Mobile Application Privacy Policy

Consent to installation of the ShinyMind App

Under data protection laws, we are required to provide you with certain information about who we are, how we process your personal data and for what purposes, and your rights in relation to your personal data.

Please read the policy, as by installing this App you are indicating your consent to our processing of your personal data (including, in a very limited sense, certain Special Categories of Personal Data that you may upload yourself) as specifically described in the policy. Full details of the personal data (and Special Categories of Personal Data) that we collect via the App are contained in the policy.

How you can withdraw consent

Once you provide consent by downloading the App, you may change your mind and withdraw consent at any time by contacting us at hello@shinymind.co.uk but that will not affect the lawfulness of any processing carried out before you withdraw your consent.

Who we are

ShinyMind Limited of Ranyell House, 10 Ellerbeck Way, Stokesley Business Park, Stokesley, Middlesbrough, TS9 5JZ (a company registered in England and Wales under company number 05290700) (we) are committed to protecting your personal data and respecting your privacy.

Introduction

This policy (together with our end-user licence agreement (EULA) as set out at https://shinymind.co.uk/app-licence-agreement/ and any additional terms of use incorporated by reference into the EULA, together our Terms of Use) applies to your use of:

  • the Shiny Mind mobile application software (App), once you have downloaded or streamed a copy of the App onto your mobile telephone or handheld device (Device).
  • any of the services accessible through the App (Services) that are available on the App, unless the EULA states that a separate privacy policy applies to a particular Service, in which case that privacy policy only applies.

This policy sets out the basis on which any personal data (including any Special Categories of Personal Data) we collect from you, or that you provide to us, will be processed by us. This App is not intended for children, and we do not knowingly collect data relating to children. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

This policy is provided in a layered format so you can click through to the specific areas set out below.

Important information and who we are

ShinyMind Limited is the controller and is responsible for your personal data (collectively referred to as “Company”, “we”, “us” or “our” in this policy).

We have appointed a data privacy manager. If you have any questions about this privacy policy, please contact them using the details set out below.

Contact details

Our full details are:

  • Full name of legal entity: ShinyMind Limited
  • Name or title of data privacy manager: Jonathan Howard
  • Email address: hello@shinymind.co.uk
  • Postal address: ShinyMind Limited, Ranyell House, 10 Ellerbeck Way, Stokesley Business Park, Stokesley, Middlesbrough, TS9 5JZ

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues.

Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review.

This version was last updated on 2nd March 2022. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you when you next start the App. The new policy may be displayed on-screen, and you may be required to read and accept the changes to continue your use of the App or the Services.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.

Third party links

Our App may, from time to time, contain links to and from various third-party websites and applications (such as music streaming applications). Please note that these websites or applications and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services. Please check these policies before you link through to such third-party websites or applications or submit any personal data to these websites or use these services.

The data we collect about you

We may collect, use, store and transfer different kinds of personal data about you as follows:

  • Identity Data.
  • Contact Data.
  • Device Data.
  • Content Data.
  • Profile Data.
  • Usage Data.

We do not collect any Financial Data, Transactional Data, Marketing and Communications Data or Location Data.

We explain these categories of data at the end of this policy.

We also collect, use, and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific App feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

We do not collect any information about criminal convictions and offences.

Special Categories of Personal Data

The term Special Categories of Personal Data includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about your health (both physical and mental), and genetic and biometric data.

Due to the nature of the App (and its focus on mental wellbeing) and the ability for the users of the App to input data, we may process (by storing on our secured servers only) Special Categories of Personal Data. The App does not request or automatically collect any Special Categories of Personal Data and, as such, we will only process Special Categories of Personal Data if you specifically place or input such data onto the App.

We do not process any Special Categories of Personal Data over and above storing the same on our secure servers in accordance with this policy. No Special Categories of Personal Data will be transferred to any third party other than the providers of our secure servers.

The GDPR confirms that Special Categories of Personal Data may be processed provided that we have explicit consent from the subject to do so. By downloading the App and inputting any Special Category of Personal Data on the App you explicitly consent to the storing of such data on the secure servers utilised by the App.

You may change your mind and withdraw consent to us storing such Special Categories of Personal Data at any time by contacting us at hello@shinymind.co.uk but that will not affect the lawfulness of any processing carried out before you withdraw your consent.

How is your personal data collected?

We will collect and process the following data about you:

  • Information provided to us by your employer. To enable us to e-mail you with details of how to download and register to use the App, your employer will have provided to us Identity and Contact Data to enable us to send an automated e-mail with details of the App. We understand that your employer has consent to provide us with such data and such Identity and Contact Data will only be used to send the initial automated e-mail with details on how to download and register to use the App. If you do not decide to download and register to use the App, this data will not be used by us any further and will simply be stored and subsequently retained and destroyed in accordance with the Data Retention section of this policy.
  • Information you give us. This is information (including Identity and Contact Data) you consent to giving us about you by inputting data on the App, or by corresponding with us or other users of the App (for example, by email or chat). We may collect Special Categories of Personal Data when you expressly upload such data onto the App (please see the above section marked ‘Special Categories of Personal Data’). If you contact us, we will keep a record of that correspondence. This information may also include Profile Data which has been uploaded by you to the App (and is not uploaded automatically). Profile Data can include photos that are uploaded to the App. Such Profile Data which has been uploaded by you (and not obtained automatically by the App) will not be used by us (other than being stored on our secure servers in accordance with the Data Retention section below).
  • Information we collect about you and your device. Each time you use our App we will automatically collect personal data including Device, Content and Usage Data. We collect this data using cookies and other similar technologies. Please see our cookie policy information below for further details.
  • Information we receive from other sources including third parties and publicly available sources. We may receive personal data about you from various third parties and public sources such as analytics providers such as Google based outside the EU.

Cookies

We may use cookies from time to time to distinguish you from other users of the App and to remember your preferences. This helps us to provide you with a good experience when you use the App and also allows us to improve the App. For detailed information on the cookies we use (if any), the purposes for which we use them and how you can exercise your choices regarding our use of your cookies, see our cookie policy within our privacy policy https://shinymind.co.uk/app-licence-agreement/

How we use your personal data

We will only use your personal data when the law allows us to do so. Most commonly we will use your personal data in the following circumstances:

  • Where you have consented before the processing.
  • Where we need to perform a contract we are about to enter or have entered with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

We do not send direct marketing communications by email or text or share your personal data with any third party for marketing purposes.

Purposes for which we will use your personal data:

| Purpose/activity | Type of data | Lawful basis for processing |
| --- | --- | --- |
| To send an automated e-mail to you regarding installing and registering to use the App | Identity; Contact | Consent obtained from your employer |
| To install the App and register you as a new App user | Identity; Contact; Device | Your consent |
| To group users into specific user groups to enable certain groups (‘communities’) to communicate with one another (this will include allowing other members of the community to see that you are included within their community on the App) | Identity; Contact | Your consent; Performance of our contract with you |
| To manage our relationship with you including notifying you of changes to the App or any Services | Identity; Contact | Your consent; Performance of our contract with you; Necessary for our legitimate interests (to keep records updated and to analyse how customers use our products/Services); Necessary to comply with legal obligations (to inform you of any changes to our terms and conditions) |
| To administer and protect our business and this App including storing data, troubleshooting, data analysis and system testing | Identity; Contact; Device; Usage | Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security) |
| To monitor trends so we can improve the App | Identity; Contact; Device; Profile; Usage | Your consent; Necessary for our legitimate interests (to develop our products/Services and grow our business) |
| To report unacceptable behaviour by users of the App | Identity; Contact | Your consent; Necessary for our legitimate interests (to develop our products/Services and grow our business); Necessary for our legitimate interests (to keep records updated and to analyse how customers use our products/Services) |

Disclosures of your personal data

When you consent to providing us with your personal data, you also consent to us sharing your personal data with the following third parties solely for the purposes set out in the table above:

  • Internal Third Parties as set out in the Glossary section below.
  • External Third Parties as set out in the Glossary section below.
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

We will not share any data or content that you have uploaded onto the App (and which has not been collected automatically via the App) with any third party except the third parties used in the provision of secured servers (and only for the purpose of that third party storing such data on the secured servers they are providing to us).

Contained within the App are facilities that allow you to communicate with other users of the App that are in the same ‘community’ (this feature, to function, allows members of the same allocated community to see that they are members of the same community). Such communications will be accessible by the intended recipient and may be recorded or duplicated by the recipient on media outside of the App. We cannot control any personal data which is contained in any such communications and subsequently communicated by the recipient to a third party or otherwise recorded or duplicated by the recipient on media outside of the App. Please exercise caution when sending any personal data via such communication facilities as we cannot be responsible for subsequent disclosure by the recipient of any such personal data.

Contained within the App is a reporting function to report unacceptable behaviour by users of the App. If a report is logged by a user, that report is sent directly to the user’s employer. The report only confirms that a user is reporting unacceptable behaviour (not the identity of the person accused of unacceptable behaviour or the nature of such unacceptable behaviour). The employer may contact such user to confirm the extent of the unacceptable behaviour and may request to see the content which forms the allegation of such unacceptable behaviour. By using the App you agree to the presence of such reporting functions and that users may share your communications to them with their (and your) ultimate employer.

International transfers

We do not transfer your personal data outside the European Economic Area (EEA).

Data security

All information you upload onto the App or provide to us is stored on our secure servers. Where we have given you (or where you have chosen) a password that enables you to access certain parts of the App, you are responsible for keeping this password confidential. We ask you not to share a password with anyone. Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way. Certain services include the ability to communicate (and share messages and media) with other members of your community. Ensure when using these features that you do not submit any personal data that you do not want to be seen, collected, or used by other users. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

Data retention

Details of retention periods for different aspects of your personal data are available upon request by contacting us. In some circumstances you can ask us to delete your data: see the “Your legal rights” section below for further information. If you request us to delete your data, all of the user generated content that is contained on the App will be deleted from our secure servers and will no longer be accessible to us or you. You can request specific user generated content be supplied to you prior to requesting that we delete your data but only prior to or simultaneously with a request for deletion. Once the data has been deleted from our secure servers, we may be unable to retrieve such data. Any request for deletion of data will be undertaken within 3 months of the request. Deleting the App will not necessarily delete the data we hold in respect of you, and you should contact us direct to ensure such deletion occurs. In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you. In the event that you do not use the App for a period of 12 months then we may treat the account as expired and your personal data may be deleted.

Your legal rights

Under certain circumstances you have the following rights under data protection laws in relation to your personal data. You can exercise any of these rights at any time by contacting us at hello@shinymind.co.uk or by post to ShinyMind Limited of Ranyell House, 10 Ellerbeck Way, Stokesley Business Park, Stokesley, Middlesbrough, TS9 5JZ.

Glossary

Lawful basis:

Consent means processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us.

GDPR: the General Data Protection Regulation ((EU) 2016/679).

Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

Third parties:

Internal third parties

None

External third parties

Service providers acting as processors based in the United Kingdom who provide IT and system administration services. Our current provider of secure servers is Rackspace, one of the world’s leading cloud computing companies, and who are NHS Security and Toolkit Registered.

Professional advisers acting as processors or joint controllers including lawyers, bankers, auditors and insurers based in the United Kingdom who provide consultancy, banking, legal, insurance and accounting services.

HM Revenue and Customs, regulators and other authorities acting as processors or joint controllers based in the UK who require reporting of processing activities in certain circumstances.

Your NHS employer Trust as part of the reporting of unacceptable behaviour on the App.

Your legal rights

You have the right to:
  • Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. Please read the above section Data Retention before making such a request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  • Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
    1. if you want us to establish the data’s accuracy;
    2. where our use of the data is unlawful but you do not want us to erase it;
    3. where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
    4. you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  • Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you. Such a request can only be made prior to any request for erasure or deletion of the data or prior to any circumstances where we may automatically delete such personal data in accordance with the above section Data Retention.
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

Description of categories of personal data

  • Identity Data: first name, last name, maiden name, username or similar identifier, title, NHS identification number, NHS job role (and grouping within the NHS).
  • Contact Data: email address and telephone numbers.
  • Financial Data: bank account and payment card details.
  • Transaction Data: includes details about payments to and from you.
  • Device Data: includes the type of mobile device you use, a unique device identifier (for example, your Device’s IMEI number, the MAC address of the Device’s wireless network interface, or the mobile phone number used by the Device), mobile network information, your mobile operating system, the type of mobile browser you use, time zone setting.
  • Content Data: includes information stored on your Device, including friends’ lists, login information, photos, videos or other digital content or check-ins.
  • Profile Data: includes your username and password, your interests, preferences, feedback, content you have uploaded (including photographs) and survey responses.
  • Usage Data: includes details of your use of any of our Apps including, but not limited to, traffic data and other communication data.
  • Marketing and Communications Data: includes your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Location Data: includes your current location disclosed by GPS technology.