Privacy Policy

Last updated: February 1, 2023

Big Health Inc and Big Health Ltd (“Big Health”, “we,” “us”, together acting as joint Data Controllers) are committed to protecting and respecting your privacy and Personal Data about you. Big Health provides you (“you” or the “User”) with access to the online and mobile services associated with Sleepio, including but not limited to, sleepio.com and all associated subdomains (the “Website”), and the Sleepio mobile application (the “App”), collectively the “System”. The purpose of this Privacy Policy (“Policy”) (together with our Terms and any other documents referred to on it (the “Terms”)) is to describe our practices regarding information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual (collectively “Personal Data”). This Privacy Policy sets out the basis on which any Personal Data we collect from you, or that you provide to us, will be processed by us and how you can get access to Personal Data about you.

We are registered with the UK Information Commissioner’s Office as a Data Controller (Reg No. Z2141968) and have in place a comprehensive Company data protection policy and code of practice.


1. What Personal Data Do We Collect and for What Purposes?

We may collect the following categories of information that may, alone or in combination with other information, constitute Personal Data:

1.1 Information that You Provide to Us:

1.1.1 Identifiers and Other Information

We collect and use information like your name, email address, and phone number.

We also collect your age, date of birth, and gender.

You may also be given the opportunity to provide us with information such as race and ethnicity; you are not required to provide this data to use the System.

We use the information that you provide for the following purposes:

  • To provide you with any information that you request from us;
  • To communicate with you. You may make changes to the format and frequency of these reminders, or cancel these reminders and/or notifications by logging into your Sleepio account on the Website, and/or by accessing the native notification settings on your mobile device when using the App, or by utilizing the unsubscribe function included in an email to you;
  • To notify you about changes to the System;
  • To enable us to issue a notice, administrative, or corrective action to you in relation to the System, if required;
  • To assist our interpretation of your sleep, as your sleep patterns can vary based on age and/or gender;
  • To protect against, identify and prevent fraud and other unlawful activity, claims and other liabilities;
  • To comply with applicable legal requirements, industry standards, and our own policies; and
  • To protect the System, our intellectual property rights, and other rights.

1.1.2 Health Information That You Provide

Subject to your consent, we may collect the following information about your health (“Health Information”):

  • Information about your sleep (including, but not limited to, the time you spend in bed and time you spend asleep, number of interruptions in your sleep, and a self-reported evaluation of your sleep quality);
  • Information about pre-existing medical conditions; and
  • General information about your mental and physical wellbeing.

We use the Health Information that you provide for the following purposes:

  • To provide a personalized sleep improvement program (and to support the delivery of that program);
  • To determine eligibility for the System;
  • To ensure the safety and efficacy of the System; and
  • To evaluate progress against your self-defined goals.

1.2 Automatically Collected Information

The software used in connection with the System collects the following information that may, alone or in combination with other information, constitute Personal Data:

1.2.1 Electronic identifiers

We may collect information about the devices you use to access the System, including (but not limited to) IP address, mobile device UDID and IMEI numbers, operating system, browser type, and screen size.

1.2.2 Cookies and Other Software

We may store cookies (small text files managed by your web browser) on your computer in order to improve your experience with the System. Example uses of these cookies include recognizing you when you return to the System, maintaining data you've entered across multiple sessions, and storing information about your personal preferences.

You may refuse to accept cookies by changing the settings on your device to prevent cookies from being set. However, if you select this setting you may be unable to access certain parts of the System. Unless you have adjusted your browser setting so that it will refuse cookies, our system may issue cookies when you visit the System.

Our software may automatically generate a confirmation when you open an email from us, or click on a link in an email, if your computer supports this type of software. When you receive an email from us, you can opt out of receiving further emails by following the included instructions to unsubscribe. However, by opting out of further email communications after you sign up, you may limit program reminders and other valuable program content and components.

1.2.3 System Usage Data

The software used in the System may also collect milestone data (e.g., number of sessions you complete or how many diaries you fill out).

We use the automatically collected information for the following purposes:

  • To operate and improve the System, including through internal analytics and reporting to help us understand how you use the System, so that we can present content in the best manner;
  • To provide you with customer support, for system administration, to tailor your experience of the System, to report aggregate information internally, and to assist communication (e.g., push notifications);
  • To allow you to earn incentives and rewards (if those are offered as part of your wellness program);
  • To help us make emails more interesting and helpful;
  • To protect against, identify and prevent fraud and other unlawful activity, claims and other liabilities;
  • To comply with applicable legal requirements, industry standards, and our own policies; and
  • To protect the System, our intellectual property rights, and other rights.

1.3 Non-identifiable information

We may use Personal Data about you in creating aggregated data sets shared with our research partners. Once aggregated, the information no longer constitutes Personal Data, and such aggregated data would be used for supporting generalized statements (e.g., "men under the age of 30 have the worst sleeping habits in the UK").


2. What is Our Legal Basis for Processing Personal Data?

We will process Personal Data only if and to the extent that at least one of the following legal bases of processing applies:

  • Legitimate interest: We process the information that you provide as well as automatically collected information when the processing is necessary for the purposes of the legitimate interests pursued by Big Health and when these interests are not outweighed by your privacy interests;
  • Performance of a contract: We process the information that you provide when the processing is necessary for the performance of a contract, and specifically the Terms, to which you are a party;
  • Consent: We process Health Information when you have given consent to the processing of Health Information about you for the purposes described above. This consent can be withdrawn at any time.

3. When Do We Disclose Personal Data?

Big Health is dedicated to maintaining the confidentiality and integrity of Personal Data. As such, we have policies, procedures, and other safeguards to help protect it from improper use and disclosure.

We follow a Minimum Necessary Access Policy so any required disclosure of Personal Data about you is minimized. The following categories describe the ways in which we disclose Personal Data to persons and entities outside of Big Health. All permitted disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.

Big Health does not disclose Personal Data to third parties for any purpose materially different from the purpose(s) for which it was originally collected.

3.1 Disclosure at Your Request

We may disclose Personal Data relating to your use of the System when requested by you. This disclosure at your request may require written authorization by you.

3.2 Payment

Payment information is stored by third-party vendors who help us deliver the services associated with the System and we are committed to ensuring that all such vendors meet our security and data protection standards. As such, we may use and disclose Personal Data about you to obtain payment for services that we provide to you. For example, we may make disclosures to claim and obtain payment from your health insurer, HMO, or other company that arranges or pays the cost of some or all of your use of the System (“Your Payor”) or to verify that Your Payor will pay for health care.

3.3 Services and Operations

We may disclose Personal Data about you in connection with providing services. To the extent you receive access to the System through your employer or your health plan, our services may include supporting, and sharing information with, your employer’s wellness program, your health plan or third-party administrator or other similar programs. Possible information to be shared may include participation data (i.e., the fact that you used Sleepio), milestone data (e.g., number of sessions you complete or how many diaries you fill out) to allow you to earn incentives and rewards (if those are offered as part of your wellness program), as well as data from your initial sleep questionnaire. Information that identifies you as an individual will not be shared with your employer.

3.4 Third-Party Service Providers

In connection with the System, we may use third-party service providers. Examples of third-party service providers include accounting services, server hosting and email delivery providers, business associates, software analytics vendors and other business partners and reputable companies in the industry who subcontract to us or to those of your employer as our corporate customers, where permitted by law. We may disclose Personal Data about you to our third-party service providers so that they can perform the services. To protect Personal Data about you, we require appropriate contracts or written agreements be in place that safeguard Personal Data about you and limit the use of Personal Data for purposes of providing the services and for no other purpose.

3.5 Third-Party Medical Professionals

With your explicit permission, we may share Health Information about you with third-party medical professionals nominated by you, e.g., through Sleepio Clinic. You can revoke your permission at any time via your account page.

3.6 Public Access to Community Posts

Most of the Sleepio Community isn’t shared publicly and is only visible to other logged-in members. However, there is a subset of ‘General chat’ discussions which may appear in public searches. The profile messages appearing on the Community homepage at any one time may also be visible to non-members. Whilst we’ve taken care to anonymize your username in such cases (as “Sleepio member”), we’re not able to change the content of your comment or message. For this reason, we recommend that you exclude identifying information if you would like to remain anonymous while using the Community. You may want to choose a username that is unique to your Sleepio account and which wouldn’t identify you in any context.

3.7 Threat to Health or Safety

We may use and disclose Personal Data about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.

3.8 As Required by Law

Certain laws permit or require certain uses and disclosures of Personal Data, for example, in connection with a court order or a government investigation, or for purposes of public health activities, health oversight activities and law enforcement. In these instances, Big Health will only use or disclose Personal Data to the extent the law requires.

3.9 Personal Representatives or Persons Involved with Your Care

We must use and disclose Health Information to anyone who has the legal right to act for you (your personal representative) in order to administer your rights. We may also use or disclose Health Information to a person involved in your care or who helps pay for your care, such as a family member, when you are incapacitated or in an emergency, or when you agree or fail to object when given the opportunity. If you are unavailable or unable to object, we will use our best judgment to decide if the disclosure is in your best interests. Special rules apply regarding when we may disclose Health Information to family members and others involved in a deceased individual's care. We may disclose Health Information to any persons involved, prior to the death, in the care or payment for care of a deceased individual, unless we are aware that doing so would be inconsistent with a preference previously expressed by the deceased.

3.10 Transfer of Business Assets

In the event that we sell or buy any business or assets, we may disclose Personal Data to the prospective seller or buyer of such business or assets. If Big Health or substantially all of its assets are acquired by a third party, Personal Data about you may be one of the transferred assets.


4. How Do We Store and Transfer Personal Data?

Personal Data is stored in encrypted form on secure servers located in the US, which are owned and operated by Amazon Web Services (AWS). AWS are industry leaders in the provision of hosting services and take security very seriously - you can find out more about their security policies and processes in their Security Whitepapers.

We have signed European Commission approved Standard Contractual Clauses (also called 'model clauses') with our hosting providers in the US, to ensure that they adequately protect the data of EU/UK data subjects that they store for us. All passwords are stored in encrypted form and all sensitive traffic is transmitted securely via SSL by default. Personal Data about you may be transferred to, and stored at, other destinations inside the US, UK, or EEA by or to staff who work for Big Health or one of our suppliers. Such staff may be engaged in, among other things, the provision of support services. Additionally, data can be transferred between constituent companies (e.g., Big Health Ltd and Big Health Inc.), which may include transfers into and/or out of the EEA.


5. Your Rights

Users of the System have certain specific rights with regard to their information.

5.1 Right to Access

A User has the right to view all Personal Data that Big Health has collected about them. In order to receive this information, please contact the Security, Privacy, and Compliance Officer. The first copy of this information is provided free of charge, and in a portable / common electronic form (e.g., CSV file).

5.2 Right to Correct

A User has the right to ensure that the Personal Data we have stored is accurate. In most cases, the system allows you to directly modify Personal Data about you. However, if there is incorrect Personal Data within our system that you are not able to change, please contact the Security, Privacy, and Compliance Officer and we will work directly with you to update the Personal Data.

5.3 Right to Deletion

A user of the System has the right to request deletion of all data within the system. To request your data be deleted, please contact the Security, Privacy, and Compliance Officer. In most cases, this request will be completed within 30 days. If circumstances require a delay to this deletion, Big Health will notify you directly explaining the reason for the delay. Note also that in some cases, there may be a legal requirement to hold on to your data. Again, Big Health will notify you directly if this is the case.

5.4 Right to Withdraw Consent

A user of the System has the right to withdraw their consent relating to our processing of Health Information at any time by contacting the Security, Privacy, and Compliance Officer. Please note that without consent to process Health Information, we will be unable to provide the System to you.


6. Concerns or Complaints

If you believe that any of your rights with respect to your or others’ Personal Data have been violated by us, our employees or agents, please communicate with the Big Health Security, Privacy, and Compliance Officer.


7. Amending this Policy

We reserve the right to revise this Policy without notification. Any changes or updates will be effective immediately upon posting to www.sleepio.com/privacy. Your continued use of the System constitutes your agreement to abide by the Privacy Policy as changed. Under certain circumstances (for example, if we change the purposes for which we use Personal Data beyond the uses stated in our Privacy Policy at the time of collection), we may also elect to notify you of changes or updates to our Privacy Policy by additional means, such as by sending you an email.

Questions relating to revisions to this Policy may be addressed to the Security, Privacy, and Compliance Officer.


8. Who Can You Contact?

8.1 Security, Privacy, and Compliance Officer

Big Health's Security, Privacy, and Compliance Officer can be reached at:

Brandon Paluzzi
461 Bush Street
Suite 200
San Francisco, CA 94108
USA
privacy@bighealth.com

8.2 HIPAA

If we are subject to the Health Insurance Portability and Accountability Act (“HIPAA”), you may also contact the Secretary of the U.S. Department of Health and Human Services. Under no circumstances will we take any retaliation against you for filing a complaint.

8.3 EU Representative

Our EU Representative is DataRep. Users in the European Union can contact our Representative directly with any issues or questions by following these instructions.


© 2020 Big Health.