Privacy Policy

Big Health Inc and Big Health Ltd (both together as “we”) are committed to protecting and respecting your privacy. This Privacy Policy (“Policy”) (together with our Terms and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us and how you can get access to this information.

If in doubt, the primary governing law of this policy is that of the state of California, United States.

We are registered with the UK Information Commissioner’s Office as a Data Controller (Reg No. Z2141968), and have in place a comprehensive Company data protection policy and code of practice.

1. Purpose of this Policy

Big Health provides you (the “User”) with access to the online and mobile services associated with Sleepio, including but not limited to, and all associated subdomains (the “Website”), and the Sleepio mobile application (the “App”), collectively the “System”.

We may collect and process information provided by filling in forms on the System, including information provided during completion of surveys, sleep diaries and other online tools, posting of comments in the Community or requesting further services, information provided when purchasing a product or paying for access to restricted content, entering a competition or promotion and when you report a problem with our System. If you contact us, we may also keep a record of that correspondence.

Throughout your use of the System we may collect and process information, such as: personal information (name, date of birth, email address, etc.); pre-existing medical conditions; lifestyle; environment; medication; other health profile information and details of your visits to the System and the resources that you access (including, but not limited to, traffic data, location data, weblogs and other communication data), whether this is required for our own billing purposes or otherwise.

Not to worry, we are required by law to maintain the privacy of the information described in this Policy and to provide you with this notice of our legal duties and privacy practices with respect to it. When we use or disclose this information, we comply with law (including HIPAA, if applicable) and the terms of this Policy (or other Policy in effect at the time of the use or disclosure). For simplicity and the good of our users, we aim to treat all identifiable health information with the same protections, whether HIPAA is applicable or not, and have used the HIPAA requirements as a guide in developing our data privacy and security protections. We use the blanket term ‘identifiable health information’ below to refer to all identifiable health data (inclusive of PHI).

Data that has been aggregated or stripped of identifiers outlined in HIPAA will no longer constitute ‘identifiable health information’ for the purposes of this Policy and we will be free to use it without restriction in connection with providing services or otherwise.

IP addresses and cookies

We may collect information about your device, including where available your IP address, operating system, browser type and screen size. We may use this: to, provide you with customer support, for system administration; to tailor your experience of the System; to report aggregate information internally, to advertisers; and for research; or as described in ‘How we use your information’.

For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your device. Cookies help us to give you a smooth user experience, improve the System and deliver a better and more personalized service. They enable us:

  • To recognize you when you return to our system.
  • To maintain data you have entered e.g. during completion of a survey.
  • To speed up your searches.
  • To estimate our audience size and usage pattern.
  • To store information about your preferences, and so allow us to customize the System according to your individual interests.

Both Sleepio and third-party vendors, including Google, may use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to inform, optimize, and serve ads based on your past visits to the System on sites across the Internet (also known as 'remarketing'). If you would like to opt out of this you can do so via your Google Ads Preferences Manager.

You may refuse to accept cookies by changing the settings on your device to prevent cookies from being set. However, if you select this setting you may be unable to access certain parts of the System. Unless you have adjusted your browser setting so that it will refuse cookies, our system may issue cookies when you visit the System.

Please note that when a third party advertises on the System they too may also use cookies. Unfortunately we have no control over these cookies.

Big Health does not disclose Personal Information to third parties for any purpose materially different from the purpose(s) for which it was originally collected. However, should that change in the future, Big Health will provide individuals with the option to opt-out of having this information disclosed.

2. How we use your information

Big Health understands that your identifiable health information is private and personal and is dedicated to maintaining its confidentiality and integrity. As such, we will never sell or rent it, and we have policies, procedures, and other safeguards to help protect it from improper use and disclosure.

We follow a Minimum Necessary Access Policy so any required disclosure of your identifiable health information is minimized. The following categories describe the ways in which we use your identifiable health information and the rare instances that require us to disclose it to persons and entities outside of Big Health. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.

How much identifiable health information is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure, and appropriate laws.

  • Disclosure at your request: We may disclose information relating to your use of the System when requested by you. This disclosure at your request may require written authorization by you.
  • Payment: We do not store credit card or customer details with any 3rd parties except trusted suppliers who help us deliver the services associated with the System and we are committed to ensuring that all suppliers meet our security and data protection standards. As such, we may use and disclose your identifiable health information to obtain payment for services that we provide to you. For example, we may make disclosures to claim and obtain payment from your health insurer, HMO, or other company that arranges or pays the cost of some or all of your use of the System (“Your Payor”) or to verify that Your Payor will pay for health care.
  • Services and Operations: Services and Operations: We may use and disclose your identifiable health information in connection with providing services, for our internal operations, which include administration, eligibility, planning, analytics and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve quality of the service, satisfaction surveys, de-identifying health information, customer services and internal training. To the extent you receive access to our Website and App through your employer or your health plan, our services may include supporting, and sharing information with, your employer’s wellness program, your health plan or third-party administrator or other similar programs. Possible information to be shared may include participation data (i.e. the fact that you used Sleepio), milestone data (e.g. number of sessions you complete or how many diaries you fill out) to allow you to earn incentives and rewards (if those are offered as part of your wellness program), as well as data from your initial sleep questionnaire. Information that identifies you as an individual will not be shared with your employer.
  • Emails: We may receive a confirmation when you open an email from us, or click on a link in an email, if your computer supports this type of program. We use this confirmation to help us make emails more interesting and helpful. When you receive an email from us, you can opt out of receiving further emails by following the included instructions to unsubscribe. However, by opting out of further email communications after you sign up, you may limit program reminders and other valuable program content and components.
  • Reminders and notifications: We may use and disclose your identifiable health information to contact you as a reminder to interact with, or complete tasks relating to your use of the System. You may make changes to the format and frequency of these reminders, or cancel these reminders and/or notifications by logging into your Sleepio account on the Website, and/or by accessing the native notification settings on your mobile device when using the App.
  • Third party service providers: There are some services provided in our organization through third party services providers. Examples of third party services providers include accounting services, server hosting and email delivery providers, business associates, vendors and other business partners and reputable companies in the industry who subcontract to us or to those of your employer as our corporate customers, where permitted by law. We may disclose your identifiable health information to our third party services providers so that they can perform the job that is required of them. To protect your identifiable health information, we require appropriate contracts or written agreements be in place that safeguard your identifiable health information.
  • Third party medical professionals: With your permission, we may share your identifiable health information with third party medical professionals nominated by you, e.g. through Sleepio Clinic. You can revoke your permission at any time via your account page.
  • Public access to Community posts: Most of the Sleepio Community isn’t shared publicly and is only visible to other logged-in members. However, there is a subset of ‘General chat’ discussions which may appear in public searches. The profile messages appearing on the Community homepage at any one time may also be visible to non-members. Whilst we’ve taken care to anonymize your username in such cases (as “Sleepio member”), we’re not able to change the content of your comment or message. For this reason we recommend that you exclude identifying information if you would like to remain anonymous while using the Community. You may want to choose a username that is unique to your Sleepio account and which wouldn’t identify you in any context.
  • Threat to health or safety: We may use and disclose your identifiable health information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
  • As required by law: Certain laws permit or require certain uses and disclosures of identifiable health information for example, for public health activities, health oversight activities and law enforcement. In these instances, Big Health will only use or disclose your identifiable health information to the extent the law requires.
  • Personal representatives or persons involved with your care: We must use and disclose your identifiable health information to anyone who has the legal right to act for you (your personal representative) in order to administer your rights. We may also use or disclose your identifiable health information to a person involved in your care or who helps pay for your care, such as a family member, when you are incapacitated or in an emergency, or when you agree or fail to object when given the opportunity. If you are unavailable or unable to object, we will use our best judgment to decide if the disclosure is in your best interests. Special rules apply regarding when we may disclose health information to family members and others involved in a deceased individual's care. We may disclose health information to any persons involved, prior to the death, in the care or payment for care of a deceased individual, unless we are aware that doing so would be inconsistent with a preference previously expressed by the deceased.
  • For research and publicity purposes: We may use identifiable health information for internal and external research and publicity purposes. This may include publishing aggregate information about our users (for example, that men aged under 30 have the worst sleeping habits in the UK) in the context of providing public health information and conducting academic research. In certain instances, we may only provide such information with special waivers and permissions from you.
  • Transfer of business assets: In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets. If Big Health or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets. Big Health will ensure that information transferred to third parties will only be used in a way that is compliant with Privacy Shield Principles, and will remain liable in cases of onward transfers to third parties.

3. Where we store your personal data

Information you provide to us is stored in encrypted form on secure servers located in the US, which are owned and operated by Amazon Web Services (AWS). AWS are industry leaders in the provision of hosting services and take security very seriously - you can find out more about their security policies and processes in their Security Whitepaper:

We have signed European Commission approved Standard Contractual Clauses (also called 'model clauses') with our hosting providers in the US, to ensure that they adequately protect the data of EU data subjects that they store for us. All passwords are stored in encrypted form and all sensitive traffic is transmitted securely via SSL by default.

Your data may be transferred to, and stored at, other destinations inside the EEA by or to staff who work for Big Health or one of our suppliers. Such staff may be engaged in, among other things the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing.

Unfortunately, despite these measures, the transmission of information via the internet (especially by email) is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of any of your data transmitted to the System or transmitted from the System to you, and any transmission is at your own risk. Once we have received your information, we will use strict procedures to try to prevent unauthorized access in accordance with our Company data protection policy and code of practice, appropriate laws, and responsibilities as a registered Data Controller in the UK.

4. Your rights regarding your identifiable health information

You have certain rights with respect to your identifiable health information. If we do not agree to a request by you regarding your identifiable health information, please consult the Big Health Privacy and Security Officer, whose contact information is below.

  • Restrictions: You have the right to request in writing that we do not disclose certain information about you. We do not have to agree to any restriction that you request. To request a restriction, please contact the Privacy and Security Officer whose contact information is below.
  • Confidential Communications: You have the right to request in writing that we restrict the way in which we communicate information regarding your health and health care services, such as ceasing to send email or SMS messages to notify or remind you about aspects of the System or your progress through the Sleepio program. We will make reasonable efforts to accommodate your request, or to provide alternative means of communication where possible.
  • Access: You have the right to inspect and copy most of your Health Information maintained by us. Normally, we will provide you with access within 30 days of your request. We may charge a reasonable fee for doing this.
  • Amendment / Deletion: You have the right to request that we amend or delete your written identifiable health information if you feel it is inaccurate or was processed in violation of this policy. For instance, you can request that we correct an incorrect date of birth in your records. We will generally amend or delete your information within 60 days of your request, and will notify you when we have updated your information. We can deny your request in certain circumstances, such as when we believe that your information is accurate and complete. We cannot take responsibility for actions based on information incorrectly provided by you, such as emails sent to incorrect addresses.
  • Accounting: You have the right to request an accounting from us of certain disclosures made by us. We will generally provide you with your accounting within 60 days of your request. In addition, we will notify you as required by law if there has been a breach of the security of your identifiable health information.

5. Privacy Shield

Big Health complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Big Health has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit Big Health is subject to the investigatory and enforcement powers of the Federal Trade Commission.

In compliance with the Privacy Shield Principles, Big Health commits to resolve complaints about our collection or use of your personal information. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Big Health at:

Big Health commits to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU.

6. Amending this Policy

We reserve the right to revise this Policy without notification, and to make the revised Policy effective for all data that we created or received prior to the effective date of the revised Policy. Any changes or updates will be effective immediately upon posting to Your continued use of the System constitutes your agreement to abide by the Privacy Policy as changed. Under certain circumstances (for example, if we expand the ways in which we use your personal information beyond the uses stated in our Privacy Policy at the time of collection), we may also elect to notify you of changes or updates to our Privacy Policy by additional means, such as by sending you an email.

Questions relating to revisions to this Policy may be addressed to the Privacy and Security Officer whose contact information is below. This Policy will be promptly revised if there is a material change to a policy described herein.

Concerns or complaints

If you believe that any of your rights with respect to your or others’ identifiable health information have been violated by us, our employees or agents, please communicate with the Big Health Privacy and Security Officer at:

Privacy and Security Officer

If we are subject to the Health Insurance Portability and Accountability Act (“HIPAA”), you may also contact the Secretary of the U.S. Department of Health and Human Services. Under no circumstances will we take any retaliation against you for filing a complaint.

Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.

Effective Date: This Policy is effective as of March 30, 2017.