Privacy Policy

WHO WE ARE
Whilst your legal agreement may be with a different legal entity, depending on your residence, unless notified otherwise, Sphere Health Innovations Limited  (‘we‘, ‘us‘ or ‘our‘) is the controller responsible for processing any personal data you submit to us via our website or mobile application. We are a private company limited by shares, registered in England and Wales (Registration No 12107479) with its registered office at 215-221 Borough High Street, London, United Kingdom, SE1 1JA. Our registration number with the UK’s Information Commissioners’ Office is ZA560959. You can contact us at any time at hello@mysphereapp.com

WHAT WE OFFER
The Sphere mobile application (‘the App‘) is a service offered by us that aims to help users manage stress, anxiety and/or PTSD; it works by using our proprietary technology which is based on neurofeedback and is still in a development phase.(the ‘Service‘).

SCOPE
This Privacy Policy applies to anyone (‘you’‘your’ or ‘yours’) who uses our App. Any personal information, as defined in applicable law, you submit to us through the App will be managed in accordance with this Policy.

ACKNOWLEDGEMENT
By submitting personal data to us you acknowledge and accept the practices described in this Policy. We will endeavour to bring this Policy to your attention every time we ask for your personal information. We will seek your specific consent whenever this is required.

PROCESSING ACTIVITIES

We process the following information:For the following purposes:On the following bases:
Information you provide to us via the App  
Name and email address.

We need these if you want a

more personalised in-App experience and also to able to contact you outside of the App.

To the extent you wish to receive this part of the Service, this information is necessary for the performance of the contract between us (i.e. the App’s T&Cs) (Article 6(1)(b) GDPR).
Date of birth, gender.We need these in order to provide the Service.This is necessary for the performance of the contract between us (i.e. the App’s T&Cs) (Article 6(1)(b) GDPR).
Answers to pre-formulated questions about your health (may include special categories data).We need these in order to provide the Service, and we will need your permission to use this information.We use your explicit permission to use this information which is critical to the delivery of the Service. (Article 9(2)(a) GDPR). Please note that if this or any other information you submit to us is irreversibly anonymised, it shall be longer treated as personal data and this Policy shall not apply to it.
We also need these in order to assess whether the Service is suitable for you to use.It may be necessary to protect your vital interests (Article 9(2)(c) GDPR). Please contact us if you need additional information about this type of information processing.

Information generated when you use the App

Device-specific information such as device model, screen resolution, device memory, OS type and version, IP address, IDFA or AAID, etc.

Information our suppliers give us, such as type of internet connection, approximate location, details of your use of the App and App interaction information such as time spent in App, scrolling, clicks, etc.

We need this information for three broad purposes.

Part of it is necessary to make the App work and safe to use.

Part of it is necessary for us to analyse the App’s performance and to continue to improve it.

Part of it is necessary for us to advertise the App.

This is necessary for the performance of the contract between us (i.e. the App’s T&Cs) (Article 6(1)(b) GDPR).

This is necessary for the purposes of the legitimate interests pursued by us (Article 6(1)(f) GDPR). We need to run analytics (without disclosing your information to any third parties) in the interest of providing a safe and effective Service which we can improve over time by, among others, analysing its usage and user experience.

This is necessary for the purposes of the legitimate interests pursued by us (Article 6(1)(f) GDPR). Your App usage helps us to understand how we can better promote the App and to deliver advertisement (with the help of third parties).

Where the law requires us to seek your permission for analytics, advertising or marketing, we shall seek your consent (Article 6(1)(a) GDPR).

 THIRD PARTY DISCLOSURE
You understand and acknowledge that, in addition to disclosures to any companies in our corporate group, in some circumstances your personal information will be disclosed with third parties as per the below. Please note that no personal and financial information you submit to our third party payment processor is processed by us.

Third party type:For the following purposes:On the following legal grounds:
Suppliers

Including but not limited to:

Google Firebase Cloud Storage: to store data and facilitate the provision of the Service.

This is necessary for the performance of the contract between us (ie the App’s T&Cs) (Article 6(1)(b) GDPR).
 Google Analytics for Mobile Apps: to facilitate the promotion and improvement of the Service.

This is necessary for the purposes of the legitimate interests pursued by us (Article 6(1)(f) GDPR), namely running analytics in the interest of providing a safe and effective Service which we can improve over time by, among others, analysing its usage and user experience.

Where the law requires us to seek your permission for analytics, advertising or marketing, we shall seek your consent (Article 6(1)(a) GDPR).

AdvisorsWe may disclose your personal information to our professional advisors that are usually regulated by a competent authority (solicitors, accountants, etc.) where that proves necessary.This is necessary for the purposes of the legitimate interests pursued by us (Article 6(1)(f) GDPR), namely the proper administration of our business.
AuthoritiesWe may disclose your personal information to the court service or regulators or law enforcement agencies in connection with proceedings or investigations where compelled to do so.To comply with a legal obligation (Article 6(1)(f) GDPR) or in pursuit of our legitimate interests (Article 6(1)(f) GDPR), namely the protection of our business.

 INTERNATIONAL TRANSFERS
All information submitted to us via the App is stored on Google Firebase servers located inside the European Economic Area (‘EEA‘) which is composed of countries offering a high standard of personal data protection, equivalent to the regime applicable in the UK. Nevertheless, due to the very nature of the Internet, your personal data may be accessed or otherwise processed by staff, contractors or third parties outside the EEA in which data protection laws may be of a lower standard than in the EEA. For example, it may be necessary in order to provide the Service for one or more of our employees to access your personal information whilst located in a country outside the EEA (e.g. the United Arab Emirates).  Our employees’ access to your personal data from overseas is not considered a ‘restricted transfer’ under data protection law as your information stays in our control. Nevertheless, regardless of location or whether the person is an employee, contractor or a third party, we will impose the same data protection safeguards that we employ inside the EEA. Whenever required by law, we will also implement ‘appropriate safeguards’ as defined in applicable law, for the protection of your personal data. Please contact us if you would like further details of the specific safeguards applied to the export of your personal data outside the EEA (where applicable).

YOUR RIGHTS
We are committed to guaranteeing the statutory rights of individuals. If you send us a request regarding your rights under data protection law, we will respond within thirty (30) calendar days of receipt and, where possible, address your request within such time. Where necessary, this period may be extended by up to a further sixty (60) days. Please use hello@mysphereapp.com for the exercise of any of your rights:

The right to be informed;The right to access;The right to rectification;
The right to erasure;The right to restrict processing;The right to object to profiling;
The right to data portability;The right to complain to the Information Commissioner’s Office; andThe right to withdraw consent.

Detailed information on the full content of your rights is provided by the United Kingdom’s Information Commissioner’s Office, available here.

Whenever we use our legitimate interests (Article 6(1)(f) GDPR)  as justification for the processing of your personal data, we apply a three-stage test to ensure that our interests are not overridden by your interests and rights under data protection law.

We do not engage in profiling which is capable of producing legal or other significant effects on you.

You are under no statutory or contractual obligation to provide any personal data to us.

 INFORMATION SECURITY
No data transmission over the internet can be absolutely guaranteed to be secure from intrusion. Nevertheless, we and the third parties we deal with maintain physical, electronic and procedural safeguards to protect your personal information in accordance with data protection legislation requirements. As a data controller, we are under an obligation to implement appropriate and commercially reasonable technical and organisational measures to ensure a level of security appropriate to the risk for your fights and freedoms.

All information you provide to us is stored on our suppliers’ secure servers and is encrypted in transit and at rest. You can find more information about the security measures our suppliers have in place here.

RETENTION PERIOD
We shall retain your personal data until you request us to no longer process it by e.g. contacting us or simply deleting your user account. If your personal data becomes irrelevant to the purpose for which it was originally collected then we will delete it on our own initiative. Outdated personal data is periodically and safely deleted in accordance with our internal data retention procedures. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the personal risk or harm from unauthorised use or disclosure, the purpose for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.

Please note the foregoing does not apply to any personal data that has been irreversibly anonymised, meaning data rendered anonymous in such a manner that you are no longer identifiable from such data. Under the applicable law, such data is not deemed ‘personal’ and may be retained by us or our partner(s) indefinitely;

CHANGES
We reserve the right to amend this Policy from time to time. Any changes we make in the future will be published in this section of the App. We therefore encourage you to review this section of the App from time to time. Material changes to this Policy may be notified to you via email or any other means we deem fit.

DATE OF LAST AMENDMENT
22 October 2019