Date Last Modified: 18/5/2018
SiSU Wellness Ltd (the Company)
This document also describes how we, as a data controller, may collect, use, share and protect the information we that we obtain about you directly or indirectly in accordance with applicable data privacy laws and what choices you have about how this information is used.
Should you have any questions about this policy or our privacy practices, please email us on email@example.com or write to us at: SiSU Wellness Ltd, Data Privacy and Security, 35 Kingsland Road, London, E2 8AA, UK.
- What Personal Data We Collect and How We Collect It (including cookies)
- Legal Basis for Usage of Your Personal Information
- What We Do With Your Personal Data and Why We Collect It
- Disclosure of Personal Data to Third Parties
- How We Protect Information Online
- How You Can Access and/or Correct Your Personal Data
- Disclosure of Personal Data Outside of the European Union
- Your Legal Choices and Rights.
- Retention, Account Deactivation and Deletion
- Links to Third Party Sites
- Requesting Further Information and Making a Complaint
- Who We Are
What Personal Data We Collect and How We Collect It
A) Provided by You
The Company will collect information that identifies you (Personal Data) when you voluntarily provide it to us through the use of any of our Services. For example, when you choose to register via our online health portal (website) or use our biometric health station, we may ask you to provide personal information, such as your name, telephone number, date of birth, gender and email address. We may collect information that will allow you to establish a username and password.
We collect information that you provide to us, including when you communicate with us via email or other channels, when you sign up for or request that we send you newsletters, alerts, or other materials, when you sign up for a webinar or event, or when you respond to our communications or requests for information. We may collect personal data about your other dealings with us, including any contact we have with you in person, by telephone, email or online.
In addition, we also collect sensitive biometric and lifestyle related health information through our health station tests or online portals such as health, weight, height, blood pressure, heart rate, and body fat percentage (please see the section below titled ‘Sensitive Personal Data’).
We may collect further information that you voluntarily provide to us through responses to questionnaires and self-assessments, or communicate with us via email or other channels, or sign up for or request that we send you newsletters, alerts, or other materials, or sign up for a webinar or event, or respond to our communications or requests for information. We may collect personal data about your other dealings with us, including any contact we have with you in person, by telephone, email or online.
Individuals may deal with the Company on an anonymous basis or using a pseudonym when making inquiries to the Company. However, the Company may require certain contact details or other information from individuals to respond to these inquiries.
In some circumstances, we may also request Personal Data that includes financial information, such as your credit card details. Financial information will be transacted online via trusted third-party transaction gateways, and will never be stored by the Company.
Personal Data may also be collected through use of a Fitbit or other like devices (Wearables) when you connect your device to our Services. The Personal Data collected through Wearables may include sensitive personal information such as gender, weight, date of birth, plus activity-related information such as heart rate, number of steps, and calorie-intake (please see the section below concerning Sensitive Personal Data).
B) Unsolicited Personal Data
C) Social Media
We may also gather information about your general Internet usage. This non-personal information is not connected to any Personal Data you provide us and it cannot be used to identify you. We use it for statistical reasons only. For example, we may use it to analyse broad audience profiles - like what region you are from. This statistical data is anonymous and aggregated. Through this process we do not gather or disclose any of your Personal Data.
The cookies we use remain on your device for differing times. Some expire at the end of each session and some remain for longer so that when you return to our use our Services, you will have a better user experience.
We use the _utmz cookie which expires after 26 months
We collect standard internet log information and details of visitor behaviour patterns by using Google Analytics cookies. We do this to compile reports and to help us find out things such as the number of visitors to the various parts of our website, so that this can be improved. We will not associate any data gathered in this way with any personal data from any source. For more information about Google Analytics cookies please see https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage?csw=1.
We use a Marketo cookie to help us track anonymous website usage which lasts 2 years.
Most browsers are initially set to accept cookies, however you can adjust the settings on your browser to block any or all cookies if you wish. This can easily be done by activating the browser settings on your computer or handheld device and selecting reject cookies. Please be aware though that if you disable cookies, you may not be able to access some of our Services. To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, visit www.allaboutcookies.org which includes information on how to manage your settings for the major browser providers.
E) Location Data
Location data may be collected by the Company when you use our mobile application and health stations and stored to improve the overall functionality of the Service. The level of location information you provide may be varied in the app settings, including being active all the time, only when the app is in use, or not at all.
F) Sensitive Personal Data
From time to time, we may request the collection of sensitive information (Sensitive Personal Data) about you in order to provide our Services, such as information about your health or ethnicity. Sensitive Personal Data, also known as ‘Special Category Data’ and is a subset of Personal Data. Special rules apply to the handling of Sensitive Personal Data.
We require your explicit consent to collect and process your Sensitive Personal Data. Please see the sections below entitled ‘What We Do With Your Personal Data’ and ‘Why We Collect It’ which provides more details about consent where you have granted this to us.
Legal Basis for Usage of Your Personal Information
Where we intend to use your personal data, we rely on the following legal grounds:
Performance of a Contract: We may need to collect and use your personal data to enter into a contract with you or to perform a contract that you have with us. For example, to provide you with: our products and services, health checks at our health stations, health risk appraisals online, lifestyle coaching, and provision of relevant health content, and where we respond to your requests and provide you with services in accordance with our terms and conditions (https://www.sisuwellness.com/terms-of-use-eu/) or other applicable terms of business agreed with you or with your employing organisation.
In Our or a Third Party’s Legitimate interests: Where we consider use of your information as being (a) non-detrimental to you, (b) within your reasonable expectations, and (c) necessary for our own, or a third party’s legitimate purpose, we may use your personal data, which may include:
- for our own direct marketing or continued communication;
- the prevention of fraud;
- our own internal administrative purposes;
- personalisation of the service(s) we provide to you;
- ensuring network and information security, including preventing unauthorised access to electronic communications networks and stopping damage to computer and electronic communication systems; and
- reporting possible criminal acts or threats to public security to a competent authority.
Compliance With a Legal Obligation: We may be required to process your information due to legal requirements, including tax laws and other regulatory provisions applicable to the Company as a provider of health assessment and health improvement services.
Consent: We will only ask you for your consent to process your personal information if there is no other legal reason to process it. If we need to ask for your consent, we will make it clear that this is what we are asking for, and ask you to confirm your choice to give us that consent.
You may be asked to provide your consent in connection with certain Services that we offer, for example in respect of any processing of your personal data for the marketing of third party products that we consider may be of interest to you. We are also legally obliged to gain your explicit consent in respect of your Sensitive Personal Data, due to the sensitive nature of such information and/or the circumstances in which it is gathered or transferred.
If we cannot provide a Service without your consent (for example, we cannot provide the results to your health station tests without health information), we will make this clear when we ask for your consent. Where we are reliant upon your consent, you may withdraw this at any time by contacting us at firstname.lastname@example.org or by using the details set out below, however we will no longer be able to provide you with the Service that relies on having your consent.
What We Do With Your Personal Data and Why We Collect It
A) Internal Uses
We may use your Personal Data within the Company:
- to provide you with the Services and products you request;
- to assist with your questions about our Services, billing (where relevant), payment methods (where relevant) or use of our website, mobile app or health stations;
- to process or collect payments made in connection with our Services;
- to carry out our obligations arising from any contracts entered into between us;
- to maintain and develop our relationship with you;
- to evaluate our Services and products and to conduct customer surveys;
- to improve our Services via internal research and development;
- to maintain and update our records including our database of contacts;
- for our business purposes, including data analysis, submitting invoices, detecting, preventing, and responding to actual or potential fraud, illegal activities, or intellectual property infringement;
- as we believe reasonably necessary or appropriate to: comply with our legal obligations; respond to legal process or requests for information issued by government authorities or other third parties; or protector your, our, or others’ rights; and
- for direct marketing purposes as set out in section B) below.
We may also use your information within the Company, to send you information relating to your use of the Company Services.
B) Direct Marketing
We can only use your personal information to send you marketing material if we have your permission or a legitimate interest as described above.
We may use your personal information to send you marketing by post, by phone, through social media, by email and by text.
For our legitimate interests, in order to support the Services we provide to you, we may provide you with information and services on an ongoing basis, including relevant marketing communications related to the Company, and other information or materials, that you request from us or which we feel may interest you where you have indicated that you would like to receive these from us.
If you don’t want to receive emails from us, you can click on the ‘unsubscribe’ link that appears in all emails we send. Otherwise, you can always contact us update your profile information on our website in accordance with the section titled ‘How You Can Access and/or Correct Your Personal Data’ below or by contacting us at email@example.com to update your contact preferences.
You have the right to object to direct marketing and profiling (the automated processing of your information to help us evaluate certain things about you, for example, your personal preferences and your interests) relating to direct marketing. Please see the section about your rights for more details.
If you provide Personal Data or any loyalty program number that has been issued to you for the purposes of any promotions offered in connection with the Services either by the Company or a third party, this information may be passed back to the owner of the promotion to apply rewards and improve your overall customer experience.
If at any time we intend to change the purpose for which we hold your Personal Data, for example to offer you with a complimentary service that we may provide in the future, we will give you prior information of that new purpose so you are aware of this.
Disclosure of Personal Data to Third Parties
We will not give, sell, rent, loan or otherwise disclose any Personal Data to any third party, unless:
- you have authorised us to do so;
- it is for direct marketing purposes as set out above;
- such sharing is provided for under contract, including our terms and conditions (https://www.sisuwellness.com/terms-of-use-eu/) for any particular service that we may provide to you;
- it is for the purposes of a contest, loyalty program and/or competition conducted via our Services;
- we are legally required to do so, for example, in response to a subpoena, court order or other legal process;
- we need to enforce or apply our terms and conditions (https://www.sisuwellness.com/terms-of-use-eu/) to which you have agreed (or other terms that have been agreed to apply to our relationship with you or your employing organisation);
- it is necessary to protect the rights and interests, property, or safety of the Company, our clients or others;
- our agents or contractors who assist us in providing our services require such information, for example in fulfilling requests for information, receiving and sending communications, updating marketing lists, analysing data, providing support services or in other tasks from time to time. Our agents and contractors will only use your information to the extent necessary to perform their functions;
- all, or most, of the assets of the Company or any single business unit within the Company are merged with or acquired by a third party, or we expand or re-organise our business, in which case your personal data may form part of the transferred or merged assets.
We use third party service providers to provide services that involve data processing, for example web-hosting, analytics providers in connection with the operation of our Services, auditing, research, client contact, data processing, and marketing services. [A full list of such service providers can be found at https://www.sisuwellness.com/sub-processors/. This link may be updated from time to time as we change, add or update our suppliers, so we would encourage you to periodically check this list for any changes that may have been made].
All information collected by the Company will be stored by a secure third-party web host under a service agreement with the Company. Your email address and some personal information will be stored with our email providers under a service agreement with the Company.
How We Protect Information Online
We take steps to hold information securely in electronic or physical form and hold ISO 27001 accreditation for our information security systems.
Our information security policy is supported by a variety of processes and procedures, and we store information in access-controlled premises or electronic databases requiring logins and passwords. It is our policy to protect your account information against unauthorised access or release. All the information you provide to us is handled through a Secure Socket Layer (SSL). SSL is a leading Web technology that encrypts your account information. If you register on-line or via any of our health stations we use 128-bit encryption when we ask for or provide personal or confidential information. Please exercise caution when sending information via email, as email messages do not have the security features that are built into our website.
In addition, we have procedures that limit ‘the Company' employees’ and contractors' access to personal information. Only those employees and contractors with a business reason to know have access to such information. We educate our employees about the importance of confidentiality and customer privacy through standard operating procedures, mandatory training programs, and internal policies on data privacy and corporate integrity. We take appropriate disciplinary measures to enforce employee privacy responsibilities.
Once we have received your Personal Data, we will take reasonable steps to use procedures and security features to try to prevent unauthorised access, modification or disclosure.
How You Can Access and/or Correct Your Personal Data
If you register or use our Services, you may review and correct, as needed, the registration information you provide by visiting the website.
You are able to update and keep all your information accurate via our website. For this reason we recommend you do not share your Personal Data with anyone or allow them to access your personal details and health information. Please contact us immediately if you believe your Personal Data is incorrect and you are unable to correct it or it otherwise needs to be corrected or has been viewed or accessed by anyone but you without your consent at firstname.lastname@example.org.
Disclosure of Personal Data Outside of the European Union
Where you are submitting personal data from within the European Economic Area (“EEA”), such information may be transferred to countries outside the EEA. By way of example, this may happen if one or more of our third-party service providers with whom we share personal data in accordance with the section titled ‘Disclosure of Personal Data to Third Parties’ are located, or have their servers located, outside your country or the country from which the data were provided. If we transfer your information outside the EEA in this way, we will take steps to ensure that your privacy rights continue to be protected.
Your Legal Choices and Rights
You can request:
- access to the personal data we hold about you
- corrections or updates to your details;
- the erasure of your personal data;
- the portability of personal data that you have provided to us in a structured, commonly used and machine-readable format.
You also have the right to object to, or request the restriction of, our use of your personal data.
If you would like to exercise any of the rights set out in this section, please contact us at email@example.com or using the details below. We may refuse to provide access where we have legitimate reasons for doing so under applicable data privacy laws, and in exceptional circumstances may charge a fee for access if the relevant legislation allows us to do so, in which case we will provide reasons for our decision.
Retention, Account Deactivation and Deletion
You may delete your account at any time by sending us an email at firstname.lastname@example.org with the subject titled “Delete Account”.
Remember that even after your account is deleted, your email address will still be held by us in a suitably secure/pseudonymised way in order to comply with the law, to avoid any other person attempting to fraudulently use your contact details. We may also retain backup information related to your account on our servers for some time after cancelation for fraud detection or to comply with applicable law or our internal security or other policies. We are not responsible for any information lost following the deletion of your account.
Links to Third Party Sites
The Company may, from time to time, let you leave the site to linked sites. The linked sites are not under the control of the Company and the Company explicitly states that it is not responsible for the contents of any linked site. The links are provided for the convenience of members and any such link does not imply endorsement by the Company of the site or of any association with the operators of the site.
Requesting Further Information and Making a Complaint
To find out more about the Company please visit http://www.sisuwellness.com.
The Company at your request, can confirm what information we hold about you and how it is processed. If the Company does hold personal data about you, you can request the following information by contacting us using the details below:
- Identity and the contact details of the person or organisation that has determined how and why to process your data.
- The purpose of the processing as well as the legal basis for processing.
- If the processing is based on the legitimate interests of the Company or a third party, information about those interests.
- The categories of personal data collected, stored and processed.
- Recipient(s) or categories of recipients that the data is/will be disclosed to.
- How long the data will be stored.
- The source of personal data if it wasn’t collected directly from you.
- Any details and information of automated decision making, such as profiling, and any meaningful information about the logic involved, as well as the significance and expected consequences of such processing.
In order to verify the identity of those who make a request to us, we will accept the following forms of ID when information on your personal data is requested:
- Driving licence, Birth certificate,
- Utility bill dated within the last 3 months.
If you think the Company has breached any of its privacy obligations, or you wish to make a complaint about the way your personal data has been handled, you can contact our Data Protection Officer by email at email@example.com. So that the Company can respond to you, please clearly describe your complaint and include your name, email address and/or telephone number for our reply. Your complaint will be considered by the Company’s management, and an ac