Privacy Policy

Last updated: 20 Jan 2020

IMPORTANT

PLEASE READ THIS POLICY CAREFULLY BEFORE USING ANY OF AKESIO SERVICES.

By visiting the website at https://www.akesio.com (the “Website”) and/or our application (“App”), collectively named our “Services” you are accepting and consenting to the practices described in this Privacy Policy (“Privacy”).

IF YOU DO NOT CONSENT, PLEASE DO NOT SUBMIT ANY PERSONAL DATA TO US.

You must be 18 years or older to use our services (Akesio website and application). By using our website and agreeing to our Terms, you warrant that you are at least 18 years of age.

1. Introduction

Akesio Limited (“Akesio”, “We”, “Us”, “Our”) administers the website https://www.akesio.com (the “Website”) and the Akesio web application (our “App”); they are collectively named our “Services”.

We are committed to protecting and respecting your privacy, and it is crucial for us that you feel safe while you’re using our Services.

This Privacy Policy (“Privacy”), together with our Terms & Conditions Policy (“Terms”), our Cookies Policy (“Cookies”) and any other document referred to in it, sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed.

Therefore, by carefully reading this Privacy Policy you will understand the types of data we collect from you, how we manage your data, including the circumstances in which we will share it with third parties (for example the laboratory that analyses your samples), your rights relating to the personal data you provide us, etc.

We comply with data protection laws, including but not limited to the General Data Protection Regulation (“GDPR”) and 'Directive 96/46/EC', and with all other data protection legislation in force in the UK.

2. About us

Akesio is a company incorporated in England, our company registration number is 11191446 and our registered address is: 4th Floor 8 Old Jewry, London, England, EC2R 8DN.

We are registered with the UK Information Commissioner’s Office as a “Data Controller” (Reg No. ZA315403), and have in place a comprehensive Company data protection policy, procedures and practices to meet the standards of high quality data protection. Our Data Protection Officer is Lavinia Ionita (lavinia@akesio.com).


3. Personal data we collect

We need to collect and process your data in order to provide you with a personalised stress management programme and to improve your mental and overall well being (the scope of our services).

3.1. Information you’ll be asked to provide us

Personal Information

Before starting to use our Services, you’ll be asked to provide us with relevant information such as (but not limited to):

  • your full name
  • email address
  • address, ZIP/Postal code, City, Country
  • phone number
  • date of birth
  • gender

This data will be used to identify you and/or to allow further communications with you, in particular when:

  • you purchase one of the offers of our Services and proceed with the registration or login on your Akesio account (your dedicated user portal)
  • you fill in forms on our website
  • you subscribe to our Newsletter
  • there is any update to the information you’ve provided us

You can opt out at any time of any external communication such as phone calls, text messages, chat or emails, including Newsletters and marketing or promotional campaigns about our Services.

Health Data

When you register for our Services, we may collect lifestyle and health data (“Health Data”) from you in order to provide you with a personalised report regarding stress and mental well-being and with an ongoing follow-up to evaluate progress against your health goals.

We will collect information about your general health, mental health and your sex life. You’ll be asked, for example, for information about your current symptoms, medical history, habits and behaviours, etc. You can opt out if you don’t want us to process a particular subset of information, for example ‘sex life’ data, but certain information is mandatory.

We may use your Health Data to fulfil our obligations and commitments towards you for a high quality service; therefore we may need to use appropriate information for our internal procedures and practices, which include healthcare, operations, administration and planning.

We keep records of all your health information, including lifestyle and behaviours, as well as of all interactions we may have with you, to ensure a high quality of care and support. In order to monitor and improve our service quality and user experience, we may retain records of all our interactions regarding any demands, suggestions, greetings or complaints you may have about our Services regarding your health and mental wellness.

Financial data

In order to have access to your personalised wellbeing programme you’ll need to make a payment for our Services. The payment processing is done through third-party services (e.g. payment processors) that receive the information directly from you (we will not store or collect your payment card details; we will only retain basic details of the transaction).

Our payment processor is compliant with the Payment Card Industry Data Security Standard (PCI DSS) and adheres to the standards set by PCI-DSS as managed by the PCI Security Standards Council, which is a joint effort of brands like Visa, MasterCard, American Express and Discover. PCI-DSS requirements help ensure the secure handling of payment information.

3.2. Information we collect automatically when you’re visiting our website

Technical information and usage analytics

We may collect technical information about the devices you use to access our Services and also analytical information on your visits to our website and/or app. Therefore, while you’re visiting our Services, your browser sends us information about your device such as (but not limited to) the IP address, the operating system, the browser type, the pages you visit, the date and time, how much time you’ve spent on the website, etc.

This information is kept as anonymous as possible and we will not use this data to identify you, but merely to improve the user experience of our Services, to improve our offers, to assist communication, etc.

Cookies

We may use cookies (small text files) and similar tracking technologies (beacons, tags, etc.) in order to improve your user experience with our Services (we use the term “cookies” for all of them).

When you first visit our website, cookies are sent to your browser and stored on your computer or mobile device. In this way, for example, we may recognise your device the next time you visit our Services and store data about your preferences, etc., which allows us to improve your experience.

Data collected in this manner is pseudonymized, and is not stored together with other personal data of the user.

You are free to decide whether or not you are willing to accept cookies on your device by changing the settings of your browser (you can decide to refuse all cookies). However, if you choose this option you may not benefit from the full functionality of our Services.

4. How we use your personal data

4.1. Data usage purposes (we use the above personal data for various purposes):

  • to conceive and provide you with a personalised wellness programme (the reason for which you may register for our Services)
  • to ensure communication between you and our Services
  • to monitor and improve the quality of our Services
  • to keep you up to date (notifying you about any changes in our Services, occasional marketing campaigns for our products that might be of interest to you, etc.)
  • to prevent, monitor and address technical problems
  • to improve security and safety
  • educational purposes (Newsletters, events and webinars that you may be invited to).

4.2. Who has access to your data

We have policies, procedures and other operating systems in place in order to take reasonable steps to limit the use or disclosure of your personal data (i.e. we restrict access to your personal data to dedicated persons for a specific task, following the principle of minimum necessary access to identifiable health information).

4.3. Data sharing

Akesio doesn’t share any of your personal information with any third parties without your explicit consent (you can change and/or remove your consent at any time; see below in “Your rights” how to withdraw consent).

We may use providers and sub-contractors (third parties) to support our Service, perform Service-related services or assist us in analysing how our Service is used.

In case we need to share your personal data for the purposes for which the data was initially collected (e.g. having your samples processed by an external laboratory), the sharing of your personal information will always be done with your consent and following strict rules of security and confidentiality. These third parties will only legally be able to use your data for the purpose of providing a service to us and are obliged not to disclose or use it for any other purpose. We require that these service provider contractors (third parties) have solid privacy and security measures in place for data protection.

The third parties we may use include, but are not limited to:

  • technical suppliers to operate and maintain our Services
  • payment processors
  • cloud providers
  • analytics and search engines
  • medical analysis laboratories
  • marketing, advertising and promotional services to which you agreed.

In order to meet the highest quality and safety standards and minimise the risks, we may use pseudonymised data wherever applicable.

We may share aggregate statistics from anonymised data (non-identifiable data) with our partners, for research and to contribute to innovation in the healthcare and mental wellness areas (e.g., x% of your group of 50 individuals present high levels of stress). This type of data is irreversibly anonymised.

Under certain exceptional circumstances, we may disclose your information in good faith as a legal obligation in order to comply with a regulation, legal process or governmental request:

  • to comply with the law
  • to assert legal rights or defend against legal claims
  • to prevent or investigate illegal activities related to our service (fraud, abuse, etc.)
  • to prevent or investigate security threats to our service or to preserve physical safety of the users and general public
  • if we are acquired by a third party, all of our assets, including personal data, will be transferred to this third party, which will be responsible for your data
  • if we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets.

4.4. Data retention

We will hold the above data for as long as is necessary for the purposes set out in this Privacy Policy, in order to provide you with our Services, manage any specific issues that may arise or, otherwise, as is required by law or by any relevant regulatory body.

In accordance with current legislation, we will retain health data for 10 years.

When you use our website, your data is removed after 14 days, unless any security-relevant event occurs (e.g. a DDoS attack). If there is a security-relevant event, server log files are stored until the security-relevant threat has been fully eliminated and resolved.

When you use our app and you request deletion of your account or when you delete your account in the App, your data is deleted or irreversibly anonymised (and cannot be associated with a specific natural person). If your account is inactive for more than 24 months, we will contact you to check whether you wish to continue using our Services. If you then leave your user account unused for another 12 months, we will delete your account and anonymise your data (in a way that it cannot be associated with a specific natural person).

We may retain personal data for reasonable business needs (e.g. for the purpose of internal analysis), and when your personal data is no longer needed it is either irreversibly anonymised (and the anonymised data may be retained) or securely destroyed.

4.5. Transfer of data

If you are located outside the United Kingdom and choose to use our Services and provide information to us, we may transfer the data, including Personal Data, from where you are located to the United Kingdom and process it here. Therefore, your information, including Personal Data, may be transferred to and maintained on computers located outside of your state, province, country or other governmental jurisdiction, where the data protection laws may differ from those of the UK.

By consenting to this Privacy Policy, the submission of such information represents your agreement to that transfer.

Where a transfer is necessary, it will be done on the same principles set out by this Privacy Policy, following the highest standards of security and privacy. No transfer of your Personal Data will take place to an organisation or a country unless the necessary controls are in place to ensure the security of this process.

4.6. Data Security and storage

We use OVH to store all the personal data we collect from you. OVH have implemented an information systems security policy, and meet the requirements for several standards and certifications: PCI DSS, ISO/IEC 27001 certification, SOC 1 Type 2 and SOC 2 Type 2 attestations, etc. They also have an accreditation for hosting healthcare data (HDS).

We send personal data to OVH servers in an encrypted form. The information transferred between your browser and our website is also encrypted using Transport Layer Security (“TLS”). All passwords are stored in encrypted form and all traffic is transmitted securely via “SSL” by default. When transmitting sensitive information, you should always make sure that your browser can validate our certificate.

The security of your data is of crucial importance to us and we do our best to mitigate the risks, but remember there is no “risk zero” in the digital world (there is no method of transmission over the Internet or method of electronic storage that is 100% secure, therefore we cannot guarantee the absolute security of your personal data).

4.7. Your rights

According to the General Data Protection Regulation (GDPR), as a resident of the European Economic Area (EEA) you have several rights regarding your personal data, as follows:

  • right to transparency: you have the right to know how your data is being used (we are committed to providing you with transparent information, communication and modalities for the exercise of the rights regarding your data, in conformity with Art. 12 GDPR)
  • right to be informed: you have the right to have access to your personal information (Art. 15 GDPR), including confirmation from us of whether we are processing your personal data. If this is the case, you have the right to access information regarding the purposes of processing, the categories of your personal data that are processed, the recipients or categories of recipients to whom the personal data have been or will be disclosed, etc. (Art. 15.1 GDPR)
  • right to rectification: you have the right to have your information rectified if there is inaccurate or incomplete information about you (Art. 16 GDPR)
  • right to erasure/‘right to be forgotten’: you have the right to obtain the erasure of your personal data from our Services (Art. 17 GDPR). This means that we are obliged to erase your data without further delay once you request this of us for one of the reasons listed in Art. 17.1 GDPR.
  • right to restriction of processing: you have the right to obtain from us the restriction of processing of your data if one of the reasons listed in Art. 18.1 GDPR applies (for example, if you contest the accuracy of the personal data); restriction means that stored personal data is “labelled” as having a restriction for future processing.
  • right to object: you have the right to object at any time to how your personal data is processed, according to Art. 21 GDPR. Examples of particular situations in which you can exercise this right:
    - processing for direct marketing purposes, including profiling
    - processing for statistical purposes
    Once you object to the processing of your personal data by us, we will no longer process your data.
  • right to withdraw consent: you have the right to withdraw at any time the consent you gave Akesio to process your information.
  • right to data portability: you have the right to receive the personal data that you have provided us in a structured, commonly used and machine-readable format and to transmit that data to another controller without hindrance from us, if the processing is based on consent pursuant to Art. 6.1 or Art. 9.2 GDPR or on a contract pursuant to Art. 6.1 GDPR and the processing is carried out by automated means (Art. 20.1 GDPR). In exercising your right to data portability, you also generally have the right to have your personal data transmitted directly from us to another controller, where technically feasible.
  • right to complain: you have the right to lodge a complaint about your personal data with a supervisory authority (Art. 77 GDPR), in particular in the Member State of your habitual residence, place of work or place of the alleged infringement, if you consider that the processing of your personal data infringes the General Data Protection Regulation (GDPR). The supervisory authority responsible for us is the Information Commissioner’s Office (ICO): Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, UK.

For any of the requests listed above, you need to contact us at dpo@akesio.com and/or at our registered office address (4th Floor 8 Old Jewry, London, England, EC2R 8DN). Asking us to stop processing your personal data or to delete your personal data will mean that you are no longer able to use our Services, or the part of the Services related to the processing of the types of personal data you have asked us to delete. This may remove your access to and use of our Services.

5. Links to other websites

Our Service may contain links to other sites that are not operated by us. We strongly advise you to carefully read the Privacy Policy of every external website you visit from our website (we are not responsible for their privacy and security policies).

6. Our Services are for adults only

You must be 18 years or older to use our “Services” (Akesio website and application). By using our website and agreeing to our Terms, you warrant that you are at least 18 years of age.

7. Updates of Privacy Policy

We reserve the right to revise, change and update our Privacy Policy, with changes being effective from the date published on this document. You’ll be notified by email prior to any change or update, but we encourage you to regularly read our Policies.


8. Glossary - definition of terms:

  • When we refer to “we”, “us”, “ours” this means “Akesio Limited”
  • Our “App” is our web application
  • “Services”: “Website” and “App”
  • “Consent” of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
  • “Personal Data”: means data about a living individual who can be identified from that data (or from that and other information either in our possession or likely to come into our possession). This means any information relating to an identified or identifiable natural person (“data subject”).
  • “Health Data”: means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status.
  • “Data Subject” (or “User”): is any living individual who is using our Services and who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  • “Usage data”: is data collected automatically, either generated by the use of the Service or from the Service infrastructure itself. This could be technical information about your device and/or details of your visits to the Website and App (e.g. the date and time you spend visiting a page of our website, or the symptoms you search for on our app).
  • “Pseudonymisation”: is a technique that replaces or removes information in a data set that identifies an individual. This means that the processing of the personal data is done in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information (pseudonymisation may involve replacing names or other identifiers which are easily attributed to individuals with, for example, a reference number or a key code). This additional information (e.g. key code, reference, etc.) is kept separately from the personal data and is subject to technical and organisational measures governing how it is used (e.g. when re-identification is needed). Data pseudonymisation can reduce the risk to data subjects and reinforce security. However, it does not change the status of this type of data as “personal data”.
  • “Anonymisation” (non-identifiable data): the processing of personal data is done in such a manner that the identification of a specific natural person is impossible. This type of data is irreversibly anonymised. It may be used, for example, for aggregated statistics for our partners, research, and to contribute to innovation in the healthcare and mental wellness areas. For example, x% of your group of 50 individuals present high levels of stress.
  • “Data processing”: any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Data processors”: any natural or legal person who processes the data on behalf of the Data Controller.
  • “Data controller”: means the natural or legal entity who (either alone or jointly with others) determines the purposes for which and the manner in which any personal information is or is going to be processed (for example, Akesio is your data controller).
  • “Third parties”: means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
  • “Cookies”: are small text files managed by the browser of your device (computer, tablet or mobile device).