Aspedan Privacy Policy 2024

Version 2.0.0

Effective Date: 18/12/2023  Review By Date: 17/01/2024

At Aspedan, we are committed to protecting your privacy and ensuring the security of your personal information. This Privacy Policy outlines how we collect, use, disclose, and protect your data in accordance with the General Data Protection Regulation (GDPR) and NHS Digital Technology Assessment Criteria (DTAC). Please read this policy carefully to understand our practices regarding your personal information.

1. Data Collection and Use
2. Legal Basis for Processing
3. Data Sharing and Disclosure
4. Data Security
5. Information Security
6. Your Rights
7. Cookies and Tracking Technologies
8. Children’s Privacy
9. Changes to the Privacy Policy
10. Contact Us
11. Interpretation
12. Data Collection and Use

1.1 Personal Information: We collect personal information, including but not limited to your name, email address, contact number, date of birth, gender, and health-related information, when you create an account with Aspedan. This information is necessary to provide you with personalised health plans and daily health scores, and for Aspedan to offer our services to you.

1.2 Health Data: Aspedan collects and processes health-related data, including: Name, Full Name, Nickname or First Name Only), Mobile Number / Device Number / Home Phone Number, Email, Full Address/Postcode, Age / DOB, General Wellness Data, Physical Description, Cookies / Web Beacons etc. (used for tracking an individual’s online browsing behaviours/movements), Usage Data, Race / Ethnic Origin, Genetic or Biometric Data (where this is used for identification purposes eg. fingerprint or facial recognition), Physical and/or Mental Health Data, Gender (self-declared or observed) Email, Mobile Number / Device Number / Home Phone Number, Gender (self-declared or observed), Physical and/or Mental Health Data, General Wellness Data, Usage Data, Age / DOB, Cookies / Web Beacons etc. (used for tracking an individual’s online browsing behaviours/movements), medical history, fitness activities, nutrition habits, biometric information (such as heart rate, blood pressure, body weight and sleep patterns), data relating to mood and mental health, data related to and including a broad range of blood biomarkers (derived from blood testing), genetic data, and demographic data including age, gender and ethnicity. This information helps us create Personalised Health Plans and Daily Health Scores tailored to your specific needs.

1.3 All personal and health-related data collected is that which is willingly provided by the user to Aspedan; for example, information collected through the onboarding questionnaire; health biomarker data collected through synchronising the Aspedan app with Apple Health Kit/Android Health Kit/Google Health Kit or equivalent; biomarkers collected through synchronisation of a wearable device; biomarkers collected through blood test; genetic metadata (i.e. genetic traits discerned through 3rd party genetic results, as opposed to raw genetic data).

1.4 Usage Information: We collect information about your interactions with our app, including but not limited to the features you use, the content you access, and the duration of your sessions. This data is utilised to improve our services, provide personalised recommendations, and enhance user experience.

1.5 Data Minimisation Principles: Aspedan only collects the minimum data items required to provide our services, in order to ensure data minimisation principles. The collection of additional biometric data will enhance and improve personalised health plans; however, we will never collect data and not put it to use in the context of specifically delivering our personalised health plans and app-related service.

2.1 Consent: By creating an account and using our services, you provide your explicit consent to the collection, processing, and storage of your personal information and health data as described in this Privacy Policy.

2.2 Contractual Necessity: We process your personal information to fulfil our contractual obligations and provide you with the services you have requested.

2.3 Legitimate Interests: We may process your data based on our legitimate interests, such as improving our services, conducting research and development, and enhancing the overall user experience. However, we ensure that your fundamental rights and freedoms are not overridden by our interests.

2.4 Health Data Processing: Aspedan will never sell or share your health-related data outside of Aspedan Ltd and their direct associates without the explicit consent of the user. Aspedan employees may see health-related information, however this will be anonymised where possible and only accessed in order to improve our services. All employees who may have access to user personal data and health data must have a documented business reason to do so, and must have completed mandatory training prior to being given access to an administrative account. All employees who do access user personal data and health data must ensure to avoid wherever possible the viewing of this data.

3.1 Service Providers: We may share your personal information and health data with trusted service providers who assist us in delivering our services, such as hosting providers, data analytics providers, cloud-based server providers, contractually recruited IT developers, and customer support services. These service providers are bound by contractual obligations, non-disclosure agreements and have read and agreed to the Aspedan Cyber Security Policy and this Privacy Policy, to maintain the security and confidentiality of your data.

3.2 Anonymised and Aggregated Data: We may aggregate and anonymise your personal information and health data to generate statistical insights, conduct research, and improve our services. This data is stripped of any identifiable information and cannot be used to identify you personally.

3.3 Legal Requirements: We may disclose your personal information and health data if required by law, regulation, legal process, or government request.

4.1 We employ industry-standard security measures to protect your personal information and health data from unauthorised access, disclosure, alteration, or destruction. We are Cyber Essentials certified by the UK National Cyber Security Centre. However, no method of transmission over the internet or electronic storage is entirely secure, and we cannot guarantee absolute security.

4.2 We will retain your personal information and health data for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

5.1 Confidentiality of User Data

5.1.1 Aspedan collects, stores, and processes sensitive user information, including personally identifiable information (PII) and health records. It is critical that all individuals subject to this policy maintain the confidentiality and integrity of this information.

5.1.2 Access controls: Aspedan implements appropriate access controls to limit user access to sensitive information based on the principle of least privilege.

5.1.3 Encryption: All user data at rest and in transit must be encrypted to ensure confidentiality and integrity.

5.1.4 Physical security: All storage media containing sensitive information must be secured in a locked room or cabinet when not in use.

5.1.5 Data disposal: All media containing sensitive information must be securely disposed of when no longer needed.

5.2 Data Classification and Handling

5.2.1 Aspedan classifies its data based on its sensitivity level and defines appropriate handling procedures to ensure confidentiality, integrity, and availability.

5.2.2 Data sensitivity levels: Data is classified as confidential, sensitive, or public based on its sensitivity level.

5.2.3 Handling procedures: The following handling procedures are required for data classified as confidential and sensitive:

Encryption: All data must be encrypted at rest and in transit.

Access controls: Only authorised individuals should have access to the data.

Data backups: Regular backups are required to ensure data availability and disaster recovery.

Secure transmission: All data transmission should be performed through secure channels.

5.2.4 Records of the types of data Aspedan processes across the organisation can be found in the Information Asset Register.

5.2.5 Data collected by the Aspedan app will be stored in a combination of on-device and externally via secure cloud storage technologies, shown below.

5.2.6 Aspedan stores data using recognised secure data storage technologies. A diagram which illustrates where user data is stored through the Aspedan App and Clinician Access Platform can be viewed upon request – please email accounts@aspedan.com for further information.

5.3 Data Backup and Recovery

5.3.1 Aspedan maintains backups of its data to ensure its availability and quick recovery in the event of data loss or corruption.

Backup procedures: Regular backups are performed according to the backup schedule defined by the dedicated individual/department within Aspedan.

Backup storage: All backup data must be stored in an off-site location or in the cloud.

Recovery procedures: Procedures must be in place to recover data in the event of a disaster or system failure.

5.4 Incident Response

5.4.1 Aspedan has established an incident response plan to detect, respond to, and recover from security incidents.

5.4.2 Incident reporting: All individuals subject to this policy must report security incidents immediately to the dedicated individual/department within Aspedan.

5.4.3 Incident investigation: The dedicated individual/department within Aspedan will investigate and contain any security incidents to prevent further damage.

5.4.4 Incident recovery: Procedures are in place to recover systems and data affected by a security incident.

5.5 Vulnerability Management

5.5.1 Aspedan implements a vulnerability management program to identify, assess, and mitigate vulnerabilities in software, systems, and networks.

5.5.2 Vulnerability scanning: Regular vulnerability scans are performed on all systems and applications.

5.5.3 Vulnerability assessment: The dedicated individual/department within Aspedan assesses the severity of vulnerabilities and determines appropriate mitigation measures.

5.5.4 Mitigation measures: Appropriate measures are taken to mitigate vulnerabilities, such as installing security patches and updates; utilising Virtual Private Networks (VPNs) on all devices (including computers, laptops and mobile phones); applying access controls; the use of firewalls; the use of malware protection and daily anti-virus scans on computers; ensuring secure configurations; and more.

5.6 Asset Management

5.6.1 We keep record of, and regularly update, the following (hyperlinks direct to live list links for authorised personnel):

• Computers and laptops
• Thin client devices
• Mobile devices
• Network routers and equipment
• Cloud-based software and infrastructure
• Browser versions

6.1 Right to Access and Rectification: You have the right to access, update, and correct inaccuracies in your personal information and health data stored by Aspedan. You can do so by accessing the account settings within the app or by contacting our customer support.

6.2 Right to Erasure: You may request the erasure of your personal information and health data from our systems, subject to any legal obligations or legitimate interests that require us to retain such data.

6.3 Right to Withdraw Consent: You have the right to withdraw your consent to the processing of your personal information and health data at any time. However, withdrawing your consent may limit or prevent us from providing you with certain services.

6.4 Right to Data Portability: Upon your request, we will provide you with a copy of your personal information and health data in a structured, commonly used, and machine-readable format, to the extent technically feasible.

6.5 Right to Object: You have the right to object to the processing of your personal information and health data based on legitimate interests or for direct marketing purposes.

6.6 Right to Lodge a Complaint: If you believe that we have violated your privacy rights or failed to comply with applicable data protection laws, you have the right to lodge a complaint with the relevant supervisory authority.

7.1 We do not use cookies as part of the services we provide through our smartphone app or Clinician Access Portal. 

7.2 We use cookies and similar tracking technologies to enhance your experience and collect information about how you use our website. This information helps us analyse trends, administer the app, track users’ movements, and gather demographic information.

7.3 You can manage your cookie preferences through your app settings or browser settings. Please note that disabling cookies may affect certain features and functionality of the app.

7.4 You can read further information in our Cookie Policy.

8.1 Our services are not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected personal information from a child without parental consent, we will take steps to delete that information.

9.1 We may update this Privacy Policy from time to time to reflect changes in our data practices or legal requirements. We will notify you of any material changes by posting the updated Privacy Policy on our website or through other communication channels.

10.1 Aspedan has a specified Data Retention Policy that details the intentions and policy regarding data construction. This can be accessed via the Aspedan website.

11.1 Users can opt-out of each of the processing activities conducted by Aspedan at any time by emailing accounts@aspedan.com and requesting as such.

11.3 Users are able to exercise their rights at any time to restrict the use of their personal data. Please contact accounts@aspedan.com with any queries or requests, and we will respond to your request to exercise your right to restrict the use of your personal data within ten working days of the receipt of your request.

11.3 Users have the right to request that they are not subject to a decision based solely on automated processing, including profiling, which produces significant effects concerning the user. Aspedan uses automation throughout its service, and so if you would like to request to opt-out, please contact accounts@aspedan.com with any queries or requests, and we will respond to your request to exercise your right to not be subject to a decision based solely on automated processing, within ten working days of the receipt of your request.

12.1 In the event that a change is made to our privacy policy, we will contact all users via email (provided upon sign-up to our services) and will request that we must re-obtain user consent of this privacy policy.

12.2 Consent must be re-obtained in order to allow the user to continue to use our app and services.

13.1 If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Aspedan Ltd

Address: Unit 4 Capenhurst Technology Park, Capenhurst, Chester, CH1 6ES

Email: accounts@aspedan.com 

Phone: +447701078309

13.2 We will provide at least a first response to any queries within ten working days of the receipt of your query (excluding weekends and UK bank holidays).

13.3 You can contact us at any time and request to exercise your data protection rights. Please email accounts@aspedan.com and we will make a first response to your query within ten working days of the receipt of your query (excluding weekends and UK bank holidays).

14.1 The headings and subheadings in this Privacy Policy are for convenience only and do not affect its interpretation.

14.2 This Privacy Policy shall be governed by and construed in accordance with the laws of the United Kingdom.

By using the Aspedan app and services, you acknowledge that you have read and understood this Privacy Policy and agree to the collection, use, and disclosure of your personal information and health data as described herein.