Privacy Policy

Big Health Ltd (“we”) are committed to protecting and respecting your privacy. We are registered with the UK Information Commissioner’s Office as a Data Controller (Reg No. Z2141968), and have in place a comprehensive Company data protection policy and code of practice.

This Privacy Policy (“Policy”) (together with our Terms and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us and how you can get access to this information. Please review it carefully.

1. Purpose of this Policy

Big Health provides you (the “User”) with access to the online and mobile services associated with Sleepio, including but not limited to, and all associated subdomains (the “Website”), and the Sleepio mobile application (the “App”), collectively the “System”.

We may collect and process information provided by filling in forms on the Website or App, including information provided during completion of surveys, sleep diaries and other online tools, posting of comments in the Community or requesting further services, information provided when purchasing a product or paying for access to restricted content, entering a competition or promotion and when you report a problem with our System. If you contact us, we may also keep a record of that correspondence.

Throughout your use of the System we may collect and process information on pre-existing medical conditions and medication, along with other health profile information such as height, weight, body mass index (BMI), and smoking status, and details of your visits to our site including, but not limited to, traffic data, location data, weblogs and other communication data, whether this is required for our own billing purposes or otherwise, and the resources that you access.

The health information described in this Policy is known as “protected health information” (“PHI”). We are required by law to maintain the privacy of your PHI and to provide you with this notice of our legal duties and privacy practices with respect to your PHI. When we use or disclose your PHI, we are required to abide by the terms of this Policy (or other Policy in effect at the time of the use or disclosure).

IP addresses and cookies

We may collect information about your device, including where available your IP address, operating system, browser type and screen size for use in system administration, to tailor your experience of the System, provide you with customer support and to report aggregate information internally and to advertisers, for example.

For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your device. Cookies help us to give you a smooth user experience, improve the System and deliver a better and more personalized service. They enable us:

  • To recognize you when you return to our site.
  • To maintain data you have entered e.g. during completion of a survey.
  • To speed up your searches.
  • To estimate our audience size and usage pattern.
  • To store information about your preferences, and so allow us to customize our site according to your individual interests.

Both Sleepio and third-party vendors, including Google, may use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to inform, optimize, and serve ads based on your past visits to the Website or App on sites across the Internet (also known as 'remarketing'). If you would like to opt out of this you can do so via your Google Ads Preferences Manager.

You may refuse to accept cookies by changing the settings on your device to prevent cookies from being set. However, if you select this setting you may be unable to access certain parts of the System. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you visit the Website and App.

Please note that when a third party advertises on our site they may also use cookies. Unfortunately, we have no control over these cookies.

2. The Use and Disclosure of Protected Health Information

Big Health understands that your PHI is private and personal and is dedicated to maintaining the privacy and integrity of your PHI. As such, we have policies and procedures and other safeguards to help protect your PHI from improper use and disclosure.

The following categories describe different ways that we use your PHI within Big Health and disclose your PHI to persons and entities outside of Big Health. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.

How much PHI is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure.

  • Disclosure at your request: We may disclose information relating to your use of the System when requested by you. This disclosure at your request may require written authorization by you.
  • Payment: We do not store credit card details nor do we share customer details with any 3rd parties except trusted suppliers who help us deliver the services associated with the System and we are committed to ensuring that all suppliers meet our security and data protection standards. As such, we may use and disclose your PHI to obtain payment for services that we provide to you. For example, we may make disclosures to claim and obtain payment from your health insurer, HMO, or other company that arranges or pays the cost of some or all of your health care (“Your Payor”) or to verify that Your Payor will pay for health care.
  • Operations: We may use and disclose your PHI for our internal operations, which include administration, planning and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve quality of the service, satisfaction surveys, de-identifying health information, customer services and internal training.
  • Reminders and notifications: We may use and disclose your PHI to contact you as a reminder to interact with, or complete tasks relating to your use of the System.
  • Business associates: There are some services provided in our organization through contracts with business associates. Examples of business associates include accounting services, server hosting and email delivery. We may disclose your PHI to our business associates so that they can perform the job we have asked them to do. To protect your PHI, we require our business associates to sign a contract or written agreement stating that they will appropriately safeguard your PHI.
  • Threat to health or safety: We may use and disclose your PHI when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
  • As required by law: Certain laws permit or require certain uses and disclosures of PHI, for example, for public health activities, health oversight activities and law enforcement. In these instances, Big Health will only use or disclose your PHI to the extent the law requires.
  • For research and publicity purposes: We may use PHI for internal and external research and publicity purposes. This may include publishing aggregate information about our users (for example, that men aged under 30 have the worst sleeping habits in the UK) in the context of providing public health information and conducting academic research. We may also use such aggregate information to help advertisers reach the kind of audience they want to target (for example, women in London), and make use of the personal data we have collected from you to enable us to comply with our advertisers' wishes by displaying their advertisement to that target audience. In certain instances, we may only provide such information with special waivers and permissions from you.
  • Transfer of business assets: In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If Big Health or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets.

3. Where we store your personal data

Information you provide to us is stored in encrypted form on secure servers located in the US. We have signed European Commission approved Standard Contractual Clauses (also called 'model clauses') with our hosting providers in the US, to ensure that they adequately protect the data of EU data subjects that they store for us. All passwords are stored in encrypted form and all sensitive traffic is transmitted securely via SSL by default.

It may be possible that your data is transferred to, and stored at, other destinations inside the EEA by or to staff who work for Big Health or one of our suppliers. Such staff may be engaged in, among other things, the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing.

Unfortunately, despite these measures, the transmission of information via the internet is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the System, and any transmission is at your own risk. Once we have received your information, we will use strict procedures to try to prevent unauthorized access in accordance with our Company data protection policy and code of practice, and responsibilities as a registered Data Controller in the UK.

4. Your rights regarding your PHI

You have certain rights with respect to your PHI. If we do not agree to a request by you with respect to your PHI, please consult the Big Health Privacy and Security Officer whose contact information is below.

  • Restrictions: You have the right to request in writing that we do not disclose certain information about you. We do not have to agree to any restriction that you request. To request a restriction, please contact the Privacy and Security Officer whose contact information is at the end of this Policy.
  • Confidential Communications: You have the right to request in writing that we restrict the way in which we communicate information regarding your health and health care services, such as ceasing to send email or SMS messages to notify or remind you about aspects of the System or your progress through the Sleepio program. We will make reasonable efforts to accommodate your request.
  • Access: You have the right to inspect and copy most of your Health Information maintained by us. Normally, we will provide you with access within 30 days of your request. We may charge a reasonable fee for doing this.
  • Amendment: You have the right to request that we amend your written PHI. For instance, you can request that we correct an incorrect date of birth in your records. We will generally amend your information within 60 days of your request, and will notify you when we have amended your information. We can deny your request in certain circumstances, such as when we believe that your information is accurate and complete.
  • Accounting: You have the right to request an accounting from us of certain disclosures made by us. We will generally provide you with your accounting within 60 days of your request. In addition, we will notify you as required by law if there has been a breach of the security of your PHI.

5. Concerns or complaints

If you believe that any of your rights with respect to your Health Information have been violated by us, our employees or agents, please communicate with the Big Health Privacy and Security Officer at:

Privacy and Security Officer

If we are subject to the Health Insurance Portability and Accountability Act (“HIPAA”), you may also contact the Secretary of the U.S. Department of Health and Human Services. Under no circumstances will we take any retaliation against you for filing a complaint.

6. Amending this Policy

We reserve the right to revise this Policy and to make the revised Policy effective for all PHI that we created or received prior to the effective date of the revised Policy. Questions relating to revisions to this Policy may be addressed to the Privacy and Security Officer whose contact information is above. This Policy will be promptly revised if there is a material change to a policy described herein.

Effective Date: This Policy is effective as of September 9, 2014