We are registered with the UK Information Commissioner’s Office as a Data Controller (Reg No. Z2141968), and have in place a comprehensive Company data protection policy and code of practice.
Big Health provides you (the “User”) with access to the online and mobile services associated with Sleepio, including but not limited to, sleepio.com and all associated subdomains (the “Website”), and the Sleepio mobile application (the “App”), collectively the “System”.
We process your data in order to provide a personalized sleep improvement program (and to support the delivery of that program).
We require consent from all users before processing their data. This consent can be withdrawn at any time.
We collect and use information like your name, email address, and phone number to personalize the course and communicate with you. You're able to opt out of any external communications (i.e., emails, phone calls, and SMS messages) at any time.
We use information such as your age and gender to assist our interpretation of your sleep, as your sleep patterns can vary based on these variables.
We collect information about your sleep (including, but not limited to, the time you spend in bed and time you spend asleep, number of interruptions in your sleep, and a self-reported evaluation of your sleep quality) in order to deliver our sleep improvement program.
We may collect information about pre-existing medical conditions in order to ensure the safety and efficacy of sleep improvement treatments we provide.
We also collect general information about your mental and physical wellbeing in order to evaluate progress against your self-defined goals.
We may collect information about the devices you use to access the System, including (but not limited to) IP address, mobile device UDID and IMEI numbers, operating system, browser type, and screen size. This information is used to provide you with customer support, for system administration, to tailor your experience of the System, to report aggregate information internally, and to assist communication (e.g., push notifications).
We may store cookies (small text files managed by your web browser) on your computer in order to improve your experience with the System. Example uses of these cookies include: recognizing you when you return to the System, maintaining data you've entered across multiple sessions, and storing information about your personal preferences.
We may include your data in aggregated data sets shared with our research partners. In these sets, your data is not personally identifiable, and would be used for supporting generalized statements (e.g., "men under the age of 30 have the worst sleeping habits in the UK").
Big Health understands that your identifiable health information is private and personal and is dedicated to maintaining its confidentiality and integrity. As such, we will never sell or rent it, and we have policies, procedures, and other safeguards to help protect it from improper use and disclosure.
We follow a Minimum Necessary Access Policy so any required disclosure of your identifiable health information is minimized. The following categories describe the ways in which we use your identifiable health information and the rare instances that require us to disclose it to persons and entities outside of Big Health. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.
Big Health does not disclose Personal Information to third parties for any purpose materially different from the purpose(s) for which it was originally collected.
We may disclose information relating to your use of the System when requested by you. This disclosure at your request may require written authorization by you.
We do not store credit card or customer details with any third parties except trusted suppliers who help us deliver the services associated with the System, and we are committed to ensuring that all suppliers meet our security and data protection standards. We may also use and disclose your identifiable health information to obtain payment for services that we provide to you. For example, we may make disclosures to claim and obtain payment from your health insurer, HMO, or other company that arranges or pays the cost of some or all of your use of the System (“Your Payor”) or to verify that Your Payor will pay for health care.
We may use and disclose your identifiable health information in connection with providing services, for our internal operations, which include administration, eligibility, planning, analytics and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve the quality of the service, satisfaction surveys, de-identifying health information, customer services and internal training. To the extent you receive access to our Website and App through your employer or your health plan, our services may include supporting, and sharing information with, your employer’s wellness program, your health plan or third-party administrator or other similar programs. Possible information to be shared may include participation data (i.e. the fact that you used Sleepio), milestone data (e.g. number of sessions you complete or how many diaries you fill out) to allow you to earn incentives and rewards (if those are offered as part of your wellness program), as well as data from your initial sleep questionnaire. Information that identifies you as an individual will not be shared with your employer.
We may receive a confirmation when you open an email from us, or click on a link in an email, if your email client allows this. We use this confirmation to help us make emails more interesting and helpful. When you receive an email from us, you can opt out of receiving further emails by following the included unsubscribe instructions. However, by opting out of further email communications after you sign up, you may limit program reminders and other valuable program content and components.
We may use and disclose your identifiable health information to contact you as a reminder to interact with, or complete tasks relating to your use of the System. You may make changes to the format and frequency of these reminders, or cancel these reminders and/or notifications by logging into your Sleepio account on the Website, and/or by accessing the native notification settings on your mobile device when using the App.
Some services in our organization are provided through third-party service providers. Examples include accounting services, server hosting and email delivery providers, business associates, vendors and other business partners, and reputable companies in the industry that subcontract to us or to your employer as our corporate customer, where permitted by law. We may disclose your identifiable health information to our third-party service providers so that they can perform the job required of them. To protect your identifiable health information, we require that appropriate contracts or written agreements be in place that safeguard it.
With your explicit permission, we may share your identifiable health information with third party medical professionals nominated by you, e.g. through Sleepio Clinic. You can revoke your permission at any time via your account page.
Most of the Sleepio Community isn’t shared publicly and is only visible to other logged-in members. However, there is a subset of ‘General chat’ discussions which may appear in public searches. The profile messages appearing on the Community homepage at any one time may also be visible to non-members. Whilst we’ve taken care to anonymize your username in such cases (as “Sleepio member”), we’re not able to change the content of your comment or message. For this reason we recommend that you exclude identifying information if you would like to remain anonymous while using the Community. You may want to choose a username that is unique to your Sleepio account and which wouldn’t identify you in any context.
We may use and disclose your identifiable health information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
Certain laws permit or require certain uses and disclosures of identifiable health information for example, for public health activities, health oversight activities and law enforcement. In these instances, Big Health will only use or disclose your identifiable health information to the extent the law requires.
We must use and disclose your identifiable health information to anyone who has the legal right to act for you (your personal representative) in order to administer your rights. We may also use or disclose your identifiable health information to a person involved in your care or who helps pay for your care, such as a family member, when you are incapacitated or in an emergency, or when you agree or fail to object when given the opportunity. If you are unavailable or unable to object, we will use our best judgment to decide if the disclosure is in your best interests. Special rules apply regarding when we may disclose health information to family members and others involved in a deceased individual's care. We may disclose health information to any persons involved, prior to the death, in the care or payment for care of a deceased individual, unless we are aware that doing so would be inconsistent with a preference previously expressed by the deceased.
We may use identifiable health information for research purposes. While identifiable information will not be published, we may publish aggregate information about our users (for example, that men aged under 30 have the worst sleeping habits in the UK) in the context of providing public health information and conducting academic research.
If we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of that business or those assets. If Big Health or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets. Big Health will ensure that information transferred to third parties is used only in a way that complies with the Privacy Shield Principles, and will remain liable in cases of onward transfers to third parties.
Information you provide to us is stored in encrypted form on servers located in the US, which are owned and operated by Amazon Web Services (AWS). You can find out more about AWS security policies and processes in their security whitepapers: https://aws.amazon.com/security/security-resources/ .
We have signed European Commission-approved Standard Contractual Clauses (also called 'model clauses') with our hosting providers in the US to ensure that they adequately protect the data of EU/UK data subjects that they store for us. All passwords are stored in encrypted form, and all sensitive traffic is transmitted over TLS (SSL) by default. Your data may also be transferred to, and stored at, other destinations inside the EEA by staff who work for Big Health or one of our suppliers; such staff may be engaged in, among other things, the provision of support services. By submitting your personal data, you agree to this transfer, storage and processing.
Users of the System have certain specific rights with regard to their information.
A user of the System has the right to view all personal information that Big Health has collected about them, as well as a record of disclosures of that data. To receive this data, please contact the Security, Privacy, and Compliance Officer. The first copy of this information is provided free of charge, in a portable, common electronic format (e.g., a CSV file).
A user of the System has the right to ensure that the data we have stored is accurate. In most cases, the system allows you to directly modify your own information. However, if there is incorrect data within our system that you are not able to change, please contact the Security, Privacy, and Compliance Officer and we will work directly with you to update this information.
A user of the System has the right to request deletion of all data within the system. To request your data be deleted, please contact the Security, Privacy, and Compliance Officer. In most cases, this request will be completed within 30 days. If circumstances require a delay to this deletion, Big Health will notify you directly explaining the reason for the delay. Note also that in some cases, there may be a legal requirement to hold on to your data. Again, Big Health will notify you directly if this is the case.
A user of the System has the right to withdraw their consent at any time by contacting the Security, Privacy, and Compliance Officer. Please note that without consent to process your data, we will be unable to deliver the Sleepio program.
In addition to the right to request disclosures of your data specified in the "right to access" above, we will notify you as required by law if there has been a breach of the security of your identifiable health information.
If you believe that any of your rights with respect to your or others’ identifiable health information have been violated by us, our employees or agents, please communicate with the Big Health Security, Privacy, and Compliance Officer.
Questions relating to revisions to this Policy may be addressed to the Security, Privacy, and Compliance Officer.
Big Health's Security, Privacy, and Compliance Officer (and Data Controller) can be reached at:
If we are subject to the Health Insurance Portability and Accountability Act (“HIPAA”), you may also contact the Secretary of the U.S. Department of Health and Human Services. Under no circumstances will we take any retaliation against you for filing a complaint.
In compliance with the Privacy Shield Principles, Big Health commits to resolve complaints about our collection or use of your personal information. European Union and United Kingdom individuals with inquiries or complaints regarding our Privacy Shield policy should first contact the Big Health Security, Privacy, and Compliance Officer.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
Big Health commits to cooperate with the panel established by the EU/UK data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU/UK.
This Policy is effective as of July 31st, 2019.