Identified Accounts, if your data is covered by HIPAA, by agreeing to these terms you are agreeing that any notices required under HIPAA may be delivered by email, to the address we hold on your account.

For our Clinic users who are HIPAA covered entities, we are able to offer a HIPAA Business Associate agreement. Please contact clinic@mysymptoms.net for more information.

Aggregated Anonymised Data

The anonymised information we collect from you may be combined with the information provided by other anonymous users to produce aggregated anonymised data sets for research purposes.  We refer to this combined data as “Aggregated Data.”  Aggregated Data is not considered to be Personal Data as it does not identify anyone.

Aggregated Data may be used for the operation of the Platform and the Services we provide to you, and to provide general statistics regarding use of our Platform and Services. We may also use such anonymised Aggregated Data and provide it to third parties for medical research purposes.

However, if you or we combine or connect Aggregated Data with any of your Personal Data that enables you to be directly or indirectly identified, we will treat such data as Personal Data to be used in accordance with this Privacy Policy.

Use of Cookies and Google Analytics

The mySymptoms Platform may use “cookies” and similar technologies to provide and personalise our Services.  These include a cookie for the Clinic App, a cookie for the mySymptoms website and a Google token for the Consumer App. A cookie is a text file that is placed on your hard disk by a web page server. Cookies cannot be used to run programs or deliver viruses to your computer. Cookies are uniquely assigned to you, and can only be read by a web server in the domain that issued the cookie to you. Our Platform uses cookies and similar technologies to distinguish you from other users of our Platform. This helps us to provide you with a good experience when you browse our Platform and allows us to improve our Platform. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of the Platform may become inaccessible or not function properly. For more information about the cookies we use, please see https://skygazerlabs.com/wp/cookie-policy/.

We use Google Analytics. The information generated by the Google Analytics cookie (including your IP address) will be transmitted to and stored by Google on servers in the United States. Google will use this information for the purpose of evaluating your use of our websites and/or services, compiling reports on activity and providing other services relating to activity and internet usage.

Google may also transfer this information to third parties where required to do so by law, or where third parties process the information on Google’s behalf.

Providing Personal Data to Third Parties

You should be aware that when using our Platform and Services, you are providing your Personal Data to third party providers.  The charges for using our Platform and Services are administered by the App store you use to download our Apps and Services (e.g. Apple iTunes Store, Amazon App Store and Google Play).  We recommend that you refer to the privacy policy of the relevant App store to make sure you understand how your Personal Data, including your financial Personal Data, may be used when you purchase Apps and Services.

Children Under Fourteen

We do not knowingly collect personally identifiable information or Personal Data from children under the age of fourteen. We ask for age confirmation in using the app and if you are under fourteen you should not use our app without involving a parent or guardian. If you are a parent or guardian and wish to use the app for someone under the age of fourteen, you may do so in compliance with our Platform and Services Terms and Conditions; we rely on your consent to comply with our terms and this policy.

Purposes For Which We Will Use Your Personal Data

We may collect and use your personal information and Personal Data to operate our website and Platform, and to provide the Services you have requested.

The legal bases we rely upon to use your Personal Data may include the contract we have with you, your consent and our legitimate interests, or where we need to comply with a legal or regulatory obligation.  Please contact us if you require further details concerning the specific legal ground(s) we are relying on to process your Personal Data.

We will only use your Personal Data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.  If we need to use your Personal Data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

We offer here non-exhaustive examples of the ways in which we use your Personal Data and the legal bases we may rely upon to do so:

Purposes for Which We Will Share Your Personal Data

We may share your Personal Data for certain purposes with our business parties or affiliates in accordance with Applicable Data Protection Law, as set out below.  

Sharing with our service providers and partners

We may share your Personal Data with our third party business service providers who perform functions on our behalf.  These may include:

Advertising

We may use Google Adsense which provides ads in our mobile and web apps:

Note: we do not disclose any personal information to advertisers, and we do not ourselves sell personal data to advertisers.

For corporate transactions

We may transfer your Personal Data if we are involved, whether in whole or in part, in a merger, sale, acquisition, divestiture, restructuring, reorganisation, dissolution, bankruptcy or other change of ownership or control.

When required by law

We may also share Personal Data if we are under a duty to disclose or share your Personal Data in order to comply with any legal obligation, or to protect the rights, property, or safety of our business, our customers or others.

To enforce legal rights

We may also share Personal Data: (i) If disclosure would mitigate our liability in an actual or threatened lawsuit; (ii) as necessary to protect our legal rights and legal rights of our users, business partners or other interested parties; (iii) to enforce our agreements with you; and (iv) to investigate, prevent, or take other action regarding illegal activity, suspected fraud or other wrongdoing.

Cross-border data transfers

Sharing of Personal Data sometimes involves cross-border data transfers, including transfers outside of the EEA in accordance with the law. We only transfer Personal Data where you direct us to do so or, where we do so for other reasons, to entities in third countries that have provided appropriate safeguards to ensure that their level of data protection is in agreement with this privacy policy and applicable law, deemed by the European Commission or UK Government to provide sufficient safeguards for Personal Data.

We will ask for your consent before transferring your Personal Data outside of the EEA.  You may provide your consent by clicking the ‘consent box’ which will appear on the Consumer App interface when you make a request which requires any such transfer of your Personal Data outside of the EEA.

Data Security

We have put in place appropriate security measures to prevent your Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.

Your passwords are stored in the mySymptoms’ database in encrypted form. We do not disclose your account details or email addresses to anyone except when legally required to do so. However, it is your responsibility to keep your password secure.

For Anonymous Accounts, you must ensure that the username you create to upload your data to the Consumer App does not enable your data to be personally identified.  If you request your information to be shared with clinicians or other healthcare professionals, your information will be securely shared from servers in Ireland to the Clinic App. 

Wherever data is stored, either on a mobile device or on our servers, it is encrypted to protect your privacy.

All data is encrypted in transit between the mobile app or web browsers and our servers, and internally between our servers.

Our server log files do not contain any personally identifiable health information.

Information between your browser/App and the Platform is transferred in encrypted form using Secure Sockets Layer (SSL). When transmitting sensitive information, you should always make sure that your browser can validate the Platform’s certificate.

We limit access to your Personal Data to those employees, agents, contractors and other third parties who have a business need to know.  We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Data Retention

We will retain your Personal Data only for as long as is necessary for the purposes set out in this Privacy Policy. We will retain and use your Personal Data to the extent necessary to comply with our legal obligations (for example, if we are required to retain your data to comply with applicable laws), resolve disputes, and enforce our legal agreements and policies.

We will keep your Personal Data for at least six years from the date of the last interaction for insurance and liability purposes.  Should you opt out of using our Services you will be able to re-join and access your Personal Data within six years.

The retention of your Personal Data will be reviewed regularly and at least every six years for relevance. Any Personal Data deemed no longer relevant is deleted.

Where we have taken steps to anonymise your personal data (so that it can no longer be associated with you) we may use this indefinitely for analytical, research and statistical purposes and to help us to improve our products and services.

Your Rights

Your right to withdraw consent at any time

Whenever we rely on your consent to process your Personal Data, you have the right to withdraw your consent at any time. If you wish to withdraw your consent, please contact SkyGazer using the contact details provided at the end of this privacy policy. This will not affect the lawfulness of any processing carried out before you withdraw, nor ongoing contractual or other obligations requiring us to process data, for example due to a court-ordered law enforcement request.

Your right to access the Personal Data we hold about you

You have the right to make a request to access your Personal Data collected through our Platform and Services (known as a “Data Subject Access Request” or “SAR”).

We aim to respond electronically to all SARs within one month.  In circumstances where it may take us longer than one month to respond (for example if your request is particularly complex or if you have made a series of requests), we will notify you.  We do not charge a fee for responding to a SAR.  However, we may charge a reasonable fee if your SAR is manifestly unfounded or excessive.

Other rights

Right of rectification – You have the right to ask us to rectify Personal Data you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Right to erasure – You have the right to ask us to erase your Personal Data in certain circumstances.

Right to restriction of processing – You have the right to ask us to restrict the processing of your Personal Data in certain circumstances.

Right to object to processing – You have the right to object to the processing of your Personal Data in certain circumstances.

Right to data portability – You have the right to ask that we transfer your Personal Data to another organisation, or to you, in certain circumstances.

Opt-Out & Unsubscribe

We respect your privacy and give you an opportunity to opt-out of receiving announcements of certain information. Users may opt-out of receiving any or all communications from us by contacting us or selecting the “Unsubscribe” option on their email.  

Representation for data subjects in the EU

We value your privacy and your rights as a data subject and have therefore appointed Prighter Group with its local partners as our privacy representative and your point of contact.

Prighter gives you an easy way to exercise your privacy-related rights (e.g. requests to access or erase personal data). If you want to contact us via our representative Prighter or make use of your data subject rights, please visit the following website: https://prighter.com/q/13990424787

Changes to this Privacy Policy

We may occasionally update this Privacy Policy to reflect company and customer feedback and any changes in data protection regulations. We encourage you to periodically review this Privacy Policy to be informed of how we are protecting your information.

Contact Information

SkyGazer Labs Ltd welcomes your questions or comments regarding this Privacy Policy. If you believe that we have not adhered to this Privacy Policy, please contact us at privacy@skygazerlabs.com.

SkyGazer Labs Ltd
Lakin Rose
Pioneer House
Vision Park
Histon
Cambridge
CB24 9NL
United Kingdom

Questions, comments and requests regarding this privacy policy are welcome and should be addressed to privacy@skygazerlabs.com.

We ask that you try to resolve any issues with us first, although you have a right to lodge a complaint with the Information Commissioner's Office (ICO) at any time about our processing of your personal information.

The ICO is the UK regulator for data protection and upholds information rights.

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Telephone: 0303 123 1113
Fax: 01625 524510