Last updated: 20 February 2023
At Beanbag Health we take your privacy seriously. We have written this document to tell you about how we protect your personal data and keep you safe.
Categories of Personal Data we collect
This list details the categories of Personal Data that we collect and have collected over the past 12 months as well as data we subsequently process:
When you sign up for Beanbag Health we collect the following customer information:
Your name (you can provide any name you choose, it does not have to be your real name.
Your email address
Your telephone number
The name and telephone number of an emergency contact
The name and email address of a parent or guardian (if you are under 18 years old)
Your country or state location
This is information about you that we use to manage your account and to determine whether particular national or state laws apply. This includes contacting you by telephone or email as part of your use of the app and to confirm appointments with one of our Beanbag Guides. We need this information in order to deliver the service to you which means that you will not be able to sign up to an account without providing it.
We may also use your email address, in order to send you emails for the following purposes:
Providing you with information about our products or services.
Keeping in touch with you about the app and its performance as well as about new versions of the app or similar apps we may develop.
Sending you updates on our latest developments and scientific discoveries.
Inviting you to register for webinars we host in relation to our research.
Our legal basis for doing so is our legitimate interest in promoting our services. For more information, see the “User Research” and “Mailing Lists” sections below.
We keep this customer information for a period of 6 years after the end of your subscription. Keeping it for this length of time allows us to recognise you if you wish to subscribe again, and is also necessary for us in case we need to resolve any legal disputes that might arise.
Personal Health Information
We also collect self-reported personal health information.
The following personal health information is collected in order to determine your eligibility for our services:
Date of birth
Whether you have a diagnosis of Avoidant/Restrictive Food Intake Disorder or Diabetes
We use this data to:
Determine your eligibility for our services or scientific research studies.
Allow us to carry out general scientific research.
You have the option to provide the following personal health information as part of your use of the app:
Your height and weight
Information relating to your meals
Notes regarding your experiences, thoughts, feelings and behaviours relating to eating, exercise and body image issues, and coping strategies, plans and goals for your recovery
Name and email address of supporters
We use this data to:
Provide you with a record for your personal use to support your self-monitoring, reflection and building self-awareness, and to facilitate behaviour change.
Alert you if you are underweight or have lost significant weight over a short period of time and encourage you to seek medical help for your own safety and wellbeing.
Provide information and updates to your supporters regarding your engagement with and progress in using the app.
User Experience Data
If you participate in a trial of our app or agree to participate in user research with us, we may with your explicit consent collect information regarding your experience of using our the app, your experience with your eating disorder or your opinions as to how we could improve our app.
Device & Browser Data
If you visit our website, or use our app, then we will also collect information about you. Some of this information is direct: such as your IP address, the type of browser you are using, the make of your mobile phone and the contents of cookies we set. We also use third party analytics providers such as Google Analytics, who collect similar information and then supply us with further analysis derived from it.
We process this data in order to:
Locate errors in our systems or problems our systems may be facing with other systems (such as compatibility with a web browser)
Improve the functioning of our Service
Prevent fraud or other criminal activity
This information is automatically sent to us – although there are technical ways you can prevent us from receiving this information (for example by changing the information your browser supplies to us) – the way in which browser and app software works means it is inevitable that we process it.
We routinely delete our web server logs after 90 days, unless we are aware of any serious problem that requires investigation (for example fraud or a hostile attack to our systems), in which case we may preserve any information necessary for that investigation for as long as it is needed. Once the investigation is concluded, we will delete the data.
Where you directly correspond with us (such as sending us an email, online chat message, or call us) we will process information about you concerned with that correspondence, including your email and our responses. We keep that information for as long as necessary to deal with the correspondence – for example if you have made a complaint, as long as needed to deal with the complaint – and then for a further 6 years, in case we need it to defend or establish a legal claim.
Scientific Research Studies
Our purposes for using Personal Data
We have explained specific reasons for processing categories of personal data above. Our core purpose is to support you in your recovery journey relating to eating, exercise and body image issues. For this purpose we process your self-reported personal health information and some customer information.
We may process any of the information you provide us for the purposes of providing support and assistance in using the Service.
We may also process your personal information if we are legally required to do so in circumstances where this cannot be reasonably resisted.
We will not collect additional categories of Personal Data or use the Personal Data we collected for different purposes without providing you notice.
How we share your Personal Data
We do not share Personal Data with anyone else, other than with:
Contractors providing us services we use for processing Personal Data, which include:
Hosting, technology and communication providers.
Security and fraud prevention consultants.
Support and customer service vendors.
Our professional advisors, such as if we need to consult an attorney for legal advice. In all cases these will be advisors under a professional duty of confidence.
Data that is not Personal Data
We may convert Personal Data into anonymous data, that is data which can no longer be linked with identifiable individuals, for example by aggregation of data about multiple individuals. We may create aggregated, de-identified or anonymized data from the Personal Data we collect, including by removing information that makes the data personally identifiable to a particular user.
We may use such anonymous data and share it with third parties for our lawful business purposes, including to analyze, build and improve the Service and promote our business, provided that the data remains anonymous. We do not delete anonymous data on any particular timetable. You may assume that we could keep it indefinitely.
Tracking tools, advertising and your rights to opt-out
You can subscribe to our mailing lists to get the latest updates and information about our products without creating a Beanbag Health account and we will use the data you provide us with for these purposes. To join our mailing list we ask for your name, email address and country or state location.
We process this data because you have consented to us doing so.
If you do not wish to receive emails from us regarding this information, then you can opt out by clicking “unsubscribe from this list” at the bottom of our email.
If you unsubscribe from our mailing lists, we will need to keep just enough information on file to make sure we respect your preferences in the future.
If you are a Beanbag Health customer, we may email you to invite you to answer some questions regarding our products or services or share feedback with you from customer surveys, interviews or focus groups.
Data security and retention
We seek to protect your Personal Data from unauthorized access, use and disclosure using appropriate physical, technical, organizational and administrative security measures based on the type of Personal Data and how we are processing that data. You should also help protect your data by appropriately selecting and protecting your password and/or other sign-on mechanism; limiting access to your computer or device and browser; and signing off after you have finished accessing your account. Although we work to protect the security of your account and other data that we hold in our records, please be aware that no method of transmitting data over the internet or storing data is completely secure.
The periods for which we retain individual categories of Personal Data are explained under the heading “Categories of Personal Data we collect”, but in some cases we retain Personal Data for longer, if doing so is necessary to comply with our legal obligations, resolve disputes or collect fees owed, or is otherwise permitted or required by applicable law, rule or regulation.
Your rights as a European Union Data Subject
Our headquarters, at Beanbag Health Limited, are in the United Kingdom. As a result, you are protected by the United Kingdom’s General Data Protection Regulation ("GDPR"), regardless of your citizenship or where you live in the world. You may have additional rights under the GDPR with respect to your Personal Data, as outlined below.
For this section, we use the terms “Personal Data” and “processing” as they are defined in the GDPR, but “Personal Data” generally means information about a person, and “processing” generally covers actions that can be performed in connection with data such as collection, use, storage, amendment, deletion and disclosure. Beanbag Health will be the controller of your Personal Data processed in connection with the Service.
Personal Data We Collect
The “Categories of Personal Data We Collect” section above details the Personal Data that we collect from you.
Personal Data Use and Processing Grounds
The “Our Purposes for Using Personal Data” section above explains the purposes for which we process your Personal Data.
We will only process your Personal Data if we have a lawful basis under the GDPR for doing so. Lawful bases for processing include:
Consent: Except for the specific situations explained below, we process your customer information, self-reported health information; samples and Test Results by consent. You may withdraw your consent at any time and we will stop processing your Personal Data in this way.
Contractual Necessity: In order to be able to perform our contract, we need to collect customer information we have marked as required and all payment information.
Compliance with a legal obligation: As explained above, we will sometimes have to process personal data in order to comply with a legal obligation imposed on us. Where those obligations are imposed by UK law, that law will provide us with a lawful ground for processing.
Legitimate Interest: We process the following categories of Personal Data when we believe it is in our legitimate interest to do so and we do not believe that your rights of freedoms will be unduly interfered with by our processing:
Device data is justified by our legitimate interest in maintaining a reliable and secure system, free from errors and external security threats.
All information about your health, which we would normally be forbidden from processing by the GDPR, is processed by us because you have consented to us doing so.
Sharing Personal Data
The “How We Share Your Personal Data” section above details how we share your Personal Data with third parties.
Data Subject Rights
You have certain rights with respect to your Personal Data, including those set forth below. For more information about these rights please see the UK Information Commissioner’s guide to data subject rights. To submit a request to exercise any of these rights, or to ask for more information, please email us at email@example.com.
Some of the rights below apply only in specific circumstances. In other situations, we may not be able to fully comply with your request, for example if it would be impossible or would involve a disproportionate effort; or if it jeopardizes the rights of others; but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request.
Access: You can request more information about the Personal Data we hold about you and request a copy of such Personal Data.
Rectification: If you believe that any Personal Data we are holding about you is incorrect or incomplete, you can request that we correct or supplement such data.
Erasure: In some situations you may have a right to request that we erase some or all of your Personal Data from our systems.
Withdrawal of Consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note, however, that if you exercise this right, you may have to then provide express consent on a case-by-case basis for the use or disclosure of certain of your Personal Data, if such use or disclosure is necessary to enable you to utilize some or all of our Service.
Portability: You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another controller where technically feasible.
Objection: You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes, such as for direct marketing purposes.
Restriction of Processing: You can ask us to restrict further processing of your Personal Data.
Right to File Complaint: You have the right to lodge a complaint about Beanbag Health’s practices with the UK’s Information Commissioner..
Our Data Protection Officer is contactable at firstname.lastname@example.org.
You have the right to request certain information about our collection and use of your Personal Data over the past 12 months. In response, we will provide you with the following information:
The categories of Personal Data that we have collected about you.
The sources from which that Personal Data was collected.
The business or commercial purpose for collecting or selling your Personal Data.
The categories of third parties with whom we have shared your Personal Data.
The specific pieces of Personal Data that we have collected about you.
If we have disclosed your Personal Data to any third parties for a business purpose over the past 12 months, we will identify the categories of Personal Data shared with each category of third party recipient. If we have sold your Personal Data over the past 12 months, we will identify the categories of Personal Data sold to each category of third party recipient.
You have the right to request that we delete the Personal Data that we have collected about you.
Exercising your rights
To exercise the rights described above, you or your Authorized Agent (defined below) must send us a request that (1) provides sufficient information to allow us to verify that you are the person about whom we have collected Personal Data (we will use our existing authentication practices (your username and password) as the mechanism for verifying your identity, or if such information is unavailable then we will use alternative validation data to verify your identity to a reasonable degree of certainty), and (2) describes your request in sufficient detail to allow us to understand, evaluate and respond to it. Each request that meets both of these criteria will be considered a “Valid Request.” We may not respond to requests that do not meet these criteria. We will only use Personal Data provided in a Valid Request to verify your identity and complete your request. You do not need an account to submit a Valid Request.
We will work to respond to your Valid Request within 45 days of receipt. We will not charge you a fee for making a Valid Request unless your Valid Request(s) is excessive, repetitive or manifestly unfounded. If we determine that your Valid Request warrants a fee, we will notify you of the fee and explain that decision before completing your request.
You may submit a Valid Request by email tot: email@example.com
You may also authorize an agent (an “Authorized Agent”) to exercise your rights on your behalf. To do this, you must provide your Authorized Agent with written permission to exercise your rights on your behalf, and we may request a copy of this written permission from your Authorized Agent when they make a request on your behalf.
How to contact us:
You may use the following information to contact our Data Protection Officer: firstname.lastname@example.org