Canada

Limbic AI Wellbeing
Companion Privacy Notice

Version 1 | Last Updated: 6 June 2024

Table of contents

Jump to...

toc link sample

Our Privacy Promise

Your privacy is important to Limbic Incorporated ("Limbic", "we", "us" and "our"). We're committed to protecting your personal data and being transparent about the personal data we hold and use.

This privacy notice is intended to be concise, transparent, and easy to understand, but we appreciate that you may have questions or want to seek clarification as to its terms. If you have any questions, please see section 14 for details on how to contact us.

We may make changes to this privacy notice from time to time, including where necessary to reflect any changes in the ways in which we process personal data or any changes to data protection laws. Any updates to this privacy notice will be posted on the Assistant and the Limbic website (www.limbic.ai). Please check this privacy notice regularly for updates.

1. Introduction

1.1 This privacy notice applies to you, a user of the Limbic AI Wellbeing Companion App (the "App") and our users or prospective users ("you" and "your") in Canada.

1.1.1 the “App” can be defined as the mobile application software available on iOS and Android known in different forms as Limbic AI Wellbeing Companion, (as it may be rebranded, renamed or localised from time to time) the data supplied with such software, and any updates or supplements to it;

1.2 Please read this privacy notice carefully. Among other things, it explains:

1.2.1 what personal data we may collect about you;
1.2.2 why we collect and use your personal data and the legal bases we rely on for processing it;
1.2.3 who we disclose your personal data to;
1.2.4 where we store your personal data;
1.2.5 how long we keep your personal data; and
1.2.6 your rights regarding the personal data we hold about you and/or which you provide to us.

2. Who We Are

2.1 We are Limbic Incorporated (“Limbic”), a Delaware corporation. We are a business that provides software for mental healthcare.

2.2 Data protection laws apply to our collection and use of personal data.

2.3 If you have any queries regarding this privacy notice or the way in which we process your personal data, please contact us at:

Role responsible for PIPEDA compliance: DPO

email: data.enquiries@limbic.ai

Address: FAO: Data Protection Enquiries, Limbic Inc, 8th Floor 100 Church Street Tribeca New York, NY 10007

3. Changes To Your Personal Information

It's important that the personal data we hold about you is accurate and current. Please let us know if your personal data changes or if you become aware that any personal data that we hold about you is not accurate.

email: data.enquiries@limbic.ai

Address: FAO: Data Protection Enquiries, Limbic Inc, 8th Floor 100 Church Street Tribeca New York, NY 10007

4. What Personal Data We Collect

4.1 The type of personal data we process may include (as applicable) the following depending onyour use of the App:

Categories of Data

Description of Data

Identity Data

Name, address, date of birth, age, title.

Contact Data

Email address, phone number.

Correspondence Data

Information which you provide in, or we learn about you from, any correspondence or communications with us, details of anyenquiries or requests for technical support or customer care support and any other information you provide to us.

Usage Data

Usage information such as how you navigate around the App.

Health Data

Any information that you voluntarily provide (whether manually or automatically) through your use of the App. This may include medication and prescription history; mood logs; your responses to questions to track your progress with any cognitive behavioural therapy and emotional triggers; clinical questionnaire scores; and other qualitative and quantitative health data.

Technical Data

Type of device, unique device identifier (e.g. an IMEI number, IDFA, IP, or MAC address), network information, the type of operating system, platform and browser you use, location, time zone settings and other device related information and online identifiers.

User Generated Image Data

Any user generated images sent via technical support channels whilst using the App are kept and used to triage bugs and customer complaints.

Marketing and Communications Data

Your marketing preferences and communication preferences and any information that you may provide to us in any reviews or feedback.

Consent Data

Information relating to your preferencesregarding the processing of your data and your consent to process health data.

4.2 Information about why we process the above personal data and the lawful basis we rely on is set out in sections 6 and 7 below.

4.3 We only process personal data which is adequate, relevant and limited to what is necessary tofulfil the purposes set out in this notice.

4.4 You acknowledge and agree that you will only provide us with your own personal data and thatyou must not provide us with the personal data of any third party or any data which may beconsidered unlawful.

4.5 We do not process any information about children under the age of 13 and we do not process any information about criminal convictions and offences. You must not provide us with any such information on the App. If you or any other person becomes aware that a child has accessed or may have accessed the App and provided their personal data without parent consent, they must contact us by email at data.enquiries@limbic.ai.

5. How We Collect Your Personal Data

5.1 We may collect information direct from you and use, disclose and store it when:

5.1.1 you access, use or interact the Limbic AI Wellbeing Companion;
5.1.2 you correspond/interact with us via email, phone, social media or other channels;
5.1.3 you make any inquiry or complaint;
5.1.4 you purchase, request or subscribe for a product or service from us;
5.1.5 you request technical support or other customer care support;
5.1.6 you participate in competitions, surveys and questionnaires or provide us with areview or feedback; or
5.1.7 you provide data for other legal and regulatory purposes.

5.2 Where lawful, we may also obtain personal data from other third parties (including third party platforms) and we may process that information where such processing is necessary or permitted in order to provide our products and services to you, or where such processing is necessary or permitted for our internal administrative purposes or for marketing and business development purposes.

5.3 We may also automatically collect certain Technical Data (as defined in section 4 above) relating to your device and your activities on the App. We may also collect such data from third parties such as analytics providers (including Google) and third party platforms and organisations within advertising networks (including Facebook).

5.4 Where we need to collect personal data by law, or under the terms of an agreement we have with you, and you fail to provide that data when requested (or fail to consent to the processing of that data, if necessary), we may not be able to perform the agreement or arrangement we have or are trying to enter into with you or such failure may limit or prevent you obtaining access to, or making full use of, the App.

6. How We Use Your Personal Data

6.1 We use your personal data for a number of purposes but only where we're allowed to by law

6.2 We may process your personal data where such processing is necessary or permitted:

6.2.1 in order to perform any agreement we have entered into with you or in anticipation of any agreement we may enter into with you (including our Terms of Use);
6.2.2 to comply with any applicable law or regulation; and/or
6.2.3 for the purposes of the legitimate interests pursued by us or a third party. These legitimate interests include the purposes identified in the table below in section 7 but may also include other commercial interests and our internal administrative purposes. Where we rely on legitimate interests as the lawful basis for processing your personal data, we'll put in place appropriate safeguards to protect your data and to ensure that your fundamental rights and freedoms are not overridden by those legitimate interests.

6.3 We may also process your personal data where we have your consent. Where we rely on consent as the lawful basis for processing your personal data, you have the right to withdraw your consent at any time and if you wish to do so, you should contact us using the contact details set out in section 13 below. Where we obtain your consent to send you marketing communications, you can unsubscribe by following the unsubscribe link within the communication. The withdrawal of consent does not affect the lawfulness of processing based on consent before withdrawal or the lawfulness of processing based on other lawful grounds.

6.4 We may process special categories of personal data (including details about your race or ethnicity, sex life, sexual orientation, and information about your health and genetic and biometric data) where:

6.4.1 we have your explicit consent;
6.4.2 the processing is necessary for reasons of substantial public interest because of the law; and/or
6.4.3 the processing is necessary for the establishment, exercise, or defense of legal claims.

6.5 As elements of your Health Data will constitute special categories of personal data, our lawful basis for processing your Health Data will usually be your explicit consent. Where you are asked to give such explicit consent, this consent refers to the processing of your Health Data for the specific purposes set out in clause 7 or such other purposes as may be communicated to you within the Assistant from time to time. You should not consent to such processing (including by accepting the terms of this notice) unless you wish to give us your express, freely given consent to process your Health Data in accordance with the terms of this notice. You are not required to provide any Health Data to us, but given the nature of our App and our services, it is likely to prejudice our ability to deliver our services to you if you choose not to do so.

6.6 We may anonymise your personal data and use it for our internal research and development purposes to improve and develop existing or new software and services. Such purposes may include, for example, to gain statistical insight into how our services are used and can be most helpful, as well as to develop and improve our algorithms, functionality and user interface. We ensure that your personal data is irreversibly anonymised before using it for such purposes, meaning that it does not, and cannot be used to, identify you. You acknowledge and agree that any resulting intellectual property rights arising out of or in connection with your personal data are fully owned by us.

6.7 We may process your personal data for more than one lawful ground depending on the specific purpose for which we're using your data.

6.8 We may process your personal data ourselves or in conjunction with our third party service providers in accordance with section 8.

6.9 We'll only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.

6.10 If we need to use your personal data for an unrelated purpose, we'll notify you (which may be by way of update to this privacy notice) and we'll explain the legal basis which allows us to do so. In the event that the purpose of data collection changes where consent is the lawful basis for processing, we will notify you of such change and re-secure your consent for such processing.

6.11 Please note that we may process your personal data without your knowledge or consent where this is required or permitted by law.

7. Our Legal Bases For Processing Your Personal Data

7.1 We've set out below the legal bases on which we process your personal data. We've identified what our legitimate interests are, where appropriate.

Purpose/Activity

Type of Personal Data Processed

Lawful Basis for Processing

Provision of our products and services

To provide our Assistant to you
To allow your nominated clinician to process your personal data (including Health Data)
To apply our proprietary algorithms to Health Data

Identity Data
Contact Data
Correspondence Data
Health Data
Usage Data
Technical Data

Your explicit consent (with regards to Health Data)
Performance of a contract
Compliance with a legal obligation
Our legitimate interests to operate our business and fulfil our legal and contractual obligations

Business Operation and Maintenance

To operate and protect the Assistant (including troubleshooting, incident management and data breach management, data analysis, product and system testing, system maintenance, support, reporting and hosting of data)

Identity Data
Contact Data
Health Data
Correspondence Data
Usage Data
Technical Data

Your explicit consent (with regards to Health Data)
Performance of a contract
Compliance with a legal obligation
Our legitimate interests to operate and improve our business, fulfil our legal and contractual obligations and for the purposes of IT security

Customer Relationship
Management

To manage our relationship with our customers which includes notifying you of any changes to our terms or this privacy notice or to our products/services, apps, to respond to enquiries, messages, and requests for technical support and customer care support

Identity Data
Contact Data
Correspondence Data
Health Data
Usage Data
Technical Data
Marketing and Communications Data

Your explicit consent (with regards to Health Data)
Performance of a contract
Compliance with a legal obligation
Our legitimate interests to respond to enquiries, messages and requests, operate, develop and improve our business and to fulfil our legal and contractual obligations

Research and Business Development

To improve the Assistant, our apps, customer relationships and experiences
To anonymize your data for the purposes set out in section 6.6

Identity Data
Contact Data
Correspondence Data
Health Data
Usage Data
Technical Data
Marketing and Communications Data

Our legitimate interests to define types of customers for our products and services, develop and improve our business and to inform our marketing strategy

Business Management

To manage our business including to keep financial and accounting records, carry out audits, testing, comply with our reporting requirements and other corporate governance requirements
To exercise our rights set out in agreements including recovering debts owed to us

Identity Data
Contact Data
Correspondence Data
Usage Data
Technical Data

Performance of a contract
Compliance with a legal obligation
Our legitimate interests to exercise our rights (including to recover debts), to operate our business (including internal administration and IT services, network security, to prevent fraud and in the context of a business reorganization, sale or group restructuring exercise) and to fulfil our legal and contractual obligations

Marketing and Advertising

To market our products and services
Asking you to leave a review or take part in a poll/survey
To use data analytics to improve our business, the Website, our products, services, marketing, customer relationships and experiences

Identity Data
Contact Data
Marketing and Communications Data
Usage Data
Technical Data

Consent (where you have opted-in to marketing)
Our legitimate interests to develop our business (and to inform our marketing strategy)

Reasons of public interest

To assist wider society and public health such as sharing data with health services like the NHS

Health Data
Usage Data
Technical Data

Health or social care
Public health

Purpose Activity	Categories of Data	Description of Data
<ul style="margin: 0; padding-left: 20px;"> <li>Identity Data</li> <li>Contact Data</li> </ul>	<ul style="margin: 0; padding-left: 20px;"> <li>Performance of a contract</li> <li>Compliance with a legal obligation</li> <li>Our legitimate interests to exercise our rights (including to recover debts), to operate our business including internal administration and IT services, network security, to prevent fraud and in the context of a business reorganisation, sale or group restructuring exercise; and to fulfil our legal and contractual obligations</li> </ul>
<strong>Business Management</strong> <ul style="margin-top: 8px; margin-bottom: 0; padding-left: 20px;"> <li>To manage our business including to keep financial and accounting records, carry out audits, testing, comply with our reporting requirements and other corporate governance requirements</li> <li>To exercise our rights set out in agreements including recovering debts owed to us</li> </ul>	<ul style="margin: 0; padding-left: 20px;"> <li>Identity Data</li> <li>Contact Data</li> <li>Correspondence Data</li> <li>Usage Data</li> </ul>	<ul style="margin: 0; padding-left: 20px;"> <li>Performance of a contract</li> <li>Compliance with a legal obligation</li> <li>Our legitimate interests to exercise our rights (including to recover debts), to operate our business including internal administration and IT services, network security, to prevent fraud and in the context of a business reorganisation, sale or group restructuring exercise; and to fulfil our legal and contractual obligations</li> </ul>

8. How We Share Your Personal Data With Others

8.1 We won't share any of your personal data with third parties except as set out in this section or otherwise notified to you or agreed between you and us from time to time.

8.2 We may share personal data with our group companies (including our subsidiaries, ultimate holding company and its subsidiaries) and partnered companies for the purposes outlined in this privacy notice. We may also share personal data with third party service providers who we engage to provide services which facilitate our business and we may also need to share personal data with other third parties in order to comply with our legal and regulatory obligations. Below is a list of specific third parties and other categories of third parties with whom we may share your personal data:

8.2.1 Heroku Services (the Limbic Software’s platform as a service provider);
8.2.2 Amazon Web Services (used for the cloud hosting of Limbic Software);
8.2.3 MongoDB Atlas (database provider);
8.2.4 Sentry, our application monitoring and error tracking software;
8.2.5 Mixpanel, our application for monitoring performance and usage analytics;
8.2.6 Firebase (Google), our application for serving push notifications on both iOS and Android and creating deep links for cross-product usage;
8.2.7 Messagebird (provider for OTPs)
8.2.8 Intercom (used for Limbic Software customer support)
8.2.9 Visual Studio App Center (Microsoft), our application for making app updates;
8.2.10 Apple, our application for making push notifications on iOS and reviewing app crash logs (iOS devices);
8.2.11 Google, our application for reviewing app crash logs (Android devices);
8.2.12 Microsoft Azure (the manufacturer of the front-end large language model (LLM) used in Limbic AI Wellbeing Companion)
8.2.13 any third party buyer of our business or assets;
8.2.14 law enforcement or a regulator;
8.2.15 legal counsel and other professional advisers including accountants and auditors;
8.2.16 any of our personnel who many need access to certain of your personal data in order to provide their services, which may include personnel who are engaged as consultants or workers, as well as our employees; and
8.2.17 any similar or replacement third parties from time to time.

8.3 We ensure that any third party engaged by us who processes your personal data in connection with the purposes listed above has policies and procedures in place to ensure compliance with data protection laws.

8.4 For any third parties that are based, or process data, outside of the EEA or the United Kingdom, we engage such third parties in accordance with section 9 below.

8.5 We may share your personal data with third parties where we're required to do so by law or regulation (such as in connection with an investigation of fraud or other legal enquiry) or in connection with other legal proceedings (including where we believe that your actions violate applicable laws or any agreement with us, including our Terms of Use).

8.6 In the event that our business or any part of it is sold or integrated with another business, your details may be disclosed to our advisers and those of any prospective purchaser and will be passed to the new owners of the business.

9. International Transfers Of Your Personal Data

9.1 From time to time it may be necessary for us to transfer your information internationally. In particular, your information may be transferred to and/or stored on the servers of third parties identified in section 8 which are based outside of Canada, the UK or the EEA.

9.2 However, we won't transfer your personal data outside of Canada, the UK or the EEA unless:

9.2.1 such transfer is to a country or jurisdiction which the Canadian Government has approved as having an adequate level of protection;
9.2.2 appropriate safeguards are in place in accordance with data protection laws. These safeguards include the use of standard contractual clauses or binding corporate rules; or
9.2.3 the transfer is otherwise allowed under data protection laws (including where we have consent or the transfer is necessary for important reasons of public interest, is necessary for the establishment, exercise or defence of legal claims or is necessary for the performance of a contract with the data subject).

9.3 We'll ensure that where your personal data is transferred outside of Canada, the UK or the EEA, it is afforded an essentially equivalent level of protection as would be afforded to it within the location from which it is transferred.

10. How We Store And Retain Your Personal Data

10.1 As a minimum, we need to store your personal data for as long as is necessary to enable us to fulfil the purpose for which it is processed, including to provide and operate our App, fulfil our legal and regulatory obligations (e.g. relating to record keeping) and to exercise or defend any legal claims.

10.2 For as long as we do store your data, we follow generally accepted industry standards and maintain reasonable safeguards to attempt to ensure the security, integrity, and privacy of the information you have provided. All information you provide to us is stored on our secure servers. We adhere to the NHS Data Protection Toolkit, have implemented DCB0129 standards for safety/risk mitigation, are ISO 27001 certified and are Cyber Essentials accredited.

10.3 We'll notify you without undue delay in accordance with the requirements of data protection laws, if we have reason to believe that there has been a personal data breach by us which could adversely affect your rights and freedoms and we're required by law to notify you.

10.4 We maintain and implement a data retention policy and will delete personal data in accordance with this other than in rare circumstances (for example, where we are required to retain data by law).

11. Your Legal Rights

11.1 Subject to any conditions and requirements set out in data protection laws, you may have some, or all, of the following rights in relation to the personal data we hold about you:

11.1.1 the right to request a copy of your personal data held by us;
11.1.2 the right to correct any inaccurate or incomplete personal data held by us;
11.1.3 the right to request that we erase personal data we hold about you;
11.1.4 the right to request that we restrict the processing of your data;
11.1.5 the right to have your personal data transferred to another organization;
11.1.6 the right to object to certain types of processing of your personal data by us;
11.1.7 the right to request that you are not subject to any decision which is based solely on automated processing, including profiling, where this produces legal effects or otherwise significantly affects you; and
11.1.8 the right to complain (please see section 13 of this privacy notice).

11.2 PLEASE NOTE that these rights are not absolute in all situations and may be subject to conditions and provisions set out in data protection laws. We cannot, therefore, guarantee that we'll be able to honour any request from you in connection with the rights set out above. (For example, even if you request that we delete your personal data, we may be required by law to retain some personal data for accounting and record keeping purposes or in order that we comply with our legal and regulatory obligations).

11.3 We will respond to a request to exercise your rights as set out in this section as we can, and in any event within one calendar month.

11.4 For further information, or to exercise any particular right, please see section 13 for details of how to contact us.

12. Links To Third Parties

12.1 The App may link or redirect to other websites, social media accounts or other content which is not under our control. Unless otherwise stated, such links or redirections are not endorsements of such websites or representation of our affiliation with them in any way and such third party websites are outside the scope of this privacy notice.

12.2 If you access such third party websites or platforms, please ensure that you're satisfied with their respective privacy policies before you provide them with any personal data. We cannot be held responsible for the activities, privacy policies or levels of privacy compliance of any website or platform operated by any third party.

13. Questions And Complaints

13.1 Please contact us at:

Role responsible for PIPEDA compliance: DPO

email: data.enquiries@limbic.ai

Address: FAO: Data Protection Enquiries, Limbic Inc, 8th Floor 100 Church Street Tribeca New York, NY 10007

13.2 You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues, which in Canada is the Office of the Privacy Commissioner of Canada (OPC) (www.priv.gc.ca).

Limbic AI WellbeingCompanion Privacy Notice

Limbic AI Wellbeing
Companion Privacy Notice