Date: 25th August 2020
To our Friends, Members and Community:
At Alta Flora, we have always taken privacy, data protection, trust and integrity very seriously. We have worked hard to build Eva with you, your privacy and data protection in mind.
In a nutshell, throughout all your interactions with us, you have control of your information, what happens to your data and who has access to it:
- we don’t sell your personal data to any third party
- we don’t give you any information that isn’t fact checked and evidence based
- we don’t accept any stereotyping based on gender, sexuality, religion or race
- we believe in data minimisation (and will only collect details we need to provide the services)
- WE GIVE YOU CONTROL OF YOUR DATA AND ACCESS TO IT.
If we make any changes to Eva, or how we handle your data, those changes will be shared with you immediately, will require your active and ‘in-the-know’ consent, will contain details about exactly what information we will be able to collect, how we collect it, what we are able to do with it, who may get access to it (and in what form and capacity) – and how we will keep it safe.
Team Alta Flora
We take your privacy very seriously. We acknowledge that using any digital service within the wider digital ecosystem may increase your data footprint. We fully accept the responsibility that comes with safeguarding your sensitive personal data.
We collect, use and are responsible for certain personal information about you. When we do so we are subject to the General Data Protection Regulation, which applies across the European Union (including in the United Kingdom) and we are responsible as the ‘controller’ of that personal information for the purposes of those laws.
The world of digital apps is a complex one. Each time you enter a data point into an app, it takes on a life of its own in the digital ecosystem. In many cases, it is unlikely that you as a user know what really happens to that single, or any subsequent, data points once it enters an application or a website. And the only way to know is to read often endless and highly technical legal documentation, which is more often than not, written in a language that is difficult to read and/or understand.
We have gone through great lengths to write these documents in a manner that is easy to understand, enabling you to learn how to navigate your personal data privacy and make informed choices about your data.
We, us, our Alta Flora Ltd. a company incorporated in England and Wales with registration number 11388347 and whose registered office is at First Floor, Moray House, 23-31 Great Titchfield Street, London, W1W 7PA, England, UK and including our group companies (“Alta Flora”).
Account holder a person of 18 years (minimum age) or older.
Eva (“the App”) provides an easy way for you to track and monitor your consumption of botanical medicines and novel therapeutics and their impact on your quality of life. Eva is available in the Apple App Store and Google Play Store (the “Apps Store”).
Eva has an appointed Data Protection Officer (“DPO”). Please contact [email protected] if you have any questions.
Personal information means any information that can be used to identify a single person.
Sensitive personal information is personal information revealing racial or ethnic origin. Genetic and biometric data. Data concerning health, sex life or sexual orientation.
What personal information we collect about you
We may collect and use the following personal information about you:
- your name and contact information, including email address and, if you provide it to us, your telephone number. We believe in data minimisation and will only collect any such details to the extent we need them and you should know that your email address (and any passwords) are kept in a separate authentication service and are separated from our main production database
- information to enable us to check and verify your identity, eg your date of birth to determine the age of our account holders. In certain jurisdictions, we may ask for your government issued ID, if we are required by law.
- your gender information, if you choose to give this to us
- your data entered into the App which may include certain Sensitive personal information, eg:
- type of condition/symptom
- type of product
- how the product is administered
- body measurements
- EQ-5D-5L (or similar) scales
- description of your mood (eg. good days; bad days)
- adverse effects you may experience as a result of consuming a particular medicine
- diagnosis specific questionnaires (e.g. GAD for anxiety, PHQ-9 for depression, chronic pain questionnaires)
- name of the clinic attended by you
- a study or trial you may be taking part in
- location data (country/metropolitan area). To be clear we do not collect your precise location
- your billing information, transaction and payment card information in very limited circumstances and with your express consent at such time that you choose to participate in support initiatives for research and studies
- information about how you use our Eva app and related other systems
- your responses to surveys
- your responses to a research and study related initiatives you may be taking part in
This personal information is required to provide our services to you. You are not required to provide the personal information that we have requested, but, if you chose not to do so, in many cases we will not be able to provide you with our products or services or respond to queries you may have.
How your personal information is collected
We collect most of this personal information directly from you in person, by phone, via message or email and/or the App.
However, we may also collect information:
- from publicly accessible sources, e.g. Companies House (if applicable)
- directly from a third party, eg.
- a clinic or a health service provider (with your consent)
- an authorised patient alliance group or similar (with your consent)
- from a third party (with your consent), eg your caregiver
- via our IT systems, eg. communications systems, Gmail and instant messaging systems
How and why we use and process your personal information
- To provide our services, understand your needs and communicate with you we collect certain information that allows us to contact you, analyse how you interact with the App, fix any bugs, send reminders to your smartphone via in-App messages and push notifications, to keep you posted on announcements, our software updates, new features and our upcoming events. We are very thoughtful about how we communicate and how often. You will always remain in full control of your communication preferences with Eva. If you don’t want to be on our mailing list, you may opt out from receiving these at any time.
From time to time, we do use third party tools to help us with system analytics (eg. software performance analytics, cybersecurity services and similar). We are careful to only let third parties process usage data and minimal personal data on Alta Flora’s behalf, and are not using any of your Sensitive personal data related to your condition, symptoms or any other health and wellbeing data. We only allow our technology system providers to handle your personal information if we are satisfied they take appropriate measures to protect your personal information. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you.We may use certain personal information to help us create, develop, operate, deliver, and improve our services and content and for loss prevention and anti-fraud purposes. We may also use your personal information for Account and network security purposes, including in order to protect our services for the benefit of all our users, and/or scanning uploaded content for potentially illegal content.We will also use your personal information to provide you with important notifications regarding changes in our policies, terms and conditions. As these are integral in our interaction with you, you may not opt out of receiving these notifications whilst you are an Account holder.Types of data we collect (minimised wherever possible to protect your privacy) :
- Device data: This data informs us about the device you use to access our services (model; application identifier; crash information) and helps us to fix bugs, tailor our services to our members’ devices and improve our services
- Event and performance data: aggregated data so we can better understand which features in our App are most relevant to you and to communicate with you about relevant and timely information. This is anonymous data relating to which features of the App have been used and at what time. This data helps direct future efforts towards more popular features and improve features where problems are seen in the data.
- IP address: this is required for various security mechanisms and communication protocols within our software systems. Your IP address may also be used as part of our regulatory compliance in different countries.
- With your explicit consent, we may collect data about how you use your device and our application in order to help the App developers improve our App
- Other collection and processing necessary to comply with professional, legal and regulatory obligations that apply to Alta Flora
- Advancing scientific research We fight stigma with facts and data. We will share data only with credible and carefully vetted researchers to advance health and well-being studies. For that purpose, your personal data will be anonymised (or de-identified) by removing or hashing any personal identifiers so that neither researchers nor any third parties can link it to you. You can read about our collaborations here.If you are a participant in a particular research and/or study that is run by a research facility or a study using Eva as a tool to collect information for that study, the use of your personal data and any Sensitive personal information will be governed by the terms and conditions of such research and/or study participation agreements and Eva will only share your information in accordance with your express consent under those agreements. The research facility will be solely responsible for the usage of your personal and your Sensitive personal and health data in the context of their specific study. In this scenario, we and the research facility have a “joint responsibility” in the handling of your data.
- Digital advertising; aggregated insights We do not sell or share your data for advertising or marketing purposes (this is not our business model).We may share a minimal amount of data about our members’ community in general with our networks to talk about our App and what we do (but this will never be your personal data or other health data you track in the App). We do not allow others to advertise their products in our App.Eva is and always will be free for you as an individual to use. However, we need to make some money in order to maintain Eva (including paying salaries and bills at the business). In return for the free use of the App, we use anonymised and aggregated data to generate research. We aim to make the bulk of the research publicly available to benefit healthcare systems around the world. However, organisations looking to answer specific research questions pay for more customised studies. We also support academia and industry to run studies privately using our technology platform which they also pay for. In summary, you pay us with your trust—rather than money—in return the Eva App is free and hopefully we can provide some research that benefits you or someone you know.
- Preventing unauthorised access and modifications to our systems For our legitimate interests or those of a third party, ie to prevent and detect criminal activity that could be damaging for us and for you
- Other It may be necessary to disclose your personal and non-personal information by law, legal process, litigation and to comply with our legal and regulatory obligations, in which case we will only disclose such information that is required or requested to a minimum necessary.Additionally, in the event of a reorganization, merger, or sale we may transfer any and all personal information we collect to the relevant third party. Usually, the information will be anonymised but this may not always be possible. The recipient of the information (e.g a buyer of our business) will be bound by confidentiality obligations. This will not apply to your Sensitive personal data, which we will never transfer without your consent.
Consents and Your rights
As mentioned earlier, we may use your personal information to send you updates (by email, message, push notifications, phone) about our services, new features, reminders, events and updates. When you create an Eva Account, your personal data, including Sensitive personal data, is stored on your device and is also stored on our Eva servers and databases. By creating an Account, you consent that:
- Eva may collect, store and process personal data you provide through the usage of the App and through the account creation process solely for the purpose of providing Eva services to you and to improve Eva’s service features.
- Such personal data you provide to Eva through the Account creation process includes personal data you enter into the App, such as your account data (e.g. your username and email address), and depending on the data you provide, it may also contain information about your general health (e.g. weight, mood, condition, symptoms and so on)
- Unless we have your consent (where consent is needed, we will ask for this consent separately and clearly), Eva will not transmit any of your personal data to third parties, except if it is required to provide services to you (e.g technology systems providers)
- We may use your data to create de-identified sets of data for scientific and academic research and study. Each of Eva’s collaborators will be carefully selected, will go through our rigorous due diligence and vetting process. This pseudonymised data will not contain any information that would allow such research partners to identify you as an individual.
We will always treat your personal (including sensitive) information with the utmost respect and never sell OR share it with other organisations outside the Alta Flora group for marketing purposes.
Your rights and a couple of other facts we think you should know
- The existence of Automated Decision-Making, Including Profiling Alta Flora and Eva do not take any decisions nor engage in activities which involve the use of algorithms or profiling that significantly affect you.
- Integrity and Retention of your Personal information you are in control and can help ensure (and we will try and make it easy for you) your personal information is accurate, complete, and up to date. And you also have the right to require us to correct any mistakes in your personal information
- Our services and the App have been designed to minimise the use of your personal data
- Request information on your personal data processed by Eva Upon your request, we will provide this information to you electronically. You can make a request by contacting us at [email protected]
- Data Portability In certain situations, you can request to gain access to your information by requesting a backup of your data in a machine readable format that is commonly used by other organisations or companies. You can make a request by contacting us at [email protected]
- Right to be forgotten by deleting your Account (as explained in Eva Terms and Conditions of Service) you will irrevocably delete all your data, including all past data sent to third-party services used for tracking and analysis
- Right to Object you have the right to withdraw your consent from ongoing data processing at any time by deleting your Account and/or unsubscribing from our email communications by contacting us
- Right to Complain We hope that we can resolve any query or concern you raise about our use of your information. You also have the right to lodge a complaint with a supervisory authority, in particular in a European Economic Area (EEA) state or in the United Kingdom if you work, normally live or if any alleged infringement of data protection laws occurred in the relevant state. The supervisory authority in the UK is the Information Commissioner (the ICO) who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.
For further information on each of those rights, including the circumstances in which they apply, please contact us [email protected] or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
Where your personal information is held
Eva is London born and uses servers located in the European Union to process and store your personal data. When you create an Eva account, your personal profile data is stored separately from your daily log/tracking data and your service settings. This allows us to ensure the highest level of privacy for your Sensitive personal information. When you create an Account password with Eva, it is encrypted and cannot be read by us.
Wherever data is transferred between your device and our servers this is done so using HTTPS and only following an authentication process on the App. Data at rest, e.g. when stored on a server, is stored using an AES-256 encryption algorithm.
Please also see above: ‘Who we share your personal information with’.
Some of the third parties (mentioned in Who we share your personal information with) may be based outside the European Economic Area. Alta Flora has a few legal entities in different jurisdictions which are responsible for the personal information which they collect and which is processed on their behalf by Alta Flora (London). Personal information, relating to Alta Flora and Eva services, regarding individuals who reside in a member state of the European Economic Area, the United Kingdom and Switzerland is controlled by Alta Flora, and processed on its behalf by only those who are legally authorised to do so.
Transferring your personal information out of the UK and EEA
To deliver services to you, it is sometimes necessary for us to share your personal information outside the UK and/or European Economic Area (EEA), for example:
- with our offices outside the UK/EEA
- with your and our service providers located outside the UK/EEA
- if you are based outside the UK/EEA
- where there is an international dimension to the services we are providing to you
These transfers are subject to special rules under European and UK data protection law. The following countries to which we may transfer personal information have been assessed by the European Commission as providing an adequate level of protection for personal information: Canada (commercial organisations only), Switzerland, New Zealand.
Except for the countries listed above with ‘adequacy’, other non-UK/EEA countries do not have the same data protection laws as the United Kingdom and EEA. We will, however, ensure any such transfer (eg. if you are based outside the UK/EEA etc) complies with data protection law and all personal information will be secure, by using the approved Model Contractual Clauses and by observing applicable privacy regulations.
Keeping your personal information secure
We have appropriate security measures to prevent personal information under our control from being accidentally lost, or used or accessed or altered unlawfully.
- We limit access to your personal information to those who have a genuine business need to access it.
- Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
- We will continually test our systems and follow top industry standards for information security when transferring and storing your data.
- Though we cannot ensure or guarantee that misuse, loss or alteration of information will never occur, we use all reasonable efforts to prevent it.
- We also have procedures in place to deal with any suspected data security breach.
- We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We believe that the biggest threat to the security and privacy of your data is if a person (most likely someone you know) gains access to your devices without your consent. The data you log in Eva is private and it should stay that way (unless you actively choose to share it – we would advise you to regularly review whether that still makes sense for you to share that information).
Protect your device – activate either PIN, Touch ID or FaceID (as appropriate) authentication – this will automatically encrypt your data (including Eva data) and will prevent any person from using your device without permission.
Activate Erase your Device – For iOS, activating this feature is a two-step process: first, you need to Activate “Find My iPhone” via iCloud (see instructions on Apple Support pages) and then enable “Erase your device” (see instructions on Apple Support pages).
For Android, download and set up Find My Device (formerly Android Device Manager) from the Google Play Store and, if needed, use the connected web interface to lock or wipe your phone remotely.
If you would like some other detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
And finally COOKIES
We love cookies (especially freshly made ones)! However, here we are talking about electronic ‘cookies’ which are small text files that are intended to make a website better for you to use and/or ‘enhance your digital experience. In general, cookies are used to retain preferences, store information for things like shopping carts, and provide tracking data to third-party applications (such as Google Analytics or Amazon) or identify your device for special advertising purposes such as retargeting.
We cannot control third party ‘cookies’ but we have removed and Do Not use unnecessary cookies for the Eva App and Alta Flora website.
Eva uses a suite of performance analysis and monitoring tools called Firebase, which is provided by Google Inc. Firebase allows us to monitor the overall performance and stability of the App, implement internal version control, identify bugs and prioritize fixes.
For this purpose Firebase collects your IP address, device identifier, as well as event and usage data specifically related to your use of our App. This data will be transferred to and stored on a server in the EU and operated by Google, Inc.
It is not possible to opt-out of this as Firebase is an essential tool that we require in order to provide a functioning Eva App to you.