Last updated: 17th August 2021
1 Introduction
1.1 Limbic Limited (the "Company", "we", "us" or "our") respects your privacy and is committed to treating any information that we obtain about you with as much care as possible and in a manner that is compliant with all applicable data protection legislation including the EU General Data Protection Regulation 2016/679 ("GDPR") and any national implementing laws in relation to the same including the Data Protection Act 2018 (collectively, "Data Protection Legislation").
1.2 We have appointed Sebastiaan de Vries, the Company’s CTO, as our data protection officer (DPO). If you have any questions about this privacy policy, please contact us by email at bas@limbic.ai or by post at Data Protection Enquiries, CTO/Director, Kemp House, 160 City Road, London, England, EC1V 2NX.
1.3 Please read this data protection and privacy policy (the “policy”) carefully as it contains important information relating to your personal data.
1.4 This policy applies to your use of:
1.4.1 the website chatbot software known as Limbic Access (as it may be rebranded, renamed or localised from time to time), the data supplied with such software, and any updates or supplements to it (the “Web Chatbot”)
1.4.2 our mobile application software available on iOS and Android known in different forms as Limbic Self-Care, Limbic Care, or Limbic Prevent (as it may be rebranded, renamed or localised from time to time) and any updates or supplements to it (the “App”);
1.4.3 our web-based applications known as Limbic Therapist Portal and Limbic Admin Portal (as it may be rebranded, renamed or localised from time to time) and any updates or supplements to it (the “Dashboards” and, together with the App, and Web Chatbot, the “Software”);
1.4.4 any wearable devices which we send you for use in connection with the Software
(“Wearable Devices”); and
1.4.5 any of the services accessible through the Software, including the tools which the Software provides to help mental healthcare professionals and their patients to monitor various health data metrics (the “Services”).
1.5 This policy sets out the basis by which any personal data we collect from you, or that you provide to us, will be processed. Among other things, it explains:
1.5.1 what personal data we may collect about you in connection with:
1.5.1.1 providing you with access to, and your use of, our Software and Services;
1.5.1.2 your online interaction with us (including via the App, Dashboards, our websites, via email, or via telephone);
1.5.1.3 any data generated by any Wearable Devices you use; and
1.5.1.4 any other interaction between you and us through any other channels related or ancillary to the foregoing,
(collectively, the "Data Processing Channels");
1.5.2 how we collect, store, disclose, transfer, protect and otherwise process that personal data (and for what purposes); and
1.5.3 other important information, such as the lawful basis or bases by which we process your personal data, how long we retain your personal data, and the rights you have in relation to the personal data we hold about you.
1.6 This policy supplements (and its terms apply in addition to) any other terms of use or other terms and conditions agreed between you and the Company from time to time, including our Terms of Use. Please note that there may also be other privacy policies related to elements of the Data Processing Channels which apply in addition to this policy, such as a privacy policy issued by the manufacturer of your device or any Wearable Device.
1.7 In this policy, terms defined in the GDPR, including "data subject", "personal data", and "processing", have the same meaning when used in this policy. The words "include", "including", "such as" and similar words and phrases shall be construed to mean "including without limitation".
1.8 This policy is intended to be communicated to you in a concise, transparent, intelligible and easily accessible manner, but we appreciate that you may have queries or want to seek clarification as to its terms. If so, please contact us and we will endeavour to respond as soon as possible.
1.9 The Company reserves the right to make changes to this policy from time to time including as may be necessary or desirable to reflect any changes in: (i) the ways in which we gather and process personal data; Data Protection Legislation; or (iii) best practice. The Company will endeavour to notify you of such changes but you are advised to check for an updated version of this policy at https://static.limbic.ai/pp each time you interact with us through the Data Processing Channels.
1.10 It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
2 The personal data we process
2.1 We collect personal data about you through the Data Processing Channels when you:
2.1.1 access and use our websites, apps, Software, Services and any Wearable Devices (including automatically by way of cookies or similar technologies – please refer to paragraph 11 below for more information);
2.1.2 send messages or submit information via the App and/or Dashboards (which could, at your option, include your location data and/or your Health Data) or otherwise interreact with other users of the App (including your clinician or patient, as the case may be);
2.1.3 register for an account on our Software or Services, or subscribe for or participate in other services, competitions, contests, special events, or our mailing list;
2.1.4 contact us (whether in writing, by email, by telephone or otherwise), including via any contact form available through the Data Processing Channels;
2.1.5 make any enquiry or application with respect to careers, vacancies or opportunities at the Company (including via the AngelList recruiting tool);
2.1.6 purchase, request or subscribe for a product (including the Software) or service (including the Services);
2.1.7 request technical support or other customer care support;
2.1.8 participate in polls, surveys and questionnaires on or related to the Data Processing Channels; or
2.1.9 otherwise interact with us through the Data Processing Channels.
2.2 Where lawful, we may also obtain personal data from third parties or public sources (for example, the open electoral register or credit reference agencies) and we may process that information where it is an essential component of the products and services we offer you.
2.3 The type of personal data we process may include (if and as applicable depending on your use of the Software and Services):
2.3.1 technical data including the information obtained through the use of cookies or similar technologies when you use the site (please refer to paragraph 11 below for more information) ("Technical Data");
2.3.2 any information that you voluntarily provide (whether manually or automatically) through your use of the App, Dashboards, Service and/or any Wearable Device, which is used to assist us in delivering the Services. For patients, this is likely to include your medication and prescription history; mood logs; your responses to questions asked to track your progress with any cognitive behavioural therapy and emotional triggers (for example, “where are you?”, “what are you doing?”, “who are you with?”); heart rate data, accelerometer data, steps data and sleep tracking data provided through any Wearable Devices; and clinical questionnaire scores (“Health Data”);
2.3.3 in relation to clinicians, the identity and contact information of the clinician and the clinic where the clinician is employed, details relating to therapist specialisation and the clinician account password (which will be stored in a hashed/obscured manner) (“Clinician Data”);
2.3.4 if you give the relevant permissions in your device, your location data provided
through your device’s GPS (“Location Data”);
2.3.5 your identity and contact information, such as your name, user name, email address, postal address, date of birth, telephone number and other information provided by you when you register for an account on our Software or Services, ask us to send you a Wearable Device, or subscribe for other services, contests, special events or our mailing list (“Identity and Contact Data”);
2.3.6 other information which you provide in any correspondence with us ("Correspondence Data");
2.3.7 if you enquire or apply for any vacancies or opportunities at the Company, your CV, résumé, educational background, employment history and any other information you provide in connection with the same ("CV Data");
2.3.8 in relation to any order, purchase or subscription made by you, your order details, payment information, preferences and other transaction information provided or obtained in connection with any product or service you have requested, bought or subscribed for ("Product and Service Data");
2.3.9 your responses to any polls, surveys and questionnaires we may run from time to time ("Response Data");
2.3.10 marketing and communications data, which includes your preferences in receiving marketing from us and our third parties and your communication preferences ("Marketing and Communications Data"); and
2.3.11 information ascertained by your other interaction with us through the Data Processing Channels, such as your usage history ("Usage Data").
2.4 We do not process:
2.4.1 any information about criminal convictions and offences; or
2.4.2 any information about children under the age of 13,
and you should not provide us with any such information through any of the Data Processing Channels.
3 The purposes for which we process your personal data
3.1 We use the personal data referred to in paragraph 2 above for the purposes of (if and as applicable):
3.1.1 providing you with access to, and facilitating your use of, our App, Dashboards and the Services. For the avoidance of doubt, this means (in the case of patients) allowing your nominated clinician to access, filter and process your personal data, including Health Data;
3.1.2 applying our proprietary algorithm to Health Data in order to derive new data which can be used to indicate mood and emotional state;
3.1.3 personalising content on the Software, Services or through our other Data Processing Channels;
3.1.4 sending you promotional and marketing materials, notifications, updates and exclusive news (in accordance with your Marketing Communications Data preferences);
3.1.5 processing payments and fulfilling orders for products and/or services;
3.1.6 conducting internal training and other internal uses to improve our services and customer experience (including improving our marketing and promotional efforts, analysing channel usage statistics, improving content and product offerings and customising the content and layout of our Software and Services);
3.1.7 responding to any correspondence from you including enquiries, comments, complaints and request for technical assistance;
3.1.8 if your data was provided in connection with a career opportunity or vacancy, assessing your fitness and eligibility for any particular role;
3.1.9 administering any polls, services, questionnaires, competitions, contests, or special events which you may have subscribed for or participated in;
3.1.10 recording your purchase or usage history and administering your account with us;
3.1.11 market research and demographic studies;
3.1.12 complying with any legal obligation; and
3.1.13 otherwise carrying out our business activities in circumstances where you ought reasonably to have an expectation that we will process your personal data for a particular purpose (including as may be provided for in our Terms of Use or any other agreement between us).
3.2 We may process your personal data for the purposes set out in paragraph 3.1 ourselves or in conjunction with our third party service providers (in accordance with paragraph 6). You are reminded that, if you use the Software as a patient, your data will be accessible through the Dashboards to your nominated healthcare professional(s).
4 The lawful bases by which we process your personal data
4.1 Health Data
4.1.1 Because elements of your Health Data will constitute special categories of personal data for the purposes of the Data Protection Legislation, our lawful basis for processing your Health Data will usually be your explicit consent. Where you are asked to give such explicit consent, such consent refers to the processing of your Health Data for the specific purposes set out in clause 3.1 or such other specific purposes as may be communicated to you within the Software when you give such consent. You should not consent to such processing (including by accepting the terms of this policy), unless you wish to give the Company your express, freely given consent to process your Health Data in accordance with the terms of this policy.
4.1.2 In certain circumstances, we may also process Health Data on the following lawful bases, if permitted by Data Protection Legislation:
4.1.2.1 processing for the purposes of preventative or occupational medicine; or
4.1.2.2 processing where necessary for reasons of public interest in the area of public health.
4.2 Marketing
For marketing emails which relate to your use of our Software or Services and may reasonably be considered to be service communications, we may rely on our legitimate interests and the performance of our agreement with you. Occasionally, however, we will obtain your consent before sending marketing communications to you (e.g. via email or text message).
4.3 Consent
4.3.1 Where your consent is our lawful basis for processing your personal data (e.g. under clauses 4.1.1 and 4.2), you may withdraw your consent at any time by contacting bas@limbic.ai. You can also unsubscribe from certain marketing emails by following the unsubscribe link displayed at the bottom of each email.
4.3.2 The withdrawal of your consent does not affect the lawfulness of processing based on consent before withdrawal or the lawfulness of processing based on other lawful grounds.
4.4 Other lawful bases
The Company may process your personal data in any circumstances where such processing is necessary:
4.4.1 in order to perform any agreement between us (including pursuant to our Terms of Use or any other agreement between us);
4.4.2 to comply with any applicable law or regulation; or
4.4.3 for the purposes of the legitimate interests pursued by us or third parties. These legitimate interests include the purposes identified above in paragraph 3.1 but also include other commercial interests and our internal administrative purposes.
4.5 We may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data.
4.6 More information about which lawful basis is used for which data processing activity is set out in the table below:
Purpose/Activity
Lawful basis for processing including basis of legitimate interest
To register you as a new customer or user
(a)Your consent (in the case of special categories of personal data)
(b) Performance of a contract with you
To process in-App and/or Dashboards purchases and deliver Services including managing payments and collecting money
owed to us
(a) Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us)
To provide, personalise and improve the Services (including sharing information with nominated clinicians)
(a)Your consent (in the case of special categories of personal data)
(b) Performance of a contract with you
(c) Legitimate interest (to develop the Services, improve user accessibility and tailor the user experience)
Purpose/Activity
Lawful basis for processing including basis of
legitimate interest
To promote safety, integrity and security
(a)Performance of a contract with you
(b) Legitimate interest (to provide security of the App and/or Dashboards)
(c) if applicable, the lawful bases mentioned in clause 4.1.2.
To manage our relationship with you which will include:
(a)Notifying you about changes to our terms or privacy policy
(b) Asking you to leave a review or take a survey
(a)Your consent (where special categories of personal data are concerned)
(b) Performance of a contract with you
(c) Necessary to comply with a legal obligation
(d) Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To process and deliver any orders, subscriptions, or requested services including:
(a)Manage payments, fees and charges
(b)Collect and recover money owed to us
(a)Performance of a contract with you
(b) Necessary for our legitimate interests (to recover debts due to us)
To administer and protect our business and this App and/or this Dashboards (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)
(a)Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
(b) Necessary to comply with a legal obligation
To deliver relevant App/Dashboards content and advertisements to you and measure or understand the effectiveness of the
marketing we serve to you
(a)Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our
marketing strategy)
To use data analytics to improve our App/Dashboards, products/services, marketing, customer relationships and experiences
(a)Necessary for our legitimate interests (to define types of customers for our products and services, to keep our App/Dashboards updated and relevant, to develop our business and to inform our marketing
strategy)
To make suggestions and recommendations to you about goods or services that may be of interest to you
(a)Necessary for our legitimate interests (to develop our products/services and grow our business)
4.7 We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
4.8 If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
4.9 Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
5 What if you refuse to provide us with any personal data?
5.1 Where we need to collect personal data by law, or under the terms of an agreement we have with you, and you fail to provide that data when requested (or fail to consent to the processing of that data, if necessary), we may not be able to perform the contract or arrangement we have or are trying to enter into with you (for example, to provide you with products or services). In this case, we may have to cancel a product or service you have with us but we will endeavour to notify you if this is the case at the time.
5.2 Whilst we may be able to provide you with certain products and services notwithstanding your refusal to submit personal data, this may limit your ability to participate in some activities, or use certain features, services or functionality.
5.3 Because our Software and the Services we offer are dependent on being able to process your Health Data, if you withdraw your consent you acknowledge and agree that we may be unable to provide you with all or any part of our Software and Services.
6 Sharing information with clinicians and other third parties
6.1 We will not share any of your personal data with third parties except as set out in this paragraph 6 or otherwise notified to you or agreed between you and us from time to time.
6.2 Where you are a patient, you acknowledge and agree that we will share your personal data (including Health Data) with your nominated clinician(s). This data may then be processed by them through the Dashboards.
6.3 From time to time, we will also need to share personal data with the following types of third party service providers who we engage to provide services which facilitate our business and who may need to process your personal data to the extent necessary to provide those services:
6.3.1 Heroku Services, our data hosting provider;
6.3.2 AngelList, our recruiting software;
6.3.3 Amazon Web Services, the servers used by Heroku Services; and
6.3.4 any similar or replacement third parties from time to time.
6.4 We seek to ensure that any third party engaged by us who processes your personal data in connection with the purposes listed above has policies and procedures in place to ensure compliance with the Data Protection Legislation.
6.5 For any third parties that are based, or process data, overseas, we only engage such third parties in accordance with paragraph 7.
6.6 Unless otherwise disclosed to you from time to time, we will remain the data controller in respect of your personal data notwithstanding that third parties may be engaged as data processors.
6.7 We may also share your personal information with third parties where we are required to do so by law or regulation (such as in connection with an investigation of fraud or other legal enquiry) or in connection with other legal proceedings (including where we believe that your actions violate applicable laws, our Terms of Use or any other arrangement between us, or any usage
guidelines for specific products or services, or threaten the rights, property, or safety of our Company, our users, or others).
7 International transfers of personal data
7.1 From time to time it may be necessary for us to transfer your information internationally. In particular your information may be transferred to and/or stored on the servers of third parties identified in paragraph 6 which are based outside of the EEA.
7.2 However, we will not transfer your personal data outside of the EEA unless:
7.2.1 such transfer is to a country or jurisdiction which the EU Commission has approved as having an adequate level of protection (including to the USA where Privacy Shield compliant);
7.2.2 appropriate safeguards are in place as set out in Article 46 GDPR or equivalent provisions of other Data Protection Legislation; or
7.2.3 the transfer is otherwise allowed by applicable Data Protection Legislation (such as in the form of a derogation under Article 49 GDPR).
8 Your rights as a data subject
Subject to any conditions or requirements set out in the relevant Data Protection Legislation, you may have some or all of the following rights in relation to the personal data we hold about you:
8.1 the right to request a copy of your personal data held by us;
8.2 the right to correct any inaccurate or incomplete personal data held by us;
8.3 the right to request that we erase the personal data we hold about you;
8.4 the right to request that we restrict the processing of your data;
8.5 the right to have your personal data transferred to another organisation;
8.6 the right to object to certain types of processing of your personal data by us; and
8.7 the right to complain (please see paragraph 12 of this policy).
Please note, however, that these rights are not absolute and may be subject to conditions and provisos set out in relevant Data Protection Legislation. The Company cannot therefore guarantee that any request from you in connection with the rights set out above will be agreed to. For further information, or to see if you can exercise any particular right, please contact us at bas@limbic.ai.
9 Storage and retention of your personal data
9.1 As a minimum, we need to store your data for as long as is necessary to enable us to provide you with access to our Software and the Services (or to support your use of our Software and Services, such as maintaining your account). However, we will retain certain of your personal
data for longer if we think it is reasonably necessary to do so in the circumstances, taking into consideration factors such as:
9.1.1 our need to perform any agreements between you and us (including our Terms of Use);
9.1.2 our need to answer any queries or resolve any problems you may have;
9.1.3 your continued consent;
9.1.4 your continued use of the Software;
9.1.5 our continued provision of Services to you; and
9.1.6 our need to comply with legal requirements (e.g. relating to record keeping).
9.2 Information about you that is no longer necessary and relevant to provide our Services may be de-identified or aggregated with other non-personal data to provide insights which are commercially valuable to us, such as statistics of the use of the Services. For example, we may retain anonymised Health Data and other anonymised information to continue to improve the Services.
9.3 If you tell us that you would like to delete your account, we will take steps to delete all the personal data we hold about you once it is no longer necessary for us to hold it. Your personal data will also be deleted from the Software when you are marked as “discharged”.
9.4 For as long as we do store your data, the Company follows generally accepted industry standards and maintains reasonable safeguards to attempt to ensure the security, integrity, and privacy of the information you have provided.
9.5 Information you provide is stored on Amazon Web Services (AWS) servers. AWS employs a high level of data protection safeguards, more information of which can be seen here: https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/.
9.6 The Company has security measures in place designed to protect against the loss, misuse, and alteration of the information under our control. Personal data collected by the Company in connection with this policy is stored in secure operating environments that are not available to the public. The Company maintains information behind a firewall-protected server and uses SSL encryption for purchases made through our online store. All password information is hashed and never stored in plain text.
9.7 Notwithstanding our efforts to keep your personal data secure, no system can be 100% reliable. To the extent permitted by law, we cannot be held liable for any loss you may suffer if a third party procures unauthorised access to any data you provide through the Data Processing Channels. In addition, you are responsible for maintaining the strength and confidentiality of any login credentials.
9.8 We will notify you as soon as reasonably practicable if we have reason to believe that there has been a personal data breach by us which could adversely affect your rights and freedoms.
10 Links to third parties
10.1 Our App/Dashboards may contain links or redirections to other websites or mobile applications that are beyond our control. Such links or redirections are not endorsements of such websites/mobile applications or representation of our affiliation with them in any way and such third party websites or mobile applications are outside the scope of this policy.
10.2 If you access such third party websites or mobile applications, please ensure that you are satisfied with their respective privacy policies before you provide them with any personal data. We cannot be held responsible for the activities, privacy policies or levels of privacy compliance of any website or mobile applications operated by any third party.
11 Cookies
11.1 A cookie is a small file of letters and numbers stored on your browser or the hard drive of your computer or your device. Cookies contain information that is transferred to your computer's hard drive or device.
11.1 Our App/Dashboards uses cookies to distinguish you from other users of our App/Dashboards. This helps us to provide you with a better experience when you browse our App/Dashboards and also allows us to improve our website.
11.2 Some data collected by cookies is collected on an anonymous and/or aggregated basis. Where we use cookies that contain personal data, we will only process that personal data as set out in this policy.
11.3 Our App and Dashboards use some or all of the following cookies:
11.3.1 Strictly necessary cookies. These are cookies that are required for the operation of our App/Dashboards. They include, for example, cookies that enable you to log into secure areas of our App/Dashboards, use a shopping cart or make use of e-billing services.
11.3.2 Analytical/performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our App/Dashboards when they are using it. This helps us to improve the way our App/Dashboards works, for example, by ensuring that users are finding what they are looking for easily.
11.3.3 Functionality cookies. These are used to recognise you when you return to our App/Dashboards. This enables us to personalise our content for you, greet you by name and remember your preferences (for example, your choice of language or region).
11.3.4 Targeting cookies. These cookies record your visit to our App/Dashboards, the pages you have visited and the links you have followed. We will use this information to make our App/Dashboards and the advertising displayed on it more relevant to your interests. We may also share this information with third parties for this purpose.
11.3.5 Device Cookies. Each time you use our App/Dashboards we will automatically collect personal data including device, Content and Usage Data such as:
11.3.5.1 information relating to the operating system, hardware and software versions, battery level, signal strength, device memory, available storage space, browser type, app and file names and types and plugins;
11.3.5.2 unique identifiers, device IDs, mobile phone number, and other identifiers, such as from apps or accounts you use;
11.3.5.3 Bluetooth signals, and information about nearby Wi-Fi access points, beacons, and cell towers service provider and signal strength;
11.3.5.4 information you allow us to receive through device settings you turn on, such as access to your GPS location including your location to determine your distance from other users; some of our location-enabled services require your personal data for the feature to work. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose. You can withdraw your consent at any time by disabling Location Data in your settings;
11.3.5.5 information such as the name of your mobile operator or ISP, language, time zone, mobile phone number, IP address, connection speed;
11.3.5.6 information from device sensors, such as accelerometers, gyroscopes, compasses, microphones and headphone connection; and
11.3.5.7 for clinicians, information recording login times and dates.
11.4 You can find more information about the individual cookies we use and the purposes for which we use them in the table below:
Cookie
Purpose
Session
To determine if the user has an active session and therefore
should or should not log in to the App
11.5 Please note third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies and other technology (e.g. web beacons), over which we have no control.
11.6 Your browser may give you the ability to block all or some cookies by activating a setting in your browser's options. However, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our Software or Services.
11.7 Except for essential cookies, all cookies will remain unless the cookie cache is cleared (unless otherwise indicated in the table above).
12 Questions and complaints
12.1 For all questions or complaints about this policy, we would appreciate the chance to deal with your concerns before you approach the relevant data protection authority. Please contact us in the first instance via email at bas@limbic.ai or write to Data Protection Enquiries, CTO/Director, Kemp House, 160 City Road, London, England, EC1V 2NX.
12.2 You have the right to make a complaint at any time to the relevant supervisory authority for data protection issues, which in the UK is the Information Commissioner's Office (ICO) (www.ico.org.uk).
Limbic Access is a UKCA-marked Class 1 medical device. Our device label can be found here