If in doubt, the primary governing law of this policy is that of the state of California, United States.
We are registered with the UK Information Commissioner’s Office as a Data Controller (Reg No. Z2141968), and have in place a comprehensive Company data protection policy and code of practice.
Big Health provides you (the “User”) with access to the online and mobile services associated with Sleepio, including but not limited to, sleepio.com and all associated subdomains (the “Website”), and the Sleepio mobile application (the “App”), collectively the “System”.
We may collect and process information provided by filling in forms on the System, including information provided during completion of surveys, sleep diaries and other online tools, posting of comments in the Community or requesting further services, information provided when purchasing a product or paying for access to restricted content, entering a competition or promotion and when you report a problem with our System. If you contact us, we may also keep a record of that correspondence.
Throughout your use of the System we may collect and process information, such as: personal information (name, date of birth, email address, etc.); pre-existing medical conditions; lifestyle; environment; medication; other health profile information and details of your visits to the System and the resources that you access (including, but not limited to, traffic data, location data, weblogs and other communication data), whether this is required for our own billing purposes or otherwise.
Not to worry, we are required by law to maintain the privacy of the information described in this Policy and to provide you with this notice of our legal duties and privacy practices with respect to it. When we use or disclose this information, we comply with law (including HIPAA, if applicable) and the terms of this Policy (or other Policy in effect at the time of the use or disclosure). For simplicity and the good of our users, we aim to treat all identifiable health information with the same protections, whether HIPAA is applicable or not, and have used the HIPAA requirements as a guide in developing our data privacy and security protections. We use the blanket term ‘identifiable health information’ below to refer to all identifiable health data (inclusive of PHI).
Data that has been aggregated or stripped of identifiers outlined in HIPAA will no longer constitute ‘identifiable health information’ for the purposes of this Policy and we will be free to use it without restriction in connection with providing services or otherwise.
We may collect information about your device, including where available your IP address, operating system, browser type and screen size. We may use this: to, provide you with customer support, for system administration; to tailor your experience of the System; to report aggregate information internally, to advertisers; and for research; or as described in ‘How we use your information’.
For the same reason, we may obtain information about your general internet usage by using a cookie file which is stored on the hard drive of your device. Cookies help us to give you a smooth user experience, improve the System and deliver a better and more personalized service. They enable us:
Both Sleepio and third-party vendors, including Google, may use first-party cookies (such as the Google Analytics cookie) and third-party cookies (such as the DoubleClick cookie) together to inform, optimize, and serve ads based on your past visits to the System on sites across the Internet (also known as 'remarketing'). If you would like to opt out of this you can do so via your Google Ads Preferences Manager.
Big Health does not disclose Personal Information to third parties for any purpose materially different from the purpose(s) for which it was originally collected. However, should that change in the future, Big Health will provide individuals with the option to opt-out of having this information disclosed.
Big Health understands that your identifiable health information is private and personal and is dedicated to maintaining its confidentiality and integrity. As such, we will never sell or rent it, and we have policies, procedures, and other safeguards to help protect it from improper use and disclosure.
We follow a Minimum Necessary Access Policy so any required disclosure of your identifiable health information is minimized. The following categories describe the ways in which we use your identifiable health information and the rare instances that require us to disclose it to persons and entities outside of Big Health. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.
How much identifiable health information is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure, and appropriate laws.
Information you provide to us is stored in encrypted form on secure servers located in the US, which are owned and operated by Amazon Web Services (AWS). AWS are industry leaders in the provision of hosting services and take security very seriously - you can find out more about their security policies and processes in their Security Whitepaper: https://d0.awsstatic.com/whitepapers/aws-security-whitepaper.pdf.
We have signed European Commission approved Standard Contractual Clauses (also called 'model clauses') with our hosting providers in the US, to ensure that they adequately protect the data of EU data subjects that they store for us. All passwords are stored in encrypted form and all sensitive traffic is transmitted securely via SSL by default.
Your data may be transferred to, and stored at, other destinations inside the EEA by or to staff who work for Big Health or one of our suppliers. Such staff may be engaged in, among other things the provision of support services. By submitting your personal data, you agree to this transfer, storing or processing.
Unfortunately, despite these measures, the transmission of information via the internet (especially by email) is never completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of any of your data transmitted to the System or transmitted from the System to you, and any transmission is at your own risk. Once we have received your information, we will use strict procedures to try to prevent unauthorized access in accordance with our Company data protection policy and code of practice, appropriate laws, and responsibilities as a registered Data Controller in the UK.
You have certain rights with respect to your identifiable health information. If we do not agree to a request by you regarding your identifiable health information, please consult the Big Health Privacy and Security Officer, whose contact information is below.
In compliance with the Privacy Shield Principles, Big Health commits to resolve complaints about our collection or use of your personal information. European Union individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Big Health at: firstname.lastname@example.org.
Big Health commits to cooperate with the panel established by the EU data protection authorities (DPAs) and comply with the advice given by the panel with regard to data transferred from the EU.
Questions relating to revisions to this Policy may be addressed to the Privacy and Security Officer whose contact information is below. This Policy will be promptly revised if there is a material change to a policy described herein.
If you believe that any of your rights with respect to your or others’ identifiable health information have been violated by us, our employees or agents, please communicate with the Big Health Privacy and Security Officer at:
Privacy and Security Officer email@example.com
If we are subject to the Health Insurance Portability and Accountability Act (“HIPAA”), you may also contact the Secretary of the U.S. Department of Health and Human Services. Under no circumstances will we take any retaliation against you for filing a complaint.
Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option may be available before a Privacy Shield Panel.
Effective Date: This Policy is effective as of March 30, 2017.