Privacy Policy

 

To our Friends, Members and Community:

At Alta Flora, we have always taken privacy, data protection, trust and integrity very seriously. We have worked hard to build Eva with you, your privacy and data protection in mind.

The world of digital apps is a complex one. We acknowledge that using any digital service within the wider digital ecosystem may increase your data footprint. Each time you enter a data point into an app, it takes on a life of its own in the digital ecosystem. We have gone to great lengths to write this Privacy Policy in a manner that is clear and transparent, enabling you to navigate your personal data and make informed choices about it.

Please take a moment now to read and review our Privacy Policy below. We thank you for your continued support.

Team Alta Flora

 

This Privacy Policy contains important information about who we are, how and why we collect, store, use and share your personal information. It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint. In conjunction with this Privacy Policy, please take the time to also read Eva Terms and Conditions of Service.

We collect, use and are responsible for certain personal information about you. When we do so we are subject to the General Data Protection Regulation which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws. 

Below, we have explained some key terms used in this Privacy Policy:

We, us, our Alta Flora Ltd. a company incorporated in England and Wales with registration number 11388347 and whose registered office is at Alta Flora, 1, Sans Walk, London, England, EC1R 0LT, England, UK and including our group companies (“Alta Flora”).

Eva (“the App”) provides an easy way for you to track and monitor your consumption of botanical medicines, experiential medicines and other novel therapeutics and their impact on your quality of life. Eva is available in the Apple App Store and Google Play Store (the “App Stores”).

Personal information means any information that can be used to identify a single person.

Sensitive personal information is personal information revealing racial or ethnic origin, genetic and biometric data, information concerning health, sex life or sexual orientation.

WHAT personal information we collect about you

We may collect and use the following personal information about you:

  • your contact details, including your name, email address and telephone number. We believe in data minimisation and will only collect any such details to the extent we need them. Your email address (and any passwords) are kept in a separate authentication service and are separated from our main production database
  • gender and date of birth to enable us to check and verify your identity. In certain jurisdictions, if required by law, we may ask for your government issued ID
  • your data entered into the App which may include certain Sensitive personal information such as:
    • your general health e.g. weight, mood, condition, symptoms 
    • type of product
    • how the product is administered
    • dosage
    • body measurements
    • EQ-5D-5L (or similar) scales
    • description of your mood (eg. good days, bad days)
    • adverse effects you may experience as a result of consuming a particular medicine or treatment
    • diagnosis specific questionnaires (e.g. GAD for anxiety, PHQ-9 for depression, chronic pain questionnaires)
    • name of the clinic attended by you
    • a study or trial you are taking part in
  • location data (country/metropolitan area). We do not collect your precise location
  • your billing information, transaction and payment card information if you chose to participate in support initiatives for research and study
  • information about how you use the App and related other systems
  • your responses to surveys
  • your responses to research and study related initiatives you may be taking part in

This personal information is required to provide our services to you. You are not required to provide it, but, if you choose not to do so, in many cases we will not be able to provide you with our products or services or respond to queries you may have.

We also collect the following types of data from you (minimised where possible to protect your privacy):

  • Device data: This data informs us about the device you use to access our services (model; application identifier; crash information). It helps us to fix bugs, tailor our services to your device and improve our services
  • Event and performance data: This is anonymised data, relating to which features of the App have been used and at what time, which is then aggregated. It helps us to:
    • better understand which features of the App are most relevant to you;
    • communicate with you about relevant and timely information; 
    • direct future efforts towards more popular features; and  
    • improve features where appropriate.
  • IP address: This is required for various security mechanisms and communication protocols within software systems. Your IP address may also be used as part of our regulatory compliance in different countries.
  • Other collection and processing necessary to comply with professional, legal and regulatory obligations that apply to Alta Flora.

HOW your personal information is collected

We collect most of this personal information directly from you in person, by phone, message or email and/or the App.

However, we may also collect information:

  • from publicly accessible sources, e.g. Companies House (if applicable)
  • directly from a third party, eg.
    • a clinic or a health service provider (with your consent)
    • an authorised patient alliance group or similar (with your consent)
    • from a third party (with your consent), eg your caregiver
    • via our IT systems, eg. communications systems, gmail and instant messaging systems

WHY we use and process your personal information

We may process your personal information for the following reasons:

  • To provide our services, communicate with you and understand your needs

We collect certain information that allows us to contact you, analyse how you interact with the App, fix any bugs, send you reminders about our services (by email, message, push notifications, phone) and to keep you posted on announcements, our software updates, new features and our upcoming events. You will always remain in control of your communication preferences with Eva. If you don’t want to be on our mailing list, you may opt out from receiving these at any time.

We may also use certain Personal information to help us: 

  • create, develop, operate, deliver, and improve our services and content;
  • for loss prevention and anti-fraud purposes;
  • for account and network security purposes, including in order to protect our services for the benefit of all our users; and/or 
  • scanning uploaded content for potentially illegal content.

We will also use your personal information to provide you with important notifications regarding changes in our policies, terms and conditions. As these are integral in our interaction with you, you may not opt out of receiving these notifications whilst you are an Account holder.

System Analytics

From time to time, we may use third party tools to help us with system analytics (eg. software performance analytics and cyber security services). We only let third parties process usage data and minimal personal information on Alta Flora’s behalf and not any of your Sensitive personal information. We only allow technology system providers to handle your Personal information if they take appropriate measures to protect it. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you. 

At present, we use Google Analytics (https://privacy.google.com/businesses/compliance/)  to collect information about how you use Eva. The data is anonymised before being used for analytics processing. For us, Google Analytics processes anonymised information about:

  • the screen you visit whilst in app; and
  • how long you spend in our app

We do not store any of your personal information through Google Analytics (for example your name or address).  We will not identify you through analytics information, and we will not combine analytics information with other data sets in a way that would identify who you are.

Advancing scientific and academic research and study

We will share data only with carefully vetted researchers, who have gone through our rigorous due diligence process, to advance health and well-being studies. For that purpose, your Personal information will be anonymised (or de-identified) by removing or hashing any personal identifiers so that neither researchers nor any third parties can link it to you. You can read about our collaborations on our website.

If you are a participant in a particular research and/or study that is run by a research facility or a study using Eva as a tool to collect information for that study, the use of your Personal information and any Sensitive personal information will be governed by the terms and conditions of such research and/or study participation agreements and Eva will only share your information in accordance with your express consent under those agreements. The research facility will be solely responsible for the usage of your Personal information and your Sensitive personal information in the context of their specific study. In this scenario, we and the research facility have a “joint and several responsibility” in the handling of your data.

Digital advertising

We do not sell or share your Personal information or Sensitive personal information with organisations outside the Alta Flora Group for advertising or marketing purposes. We do not allow others to advertise their products in the App.

Aggregated insights

Eva is and always will be free to use. However, we need to generate revenue in order to maintain Eva (including paying salaries and bills at the business). In return for free use of the App, we use anonymised and aggregated data to generate research, the majority of which can then be made publicly available to benefit not only healthcare systems around the world but hopefully you or someone you know. We also support academia and industry to run studies privately using our technology platform for which we charge a fee.

Legal Grounds

We may process your Personal information for compliance with a legal or regulatory obligation to which Alta Flora is subject, for the performance of a contract to which you are a party, in order to protect your vital interests, or when we have assessed it is necessary for the purposes of the legitimate interests pursued by Alta Flora (e.g to stop an unauthorised or a suspicious activity). In such circumstances, we will only disclose such information that is required or requested to a minimum necessary.

Preventing unauthorised access and modifications to our systems 

For our legitimate interests or those of a third party, i.e. to prevent and detect criminal activity that could be damaging for us and for you.

Other 

It may be necessary to disclose your Personal information to an authorised third party. For example, in the event of a reorganization, merger, or sale we may transfer any and all Personal information we collect to the relevant third party. Usually, information will be anonymised but this may not always be possible. The recipient of the information (e.g a buyer of our business) will be bound by confidentiality obligations. This will not apply to your Sensitive personal information, which we will never transfer without your consent.

Consents and Your rights

When you create an Eva Account and use the App, your Personal information, including Sensitive personal information, is stored on your device and on our Eva servers and databases. By creating an Account, you consent that Eva may collect, store and process your Personal information and Sensitive personal information solely for the purposes set out in this Privacy Policy. Unless we have your express consent, Eva will not transmit any of your Personal information to third parties, except if it is required to provide services to you (e.g technology systems providers).

Your rights and a couple of other facts we think you should know

  • The existence of Automated Decision-Making, Including Profiling We do not take any decisions nor engage in activities which involve the use of algorithms or profiling that significantly affect you.
  • Integrity and Retention of your Personal information You are in control and can help ensure that your Personal information is accurate, complete, and up to date. And you also have the right to require us to correct any mistakes in your Personal information
  • We will retain your Personal information only for the period necessary to fulfil the purposes outlined in this Privacy Policy. We will retain it for the shortest possible period to realize the purpose of collection unless a longer retention period is required by law. For example, we will keep your personal information while you have an Account with us and/or we are providing services to you.
  • Different retention periods apply for different types of personal information and our records retention and management policy will be regularly reviewed and kept up to date. When it is no longer necessary to retain your Personal information, we will delete or anonymise it.

Request information on your personal data processed by Eva 

Upon your request, we will provide this information to you electronically. You can make an information request by contacting us at [email protected].  We also have an appointed Data Protection Officer (“DPO”). Please contact [email protected]  if you have any questions about this Privacy Policy.

Data Portability

In certain situations, you can request access to your information by requesting a backup of your data in a machine readable format that is commonly used by other organisations or companies. You can make a request by contacting us at [email protected]

Right to be forgotten

By deleting your Account (as explained in the Terms and Conditions of Service) you will irrevocably delete all your data, including all past data sent to third-party services used for tracking and analysis. 

Right to Object

You have the right to withdraw your consent from ongoing data processing at any time by deleting your Account and/or unsubscribing from our email communications by contacting us

Right to Complain

We hope that we can resolve any query or concern you raise about our use of your information. You can contact our DPO and you also have the right to lodge a complaint with a supervisory authority, in particular in a European Economic Area (EEA) state or in the United Kingdom if you work, normally live or if any alleged infringement of data protection laws occurred in the relevant state. 

The supervisory authority in the UK is the Information Commissioner (the ICO) who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.

For further information on each of those rights, including the circumstances in which they apply, please contact us [email protected]  or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.

Where your Personal information is held

We use servers located in the European Union to process and store your Personal information. When you create an Eva account, your personal profile data is stored separately from your daily log/tracking data and your service settings. This allows us to ensure the highest level of privacy for your Sensitive personal information. When you create an Account password with Eva, it is encrypted and cannot be read by us.

Wherever data is transferred between your device and our servers this is done so using HTTPS and only following an authentication process on the App. Data at rest, e.g. when stored on a server, is stored using an AES-256 encryption algorithm.

Transferring your personal information out of the UK and EEA

To deliver services to you, it is sometimes necessary for us to share your personal information outside the UK and/or European Economic Area (EEA), for example:

  • with our offices outside the UK/EEA
  • with your and our service providers located outside the UK/EEA
  • if you are based outside the UK/EEA
  • where there is an international dimension to the services we are providing to you

These transfers are subject to special rules under European and UK data protection law. The following countries to which we may transfer personal information have been assessed by the European Commission as providing an adequate level of protection for personal information: Canada (commercial organisations only), Switzerland, New Zealand.

Except for the countries listed above with ‘adequacy’, other non-UK/EEA countries do not have the same data protection laws as the United Kingdom and EEA. We will, however, ensure any such transfer complies with data protection law and all personal information will be secure, by using the approved Model Contractual Clauses and by observing applicable privacy regulations.

Keeping your personal information secure

We have appropriate security measures to prevent Personal information under our control from being accidentally lost, or used or accessed or altered unlawfully.

  • We limit access to your Personal information to those who have a genuine business to access it.
  • Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
  • We will continually test our systems and follow top industry standards for information security when transferring and storing your data.
  • We will use all reasonable efforts to prevent misuse, loss or alteration of information.
  • We have procedures in place to deal with any suspected data security breach.
  • We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

We believe that the biggest threat to the security and privacy of your data is if a person (most likely someone you know) gains access to your devices without your consent. The data you log in Eva is private and it should stay that way (unless you actively choose to share it).

Protect your device – activate either PIN, Touch ID or Face ID (as appropriate) authentication – this will automatically encrypt your data (including Eva data) and will prevent any person from using your device without permission.

Activate Erase your Device – For iOS , activating this feature is a two-step process: first, you need to Activate ” Find My iPhone ” via iCloud (see instructions on Apple Support pages ) and then enable ” Erase your device ” (see instructions on Apple Support pages ).

For Android, download and set up Find My Device (formerly Android Device Manager) from the Google Play Store and, if needed, use the connected web interface to lock or wipe your phone remotely.

If you would like some other detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org . Get Safe Online is supported by HM Government and leading businesses.

NO COOKIES

We love cookies (especially freshly made ones)! However, here we are talking about electronic ‘cookies’ which are small text files that are intended to make a website better for you to use and/or ‘enhance your digital experience. In general, cookies are used to retain preferences, store information for things like shopping carts, and provide tracking data to third-party applications (such as Google Analytics or Amazon) or identify your device for special advertising purposes such as retargeting.

We cannot control third party ‘cookies’ but we have removed and do not use unnecessary cookies for the App and Alta Flora website.

Firebase

We use a suite of performance analysis and monitoring tools called Firebase (https://firebase.google.com/support/privacy), which is provided by Google Inc. Firebase allows us to monitor the overall performance and stability of the App, implement internal version control, identify bugs and prioritize fixes.

For this purpose Firebase collects your IP address, device identifier, as well as event and usage data specifically related to your use of the App. This data will be transferred to and stored on a server in the EU and operated by Google, Inc. It is not possible to opt-out of this as Firebase is an essential tool that we require in order to provide a functioning Eva App to you.

Changes to this Privacy Policy

We reserve the right to amend and update this Privacy Policy from time to time to reflect changes in the law, our data collection and data use practices, advances in technology or similar. If we materially change the way in which we process your Personal information or Sensitive personal information, we will provide you with prior notice, or where legally required, request your consent prior to implementing such changes. 

Please note that the English language version of this Privacy Policy is the original version, which prevails over all other versions (as we cannot 100% guarantee accuracy of our professional translators and proofreaders). The most up-to-date version of this Privacy Policy is always available in English language on our website.

This Privacy Policy was last modified on 12 January 2021.