getUBetter - Privacy Policy

getUbetter privacy policy
Updated March 1^st 2024

PLEASE READ THIS POLICY CAREFULLY BEFORE USING getUBetter SERVICES

You must be 18 years or older to use our Services.

Protecting your privacy and personal data is very important to getUBetter (“us”, “our”, “we” or “getUBetter”). It is vitally important to us that our customers feel secure when using our “Services”, as further described in this policy.

About Us

We're getUBetter Limited, a company registered in England and Wales (company number 08330528). Our office is The Old Dairy, Ashton Hill Farm Weston Road, Failand, Bristol, England, BS8 3US, UK. Our VAT number is 191176892. We are responsible for operating this Website and our associated Services, including the processing of your personal data.

Unless stated otherwise in this privacy policy, we shall be the data controller of your personal data.

Summary

This privacy policy, collectively with our terms and conditions in the provision of our Services (as defined below), sets out our responsibility and commitment to protecting the privacy and confidentiality of your personal data. In particular, this policy details the basis on which any personal data we collect from you, or that you provide to us, will be processed by getUBetter when you:

use of our application “getUBetter” and the services available on our iOS or google play application (our “Apps”);
use our “WebApp”, available through our Website;
visit our getUBetter website at getUBetter.com (our “Website”) (more information on how we will process your personal data when you use our Website can be found https://www.getubetter.com/privacy-policy/

(together, the “Services”);

use our clinical portal (you will have access to this if you are an employee or of one of our customer partners or your company has an agreement in place with one of our third party partners); or
sign-up or register for an app and services provided by one of our third-party partners. Please see the 'How is your personal data collected?' section below for further information on our third-party partners and their apps and services.

Please read this privacy policy carefully to understand the types of personal data we collect from you, how we use that personal data, the circumstances under which we will share it with third parties, and your rights in relation to the personal data you provide to us. It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

This privacy policy is provided in a layered format so you can click through to the specific areas below:

The data we collect about you

Processing of sensitive personal data

How is your personal data collected?

How we use your personal data and justification of use

Marketing

Where we store your personal data

Disclosure of your personal data

How long we retain your personal data

Your rights

Change to our privacy policy

Cookies

Contact

What we do

Our Website, Apps, WebApp and the Services available through these methods are provided by us, and we partner with NHS Trusts and other healthcare providers to provide you with access to recovery and prevention self-management guidance and advice and, as appropriate, other health services in your area. To inform you about the services in your area, our Services also contain information provided by third parties. For example, through our Services, you will be able to request treatments with NHS service providers or other local service providers, and, when appropriate we will refer your details to that service provider in accordance with, and as described in, this privacy policy.

You can choose for us to introduce you to any of these services, or there may be links to such third-party websites, application, or plug-ins through our Services. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Please note that these third parties have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal data. When you leave our Website, WebApp or our App, we encourage you to read the privacy policy of every other website you visit.

We also partner with other third-party partners (as further described in the ‘How is your personal data collected?’ section). Where you engage with the services provided by any such third parties which uses our technology, or if we have been engaged by a third party to provide you with the Services, we will be acting as a processor of your personal data, and the relevant third-party will be the data controller. The third-party will have their own privacy policies which will explain how they use your personal data, which we encourage you to read. We do not accept any responsibility or liability for their policies or their processing of your personal data.

The data we collect about you

Personal data means any information about an individual from which that person can be identified.

We explain the different types of personal data we collect, use, store and transfer about you which we have grouped together as follows:

Identity Data: your name, email address and date of birth.
Registration Data: your Identity Data, phone number, contact data, postcode, gender and your GP details (optional).
Recovery Data: the nature of your injury, your recovery progress and yes/no responses to clinically based safety netting questions, and your rating of your recovery from your injury.
NHS Number: the unique number assigned to you by the NHS, which allows healthcare providers to link you to your medical record, make referrals and to identify you in the healthcare system.
Clinical Portal Log-In Data: unique username and password we assign to you for accessing our clinical portal (where applicable).
Technical Data: technical information about the device you use (e.g. your internet protocol (IP) address, device type, network, operating system and mobile browser); and how you use and interact with the App (e.g. page views, journeys through it etc.), specific information, such as your hardware model, operating system version, unique device identifiers, and mobile network information; we do this to ensure, for example, we identify devices not compatible with our app as well as enabling an easier start to use the app; and
Usage Data: information about how you use our Website, Apps and WebApp.

If you do not provide personal data which we request from you, we may be unable to provide you with our defined Services.

Processing of sensitive personal data

The nature of the Services means that, where necessary to act in your best interests, we need to be able to process certain sensitive data about your symptoms and health concerns. Due to its sensitivity, health data has the protected status of “special category data” under data protection law and we are subject to additional compliance obligations to ensure such data is adequately protected. Some of the data you provide to us (including details of your symptoms) will constitute special category data. We explain how we use this data in the below table.

We also collect anonymised aggregated data about how you use our Services. This data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, when lawfully permitted to do so we may aggregate technical data collected from you to calculate the percentage of users accessing a specific feature on our App, or we may create anonymous, aggregated reports such as statistics, ratings, analysis, and reviews that we may provide for research purpose. Your feedback and use of our Services helps improve recovery for you, others and future generations.

How is your personal data collected?

We collect and process the following data about you:

Personal data that you provide to us.

You will be asked to provide us with your personal data when you:

- email us or otherwise get in touch with us;
- register to use our Services;
- use the Services or log-into your account for the App or WebApp;
- report a problem with our Services;
- fill out forms;
- complete any questions in the App or WebApp relating to your recovery (although you do not have to complete these if you do not want to); or
- complete any other questionnaires relating to our Services.
Personal data provided by the NHS. Dependent upon your local service, and whether or not your local clinicians instruct getUBetter to do so, we may collect your NHS Number from the centralised IM1 (NHS) web database. Collection and processing of your NHS Number ensures that any Recovery Data you provide on our App or WebApp links to and updates your individual NHS medical record. This enables you easier access to associated NHS services and offers the NHS your most up to date medical and health information.
Personal data we collect about you with regard to each of your visits to our Apps or WebApp.

We automatically collect technical data about your equipment, browsing actions and patterns and usage data about how you use our Apps or WebApp, as further described in the How we use your personal data and justification of use section below.

Third Parties. We partner with trusted third parties (each a Partner) that offer services and apps that have similar functionality to our App. In this case, our Partner will be responsible for providing you with their services. However, in order to register you with that Partner, we will receive certain personal data about you from our Partner so that we can create you an account to access their services and app.

Please see the How we use your personal data and justification of use section below for further information.

Our Partners will change from time to time. If you would like further information about our current Partners, please contact us using the contact details set out below.

Other than our Partners identified above, we do not receive personal data from other sources.

How we use your personal data and justification of use.

We have data protection compliance procedures in place to oversee the effective and secure processing of your personal data and we will only use your personal data where the law allows us to. Use of personal data under applicable data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the ground in respect of each use of your personal data in this policy. These are the principal grounds that justify our use of your personal data, and most commonly, we will use your personal data in the following circumstances:

Consent: where you have consented to our use of your personal data (you are providing specific, informed, freely given consent, in relation to any such use and may withdraw your consent in the circumstance detailed below by notifying us);
Contract performance: by contract we mean the implied duties and responsibilities we have to the individual service user, so our use of your personal data is necessary for us to perform our contract/implied duties with you;
Legal obligation: there may be circumstances, in carrying out our Services, where we are obliged by law to use your personal data in order to ensure our compliance with legal obligations; and
Legitimate interests: where the processing is necessary for the purposes of legitimate interests pursued by us or a by a third party and our reasons for using it outweigh any prejudice to your rights.

We have set out below, in a table format, a description of all the ways we use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose / activity	Type of Personal Data	Lawful basis for processing
WebApp / App
To provide you with access to our App or WebApp to use our Services and create an account for you	Registration Data	Consent Necessary for our legitimate interests (so we can identify you when you access our Services)
To provide you with our Services on the App and WebApp	Identity Data Registration Data Recovery Data	Consent Performance of a contract with you We also rely on your explicit consent to process your health data for this purpose
As part of our Services, to obtain your NHS Number and link your Recovery Data to your NHS Number so that your medical records are updated to inform your clinician if you have registered to use the App.	Identity Data Registration Data NHS Number	Performance of a contract with you We also rely on your explicit consent to process your health data for this purpose
To support your recovery by sending emails with updates	Identity Data Registration Data	Performance of a contract with you
To connect and refer you to your healthcare providers (including doctors, GP surgeries, hospitals, healthcare providers) (our clients) and local services of your choice on the App or WebApp	Identity Data Registration Data Recovery Data	Performance of a contract with you We also rely on your explicit consent to process your health data for this purpose
To contact you where you have difficulty using the App or WebApp	Email address Recovery Data	Performance of a contract with you We also rely on your explicit consent to process your health data for this purpose
To notify you about changes to our Services	Identity Data Registration Data	Performance of a contract with you
Create electronic versions of documents for you to provide to your practitioner	Identity Data Registration Data Recovery Data	Performance of a contract with you We also rely on your explicit consent to process your health data for this purpose
To remember you so that you don’t have to re-enter your details each time you log in	Identity Data Registration Data	Necessary for our legitimate interests (to ensure we provide you easy access and a great level of service)
For our internal operations, including, data analysis and data statistics	Identity Data Registration Data Technical Data Usage Data	Necessary for our legitimate interests (to administer and improve our Services)
For evaluation of our Services we share with our NHS partners (NECS) identifiable data that they then anonymise to enable aggregated data to track and improve our Services	Identity Data Registration Data Recovery Data Usage Data	Necessary for our legitimate interests (to administer and improve our Services)
Clinical portal
To enable you to access our clinical portal.	Unique username and password	Performance of a contract with you
Our Partners Apps
To register you as a user of our Partner’s app and services and create you an account to access such services	Email address (provided to us by our Partner) Registration Data (provided to us by you when we create an account for you to access the Partner’s services)	Necessary for our legitimate interests (to perform our obligations under our contract with the relevant Partner and to ensure you are able to access and benefit from the use of their app and services)
Website, App and our WebApp
To use data analytics to improve, test and update our Services, Website, App and WebApp, marketing, customer relationships and to monitor its performance and effectiveness	Technical Data Usage Data	Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To administer and protect our business, Website, App and WebApp (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	Identity Data Registration Technical Data	Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) Necessary to comply with a legal obligation
Develop and test new products, services and features	Technical Data Usage Data	Necessary for our legitimate interests (to improve our Services)
For you to participate in clinical research	Identity Data Registration Data Recovery Data	Consent We also rely on your explicit consent to process your health data for this purpose
Improve user experience and the quality of the content available.	Technical Data	Necessary for our legitimate interests (to define types of customers for our Services, keep our Website, App and Webapp relevant, to develop our business and inform our marketing strategy)
To make suggestions and recommendations to you about services that may be of interest to you	Usage Data Technical Data	Necessary for our legitimate interests (to develop our Services and grow our business)
To help us identify and fix defects or errors in our systems	Usage Data Technical Data	Necessary for our legitimate interests (to ensure our Services and systems are running as they should)
To give you reminders, emails or alerts	Identity Data Registration Data	Consent

Marketing

We may use personal data for marketing products and services to you in the following ways:

Types of marketing activity:

Newsletters and marketing emails relating to our own similar services and products, only where you have not opted-out of receiving that marketing.
Newsletters and marketing emails where you have requested this personal data from us, or we have obtained your consent to send you marketing.

We will only use your personal data to send you electronic marketing messages if we have consent from you to do so (or if you are an existing customer and have not opted out of receiving marketing materials).

We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us at any time using the details set out at the end of this privacy policy.

Where we store your personal data

The personal data that we collect from you (including email addresses that form part of our prospective marketing database) are processed only in the UK and stored at a UK data centre. Sensitive personal data between our “Apps” or “Webapp” and our server is transferred in encrypted form using Secure Socket Layer (“SSL”).

Your passwords and data for our Apps, WebApp, Website and our Partners’ apps are stored on getUBetter servers in encrypted form. We do not disclose your account details to any third party. It is your responsibility to keep your password secure. When transmitting sensitive personal data, you should always make sure that your browser can validate the getUBetter certificate. Unfortunately, the transmission of personal data via the internet is not completely secure. Although getUBetter will do its best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website, any transmission is at your own risk. Once we have received your personal data, we will use strict procedures and security features to try to prevent any unauthorised access.

Transfers of personal data outside of the UK

We do not actively share any personal data outside the UK.

In the unlikely event where we need to send your data outside the UK, we will ensure that any such transfers are only undertaken following an assessment of the level of protection afforded in the receiving country or jurisdiction, and will put in place the international data transfer agreement (“IDTA”) or UK addendum to the new EU Standard Contractual Clauses (“UK Addendum”) to ensure that your data is protected with the appropriate technical and organisational controls.

Disclosure of your personal data

We may also disclose your personal data to the following third parties for the purposes specified in the above table:

Our service providers and healthcare partners: including doctors, GP surgeries, hospitals, healthcare providers.
Analytics providers, such as Health Care Providers analytics teams (to assist us in the evaluation, improvement and optimisation of the Service App and Website).
If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
If getUBetter is acquired by a third party, personal data about our customers will be one of the transferred assets. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property, or safety of getUBetter, our customers, or others. This includes exchanging personal data with other companies and organisations for the purposes of fraud protection.
We may disclose certain data to organisations involved in clinical trials and other types of research where you have authorised us to do so.
We may disclose your personal data to third parties, the court service and/or regulators or law enforcement agencies in connection with proceedings or investigations anywhere in the world where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless not permitted to do so by applicable law.

We will not sell your personal data (or any other data you provide us with) to third parties, however, we reserve the right to share any data, which has been anonymised and/or aggregated. You acknowledge and accept that we own all right, title and interest in and to any derived data or aggregated and/or anonymised data collected or created by us.

How long we retain your personal data

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

Our retention periods reflect the NHS Records Management Code of Practice for Health and Social Care 2016 and also based on business needs and your personal data that is no longer needed is either irreversibly anonymised (and the anonymised personal data may be retained) or securely destroyed.

Please get in touch using the details set out below if you require further information about our retention periods.

Your rights

Under data protection legislation, you have various rights in relation to your personal data. All of these rights can be exercised by contacting us at contact@getUBetter.com.

You have the following rights in relation to your personal data:

Right to request access to your personal data
- This is commonly known as a “data subject access request”. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
Right to Rectification
- This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
Right to erasure / ‘Right to be forgotten’
- This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below).
Right to restriction of processing
- You have the right to ask us to suspend the processing of your personal data at any time in the following scenarios:
  - If you want us to establish the data's accuracy.
  - Where our use of the data is unlawful but you do not want us to erase it.
  - Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
  - You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it
Right to data portability
- You have the right to request that getUBetter provides you with a copy of your personal data and to transmit your personal data to another data controller in a structured, commonly used and machine-readable format, where it is technically feasible for us to do so. Note this right only applies to automated personal data which you initially provided consent for us to use or where we used the personal data to perform a contract with you.
Withdraw consent at any time where we are relying on consent to process your personal data.
- However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you of this is the case at the time you withdraw your consent.
Right to object to processing
- You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your personal data which override your rights and freedoms.

Where you request getUBetter to rectify or erase your personal data or restrict any processing of such personal data, getUBetter may notify third parties to whom such personal data has been disclosed of such request. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons, for example, the NHS may ask us to retain some data for legal purposes. Additionally, such third parties may have the right to retain and continue to process such personal data in its own right, for example doctors, GP Surgeries, Healthcare professionals, local health related services or Hospitals.

Asking us to stop processing your personal data means that, dependent upon our defined responsibility as data controller or data processor as per your Health Care Provider we will need to notify your Health Care Provider of your request. Your Health Care Provider Organisation has the legal responsibility to maintain a record of care provided so, ultimately, has the authority to respond to your request. On receipt of your request, getUbetter will acknowledge the request and keep you informed of the Health Care Provider's instructions. Where authority to stop processing your data is received, getUBetter will anonymise all identifiable data whilst retaining storage of the anonymised data on secure cloud-based data servers, which shall only be used for aggregate data analysis. Asking us to stop processing your personal data or deleting your personal data will likely mean that you are no longer able to use getUBetter Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete, which may result in you no longer being able to use the Services. We will notify you if this is the case at the time.

Automated decision-making

Automated decision-making takes place when an electronic system uses your personal data to make a decision without human intervention.

If we make an automated decision on you (and using your health data), we will obtain your explicit written consent and we will put measures in place to safeguard your rights. Automated decision-making is used on our App and WebApp to ensure we generate appropriate responses to any Recovery Data you submit (for example, if it appears that your symptoms have got worse, we may recommend that you contact your GP).

Changes to our privacy policy

Any changes we make to our privacy policy in the future will be posted on this page, and where appropriate, notified to you by email or notifications via the App or our Partner’s app (as applicable). We therefore encourage you to review it from time to time to stay informed of how we are processing your personal data.

Cookies

A cookie is a small file of letters and numbers that we or third parties may store on your browser or device. We use them to identify and distinguish you from other users of our services, which helps to provide you with a better experience.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

Website

Our services are made available to individual users via the getUBetter mobile apps and webapp applications. This Privacy Policy reflects our responsibility to individual users in these applications. Our website, which has a marketing, thought leadership and information share purpose, is hosted and managed in a different environment. How we collect and use this data is described in an additional sub privacy policy found via this link.

Complaints

We encourage you to contact us first if you have any queries, comments or concerns about the way we handle your data (our details are in the section immediately below). We will try to put things right.

However, if you are not satisfied with our handling of any request by you in relation to your rights or concerns, you also have the right to make a complaint to a data protection supervisory authority, which, if you are based in:

the UK, is the UK's Information Commissioner's Office ("ICO"). You can contact the ICO at: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF; 0303 123 1113; or https://ico.org.uk/; or
if you are not based in the UK and are based in Europe, you can contact your local representative, details of which can be found here.

Contact

We are committed to continually developing and promoting our compliance with the UK GDPR and data protection standards. You are welcome to contact us at contact@getUBetter.com if you have any questions, comments and requests regarding this privacy policy. For the purpose of the relevant data protection legislation, our data protection officer is Carey McClellan.

When contacting us we strongly recommend you don't email us confidential or personal data (unless otherwise requested by us, for example, where you’re exercising one of your data subject rights and we need to verify your identity).

getUbetter privacy policy Updated March 1st 2024

getUbetter privacy policy
Updated March 1^st 2024