Limbic Privacy Policies

1 INTRODUCTION

1.1  This privacy notice applies to you, a user of theLimbic Website (www.limbic.ai, the "Website") and our users or prospective users who are intended to be either patients or clinicians ("you"and "your").

1.2  Please read this privacy notice carefully. Among other things, it explains:

1.2.1  what personal data we may collect about you;

1.2.2  why we collect and use your personal data and the legal bases we rely on for processing it;

1.2.3  who we disclose your personal data to;

1.2.4  where we store your personal data;

1.2.5  how long we keep your personal data; and

1.2.6  your rights regarding the personal data we hold about you and/or which you provide to us.  

2 WHO WE ARE

2.1  We are Limbic. We are a business that provides software for mental healthcare. Limbic is a company registered in England andWales (company number: 11093861) with its registered office at Kemp House 160 City Road, London, England, EC1V 2NX.

2.2  Data protection laws apply to our collection and use of personal data and Limbic is the controller of that personal data (ICO registration number: ZA779212).

2.3  If you have any queries regarding this privacy notice or the way in which we process your personal data, please contact us at: Email: data.enquiries@limbic.ai, Address: FAO Data Protection Enquiries, CTO/Director, Kemp House, 160 CityRoad, London, England, EC1V 2NX.

3 CHANGES TO YOUR PERSONAL INFORMATION

It's important that the personal data we hold about you is accurate and current. Please let us know if your personal data changes or if you become aware that any personal data that we hold about you is not accurate.

4 WHAT PERSONAL DATA WE COLLECT

4.1 The type of personal data we process may include (asapplicable) the following depending on your use of the Website:

4.2  Information about why we process the above personal data and the lawful basis we rely on is set out in sections 6 and 7 below.

4.3  We only process personal data which is adequate, relevant and limited to what is necessary to fulfil the purposes set out in this notice.

4.4  You acknowledge and agree that you will only provide us with your own personal data and that you must not provide us withthe personal data of any third party or any data which may be considered unlawful.

4.5  We do not process any information about children under the age of 13 and we do not process any information about criminal convictions and offences. You must not provide us with any such information on the Website. If you or any other person becomes aware that a child has accessed or may have accessed the Website and provided their personal data without parent consent, they must contact us by email at data.enquiries@limbic.ai.

5 HOW WE COLLECT YOUR PERSONAL DATA

5.1  We may collect information direct from you and use, disclose and store it when:

5.1.1  you access, use or interact with the Website;

5.1.2  you correspond/interact with us via email, phone, social media or other channels;

5.1.3  you make any enquiry or complaint;

5.1.4  you purchase, request or subscribe for a product or service from us;

5.1.5  you request technical support or other customer care support;

5.1.6  you participate in competitions, surveys and questionnaires or provide us with a review or feedback; or

5.1.7  you provide data for other legal and regulatory purposes.

5.2  Where lawful, we may also obtain personal data from other third parties (including third party platforms) and we may process that information where such processing is necessary or permitted in order to provide our products and services to you, or where such processing is necessary or permitted for our internal administrative purposes or for marketing and business development purposes.  

5.3 Where we need to collect personal data by law, or under the terms of an agreement we have with you, and you fail to provide that data when requested (or fail to consent to the processing of that data, if necessary), we may not be able to perform the agreement or arrangement we have or are trying to enter into with you or such failure may limit or prevent you obtaining access to, or making full use of, the Website.

6 HOW WE USE YOUR PERSONAL DATA

6.1  We use your personal data for a number of purposes but only where we're allowed to by law.

6.2  We may process your personal data where such processing is necessary or permitted:

6.2.1 in order to perform any agreement we have entered into with you or in anticipation of any agreement we may enter into with you (including our Terms of Use);

6.2.2 to comply with any applicable law or regulation; and/or

6.2.3 for the purposes of the legitimate interests pursued by us or a third party. These legitimate interests include the purposes identified in the table below in section 7 but may also include other commercial interests and our internal administrative purposes. Where we rely on legitimate interests as the lawful basis for processing your personal data, we'll put in place appropriate safeguards to protect your data and to ensure that your fundamental rights and freedoms are not overridden by those legitimate interests.

6.3  We may also process your personal data where we have your consent. Where we rely on consent as the lawful basis for processing your personal data, you have the right to withdraw your consent at any time and if you wish to do so, you should contact us using the contact details set out in section 14 below. Where we obtain your consent to send you marketing communications, you can unsubscribe by following the unsubscribe link within the communication. The withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal or the lawfulness of processing based on other lawful grounds.

6.4  We may  process your personal data for more than one lawful ground depending on the specific purpose for which we're using your data.

6.5  We may process your personal data ourselves or in conjunction with our third party service providers in accordance with section 8.

6.6  We'll only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

6.7  If we need to use your personal data for an unrelated purpose, we'll notify you (which may be by way of update to this privacy notice) and we'll explain the legal basis which allows us to do so. In the event that the purpose of data collection changes where consent is the lawful basis for processing, we will notify you of such change and re-secure your consent for such processing.   

6.8 Please note that we may process your personal datawithout your knowledge or consent where this is required or permitted by law.

7 OUR LEGAL BASES FOR PROCESSING YOUR PERSONAL DATA

7.1 We've set out below the legal bases on which we process your personal data. We've identified what our legitimate interests are, where appropriate.

‍

Purpose/Activity	Type of Personal Data Processed	Lawful Basis for Processing
Provision of our products and services  ● To provide our Website to you.	●  Identity Data  ●  Contact Data  ● Correspondence Data	●  Performance of a contract ●  Compliance with a legal obligation ●  Our legitimate interests to operate and improve our business, fulfil our legal and contractual obligations and for the purposes of IT security
Business Operation and Maintenance  ● To operate and protect the Website (including troubleshooting, incident management and data breach management, data analysis, product and system testing, system maintenance, support, reporting and hosting of data)	●  Identity Data  ●  Contact Data  ● Correspondence Data	●  Performance of a contract ●  Compliance with a legal obligation ●  Our legitimate interests to operate and improve our business, fulfil our legal and contractual obligations and for the purposes of IT security
Customer Relationship Management ● To manage our relationship with our customers which includes notifying you of any changes to our terms or this privacy notice or to our products/services, apps, to respond to enquiries, messages, and requests for technical support and customer care support	●  Identity Data ●  Contact Data ●  Correspondence Data ●  Marketing and Communications Data	●  Performance of a contract ●  Compliance with a legal obligation ●  Our legitimate interests to respond to enquiries, messages and requests, operate, develop and improve our business and to fulfil our legal and contractual obligations
Research and Business Development ● To improve the Website, our apps, customer relationships and experiences	●  Identity Data ●  Contact Data ●  Correspondence Data ●  Marketing and Communications Data	● Our legitimate interests to define types of customers for our products and services, develop and improve our business and to inform our marketing strategy
Business Management ●  To manage our business including to keep financial and accounting records, carry out audits, testing, comply with our reporting requirements and other corporate governance requirements ●  To exercise our rights set out in agreements including recovering debts owed to us	●  Identity Data  ●  Contact Data  ● Correspondence Data	●  Performance of a contract ●  Compliance with a legal obligation ●  Our legitimate interests to exercise our rights (including to recover debts), to operate our business (including internal administration and IT services, network security, to prevent fraud and in the context of a business reorganisation, sale or group restructuring exercise) and to fulfil our legal and contractual obligations
Marketing and Advertising ●  To market our products and services ●  To make suggestions and recommendations to you about other products/services that may be of interest to you ●  Asking you to leave a review or take part in a poll/survey ●  To enable you to take part in a prize draw or competition including the publication of certain details if you're the winner ●  To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you ●  To use data analytics to improve our business, the Website, our products, services, marketing, customer relationships and experiences	●  Identity Data ●  Contact Data ●  Marketing and Communications Data	●  Consent (where you have opted-in to marketing)

8 HOW WE SHARE YOUR PERSONAL DATA WITH OTHERS

8.1  We won't share any of your personal data with third parties except as set out in this section or otherwise notified to you or agreed between you and us from time to time.

8.2  We may also share personal data with our group companies (including our subsidiaries, ultimate holding company and its subsidiaries) and partnered companies for the purposes outlined in this privacy notice. We may also share personal data with third party service providers who we engage to provide services which facilitate our business and we may also need to share personal data with other third parties in order to comply with our legal and regulatory obligations. Below is a list of specific third parties and other categories of third parties with whom we may share your personal data:

8.2.1  Heroku Services, our data hosting provider;

8.2.2  Amazon Web Services, the servers used by Heroku Services;

8.2.3  Google Analytics and Google Ads, operated byGoogle LLC, our provider of online marketing tools and other analytics, advertising and attribution partners;

8.2.4  Hubspot, our Customer Relationship Management software;

8.2.5  any similar or replacement third parties from time to time.

8.3  We ensure that any third party engaged by us who processes your personal data in connection with the purposes listed above has policies and procedures in place to ensure compliance with data protection laws.

8.4  For any third parties that are based, or process data, outside of the EEA or the United Kingdom, we engage such third parties in accordance with section 9 below.

8.5  We'll remain the controller responsible for the processing of your personal data even if third parties may operate as a joint controller with us. For some processing activities we may act as a processor for a third party and, in such circumstances, the third party will be responsible for providing you with the processing information required under data protection laws.

8.6  We may share your personal data with third parties where we're required to do so by law or regulation (such as in connection with an investigation of fraud or other legal enquiry) or in connection with other legal proceedings (including where we believe that your actions violate applicable laws or any agreement with us, including our Terms of Use).

8.7  In the event that our business or any part of it is sold or integrated with another business, your details may be disclosed to our advisers and those of any prospective purchaser and will be passed to thenew owners of the business.

9 INTERNATIONAL TRANSFERS OF YOUR PERSONAL DATA

9.1  From time to time it may be necessary for us to transfer your information internationally. In particular, your information maybe transferred to and/or stored on the servers of third parties identified in section 8 which are based outside of the UK or the EEA.

9.2  However, we won't transfer your personal data outside of the UK or the EEA unless:

9.2.1  such transfer is to a country or jurisdiction which the EU Commission or the UK (as applicable) has approved as having an adequate level of protection;

9.2.2  appropriate safeguards are in place in accordance with data protection laws. These safeguards include the use of standard contractual clauses or binding corporate rules; or

9.2.3  the transfer is otherwise allowed under data protection laws (including where we have consent or the transfer is necessary for important reasons of public interest, is necessary for the establishment, exercise or defence of legal claims or is necessary for the performance of a contract with the data subject).

9.3  We'll ensure that where your personal data is transferred outside of the UK or the EEA, it is afforded an essentially equivalent level of protection as would be afforded to it within the location from which it is transferred.

10 HOW WE STORE AND RETAIN YOUR PERSONAL DATA

10.1  As a minimum, we need to store your personal data for as long as is necessary to enable us to fulfil the purpose for which it is processed, including to provide and operate our Website, fulfil our legal and regulatory obligations (e.g. relating to record keeping) and to exercise ordefend any legal claims.

10.2  For as long as we do store your data, we follow generally accepted industry standards and maintain reasonable safeguards to attempt to ensure the security, integrity, and privacy of the information you have provided. All information you provide to us is stored on our secure servers. We are ISO 27001 certified and Cyber Essentials accredited.

10.3  We'll notify you without undue delay in accordance with the requirements of data protection laws, if we have reason to believe that there has been a personal data breach by us which could adversely affect your rights and freedoms and we're required by law to notify you.

10.4  We maintain and implement a data retention policy and will delete personal data in accordance with this.

11 YOUR LEGAL RIGHTS

11.1 Subject to any conditions and requirements set out in data protection laws, you may have some, or all, of the following rights in relation to the personal data we hold about you:  11.1.1  the right to request a copy of your personal data held by us;

11.1.2  the right to correct any inaccurate or incomplete personal data held by us; 11.1.3  the right to request that we erase personal data we hold about you;

11.1.4  the right to request that we restrict the processing of your data;

11.1.5  the right to have your personal data transferred to another organisation;

11.1.6  the right to object to certain types of processing of your personal data by us;

11.1.7  the right to request that you are not subject to any decision which is based solely on automated processing, including profiling, where this produces legal effects or otherwise significantly affects you; and

11.1.8  the right to complain (please see section 14 of this privacy notice).

11.2  PLEASE NOTE that these rights are not absolute in all situations and may be subject to conditions and provisions set out in data protection laws. We cannot, therefore, guarantee that we'll be able to honour any request from you in connection with the rights set out above. (For example, even if you request that we delete your personal data, we may be required bylaw to retain some personal data for accounting and record keeping purposes orin order that we comply with our legal and regulatory obligations).

11.3  We will respond to a request to exercise your rights as set out in this section as we can, and in any event within two months.

11.4  For further information, or to exercise any particular right, please see section 14 for details of how to contact us.

12 LINKS TO THIRD PARTIES

12.1  The Website may link or redirect to other websites, social media accounts or other content which is not under our control. Unless otherwise stated, such links or redirections are not endorsements of such websites or representation of our affiliation with them in any way and such third party websites are outside the scope of this privacy notice.

12.2  If you access such third party websites or platforms, please ensure that you're satisfied with their respective privacy policies before you provide them with any personal data. We cannot be held responsible for the activities, privacy policies or levels of privacy compliance of any website or platform operated by any third party.

13 COOKIES

The Website does not use any cookies.

14 QUESTIONS AND COMPLAINTS

14.1 Please contact us at: Email: data.enquiries@limbic.ai
Address: FAO Data Protection Enquiries, CTO/Director, Kemp House, 160 CityRoad, London, England, EC1V 2NX.

14.2 You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues, which in the UK is the Information Commissioner's Office (ICO) (www.ico.org.uk).
‍