GroHealth.com and our Gro Health mobile app (each of and together the “Sites” or "Service") are owned and operated by DDM Health Ltd of Technology House, Science Park, University of Warwick, Coventry, CV4 7EZ (“we”, “us”, “our“).
For the purposes of data protection law: the data processor and data controller is DDM Health Ltd with registration number Z3613413. To learn more about data processors and data controllers, please see the ICO definition of what are processors and controllers.
Last updated: November 10, 2021.
1. WHAT IS PERSONALLY IDENTIFIABLE INFORMATION (PII) / PERSONAL DATA?
1.1. Personal data or PII means any information relating to a person who can be identified either directly or indirectly by that information; it may include name, address, email address, phone number, credit / debit card number, IP address, location data, purchase history (“Personal Data”).
2. INFORMATION WE MAY COLLECT FROM YOU
2.1. We may collect and process the following data about you:
- Information you provide to us – This includes:
- Information provided at the time of registering to use our Sites, for the purchase of products and/or use of our services, posting material, submitting testimonials, reviewing products, raising quotes or general enquiries, completing an offer submission, entering a competition or requesting further services. We may also ask you for information when you report a problem with our Sites or regarding the products and services provided by us.
- Sensitive Personal Data concerning health matters from or about you if you disclose such information on our Sites (when signing up for an account with us, when registering to take part in clinical trials, making enquiries or otherwise). This includes information relation to your health condition, treatments and medications you make take and healthcare and medical devices you may use.
- If you contact us, we may keep a record of that correspondence and/or any video or audio uploads or telephone calls.
- We may also ask you to complete surveys that we use for research purposes, although you do not have to respond to them.
- Details of transactions you carry out through our Sites and of the fulfilment of your orders.
- Payment details including but not limited to the name on your bank card, the invoice address and partial card number.
- Information we collect about you – When you visit the Sites we may automatically collect information about your computer or device, including your IP address, information about your visit, your browsing history, and how you use the Sites. This information may be combined with other information you provide to us, as described above.
- Information we receive from other sources – We are also working closely with third parties (including, for example, business partners, advertising networks, analytics providers, and search information providers) and may receive information about you from them. This may be combined with other information you provide to us, as described above.
2.2. Please note you have the option of what information in your account is publicly displayed. Furthermore, within your account, you have the option to opt-in or opt-out of automatically generated e-mails from us.
2.3. Please note that as a user of the Gro Health platform you will have limited accessibility to the program (i.e. free trial) and the features within it until a subscription is purchased. As a free user of the Gro Health we hold the right to contact you with a personalised journey specifically for non-paying customers. The journey you receive will be in accordance with the communication preferences that you select. We may contact you via email, SMS, and push notifications. Communication preferences can be edited at any time via the preference centre in the settings section of the program. Toward the expiry of your free user subscription, we may contact you with information on how to purchase a subscription and the benefits of doing so.
2.4. Data security is extremely important to us. All data is stored encrypted-at-rest (i.e. in storage) and also during transit. Your data is stored in the United Kingdom, using Google Cloud and Microsoft Azure services located in the United Kingdom.
2.5. Anonymised, aggregate data may be transferred outside of the United Kingdom for the purposes detailed in Section 7.
2.6. Only data exported by the end user, with their consent to share, is sharable outside of the platform over and above what is listed in section 6.
2.7. What data do you collect and why? Gro Health is a personalised platform that moves away from a ‘one size fits all’ approach to the treatment and care of people and instead uses data to better manage peoples’ health and target experiences and therapies to achieve the best outcomes in the management of health or predisposition to disease. As our health is determined by our inherent differences combined with our lifestyles and environment, by combining and analysing information that patients wish to share, with other clinical and diagnostic information, patterns can be identified that can help to determine our individual risk of developing disease; detect illness earlier; and, determine the most effective interventions to help improve our health, be they medicines, lifestyle choices, or even simple changes in diet.
To sign up, you just need to enter your date of birth, gender, email address and choose a password. We need your date of birth to ensure you are of legal age to use the app in your jurisdiction, and your gender to tailor your experience (education, resources, coaching, activities).
After signing up, you are asked to choose:
- Username: your username is used as a handle for your account when you converse with others in the community or through coaching.
- Goal: your goal enables the education and support you receive to be tailored to your health goals.
This is the minimum amount of information required to create your account.
After this, you can choose to tailor and improve your user experience optionally as follows, and use features of the app that track data:
- Health conditions: selecting your health condition will provide you with the appropriate education tailored to your health condition and resources.
- Medications: selecting your medications will ensure you see resources that are suited to the medications you take.
- Diet: selecting your dietary preferences and allergies enables appropriate meal plans to be shown to you. You can also decide which dietary approach you would like your education to be focused on.
- Activity level: by sharing your current activity level, recommended activities and exercise classes are tailored to your level, you can change this as you progress through the program.
- Units of measurement: choose the units you"d like to track your health in.
- Lifestyle: enter your weight, height and HbA1c (if you have it) to start with a baseline set of data so you can see your progress, and select whether you smoke or test your blood glucose to see education on these topics.
- Food diary: you can track the food that you eat via barcode scanning, text input of photos, the nutritional information is used against your preset macro ratios to share with you how many grams of carbs, fats and protein you have left to consume within the day to meet your targets.
- Health tracking: This data can be tracked by integrating your wearable device, self-inputted or logged from workouts you complete within the app. This data is used to track how active you have been and used to visually represent your data over time.
We also collect usage data from use of the web and app, which you can opt-out of by contacting the Support Team. To get in touch, tap on Help > Contact us. You can set, accept and reject your cookies on the GroHealth.com website.
3. NOTIFICATIONS (EMAIL, IN-APP NOTIFICATIONS)
3.1. You may choose to opt-in and out to receive our email and in-app communications. No marketing notifications are dispatched.
3.2. In order to unsubscribe from emails, please select “Unsubscribe” from an email or toggle in-app. Similarly, toggle notifications from Settings > Notifications. Please contact us at firstname.lastname@example.org if you require any assistance with unsubscribing from our newsletter.
4. MEDICAL INFORMATION
4.1. You should be aware that information captured via our Sites may be viewed by our medical team. None of this information will be passed to any other person except for:
- disclosure for the prevention of crime;
- in accordance with applicable law;
- compliance with the direction of any regulatory or governing bodies;
- for the purposes of preventing injury or harm to you as the data subject; or
- when registering to receive services or take part in clinical trials/surveys, to the responsible organisation(s).
5. PURPOSES FOR WHICH WE PROCESS PERSONAL DATA
5.1. The platform has been developed to ensure that data minimisation principles are met. What this means is, that we build solutions that use as little data as required to provide a clinically safe and enjoyable user experience. We will only process your Personal Data, in accordance with applicable law, for the following purposes:
- creating and maintaining your customer account, if you become a registered customer with us;
- handling and fulfilling your requests, if you request goods and/or services from us;
- offering our services to you in a personalised way, for example, we may provide you with information that you request from us or which we feel is tailored to your preferenced, where you have consented to be engaged for such purposes;
- facilitating your relationship with your health or life insurance company, if you have been referred to us by them and based solely on your involvement with the Gro Health;
- to publish testimonials you submit about us and/or the Sites and to identify you as the author of such testimonial(s) (identification will be limited to your [first name, age, gender and location];
- for research and statistical purposes, but any Personal Data relating to your health will always be anonymised and aggregated and will not identify you;
- administering any promotion or competition, that you enter via the Sites or via email communication;
- to allow you to participate in interactive features of our services, when you choose to do so;
- resolving any disputes, if you lawfully exercise your rights or if you wish to dispute any part of our service offering;
- sending you personalised behavioural change communications, where you have agreed that we may do so, in order to keep you engaged and sustained in your health through our services;
- providing you, or allow carefully selected third parties to provide you, with information about products or services, that may interest you;
- ensuring the security of your account and our business, preventing or detecting fraud or abuses of our Sites, for example, by requesting verification information in order to reset your account password (if applicable);
- developing and improving our products and services, for example, by reviewing visits to the Sites and its various subpages, demand for specific products and services and user comments;
- to administer the Sites and for internal business administration and operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
- to notify you about changes to our services and to send you service emails relating to the activities you have asked us to undertake on your behalf;
- as part of our efforts to keep the Sites safe and secure; and
- to comply with applicable law, for example, in response to a request from a court or regulatory body, where such request is made in accordance with the law.
5.2. Your consent, as the “Data Subject”, to the processing as specified in this Policy is the primary legal ground for our processing of your Personal Data. However, there may be circumstances where we may also rely on other valid legal grounds for the processing of your Personal Data, such as:
- your request for content, products or services necessitating steps including processing of your Personal Data to be taken prior to entering into contract with you and any processing that is necessary for the performance of such contract;
- legitimate interests we pursue as a business, except where such interests are overridden by your interests and fundamental rights; and
- compliance with any legal obligation to which we are subject, such as, for example, the processing for the purposes of complying with applicable law.
5.3. Should the purpose of data collection change, you will be informed and opt-in consent re-obtained.
5.4. The platform does not send marketing emails. Emails and in-app notifications you receive are part of the behaviour change pathway, which you can toggle on/off from the Settings area. Informed consent will be requested for the purpose of marketing.
5.5. No user data is intended to be shared or processed for any purpose that has not been made clear to the user. The platform has been developed to ensure that data minimisation principles are met. What this means is, that we build solutions that use as little data as required to provide a clinically safe and enjoyable user experience. DDM has followed data minisation principles by ensuring that data collected and processed is not be held or further used unless:
- this is essential for reasons that were clearly stated in advance to support data privacy; and
- explicit opt-in re-consent is obtained
5.6. To opt out of each, or any, of the processing activities, please contact us at email@example.com. If you opt out of us holding and maintaining your account or us complying with applicable law you will not be able to use the Service because these processing activities are required to deliver you the Service.
6. DISCLOSURE OF YOUR INFORMATION
6.1. There are circumstances where we wish to disclose or are compelled to disclose your Personal Data to third parties. This will only take place in accordance with the applicable law and for the purposes listed above. These scenarios include disclosure to:
- our subsidiaries, branches or associated offices;
- your NHS Clinical Commissioning Group, if they have referred you to Gro Health. Any information shared with your NHS Clinical Commissioning Group will be in anonymised aggregated form and will not identify you. You will always be asked to opt-in to sharing any identifiable data;
- to comply with our legal obligations to carry out the instructions of the controller, for example, if you are referred to the Service by your NHS GP, we may adopt the legal basis of the controller to allow us to carry out their instructions, and may, for instance, share data with the NHS Clinical Commissioning Group (CCG) or care organisations that provided you access to the Service. This will be in anonymised format. You will always be asked to opt-in to sharing any identifiable data, with any new party or for any new purpose;
- your health insurance company (who may have referred you to the Gro Health or who you have otherwise notified us of) in order for them to contact you to discuss your insurance policy in connection with your participation in the Gro Health;
- the Swiss Re Group, who is a leading global reinsurer and who facilitates our relationship with your health or life insurance company. This data is only shared if you have been provided Gro Health by your insurance company and you have consented to share this information. Any information shared with the Swiss Re Group will be in anonymised aggregated form only and will not identify you;
- the commissioning NHS CCG, Trust, ICS or local authority of Gro Health;
- our selected marketing agents, where you submit testimonials about us and/or the Sites, in order for those agents to publish such testimonials via various media (which may include online and printed publications and/or film);
- to facilitate the provision of goods and/or services to you, together with such other goods and/or services as we and/or they feel may interest you;
- to research organisations where the information has been anonymised and aggregated;
- our advertising partners who enable us to deliver personalised ads to your devices or similar advertising;
- analytics and search engine providers that assist us in the improvement and optimisation of the Sites. Your Personal Data is generally shared in a form that does not directly identify you;
- third party analytics providers that assist us in establishing trends amongst our users based on the information you provide to us and generating associated content (for example, news articles and/or social media posts);
- selected third party service providers in order to share the statistical and analytical information generated above, in an anonymised and aggregated format only;
- third party service providers and consultants in order to protect the security or integrity of our business, including our databases and systems and for business continuity reasons;
- another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution or similar event. In the case of a merger or sale, your Personal Data will be permanently transferred to a successor company;
- public authorities where we are required by law to do so;
- if required, in order to receive legal advice; and
- any other third party where you have provided your consent.
7. INTERNATIONAL TRANSFER OF PERSONAL DATA
7.1. We may transfer your Personal Data to a third party in countries outside the country in which it was originally collected for further processing in accordance with the purposes set out above. In particular, your Personal Data may be transferred throughout our group and to our outsourced service providers located abroad. In these circumstances we will, as required by applicable law, ensure that your privacy rights are adequately protected by appropriate technical, organisation, contractual or other lawful means. Please contact firstname.lastname@example.org for a copy of the safeguards which we have put in place to protect your Personal Data and privacy rights in these circumstances.
8. RETENTION OF PERSONAL DATA
8.1. Your Personal Data will be retained until your last use of our services and normally for a period of three years thereafter, unless longer retention is required by applicable local law or where we have a legitimate and lawful purpose to do so. However, we will not retain beyond this period any of your Personal Data that is no longer required for the purposes set out in this Policy. The retention of your Personal Data will be subject to periodic review.
8.2. We may keep an anonymised form of your Personal Data, which will no longer refer to you, for statistical purposes without time limits, to the extent that we have a legitimate and lawful interest in doing so.
8.3. Please contact us at email@example.com if you would further details about our data retention periods.
8.4. If you no longer wish for Gro Health to process your personal information, you are free to withdraw your consent by deleting your account. To do so, please navigate in the app to Main Menu -> Help -> Contact us -> Account Deletion, and send us a request to delete your account.Please note that after you withdraw your consent and delete your account, you will still be able to access some of the features and content available on our websites, but you will not be able to log in. If you have any questions or concerns about deleting your account or withdrawing your consent, please reach out to our Support Team for assistance.
9. DATA SUBJECT RIGHTS
9.1. Data protection law provides Data Subjects with numerous rights, including the right to: access, rectify, erase, restrict, transport, and object to the processing of, their Personal Data. Data Subjects also have the right to lodge a complaint with the relevant data protection authority if they believe that their Personal Data is not being processed in accordance with applicable data protection law. To execute any of your rights listed, please contact us by writing at firstname.lastname@example.org. We will get back to you in 1 working day, and respond to any requests to exercise your rights within 21 working days.
- Right to make subject access request/access your Personal Data (SAR) (Article 15 GDPR): Data Subjects may, where permitted by applicable law, request copies of their Personal Data. If you would like to make a SAR, i.e. a request for copies of the Personal Data we hold about you, you may do so by writing to email@example.com. The request should make clear that a SAR is being made. You may also be required to submit a proof of your identity.
- Right to rectification (Article 16 GDPR): You may request that we rectify any inaccurate and/or complete any incomplete Personal Data.
- Right to withdraw consent (Article 7 GDPR): You may, as permitted by applicable law, withdraw your consent to the processing of your Personal Data at any time. Such withdrawal will not affect the lawfulness of processing based on your previous consent. Please note that if you withdraw your consent, you may not be able to benefit certain service features for which the processing of your Personal Data is essential.
- Right to object to processing including automated processing and profiling (Article 21 GDPR): You may, as permitted by applicable law, request that we stop processing your Personal Data. In relation to automated processing and profiling, you may object to the processing and you will have the right to obtain human intervention.
- Right to erasure (Article 17 GDPR): You may request that we erase your Personal Data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your Personal Data, such as, a legal obligation that we have to comply with, or if retention is necessary for us to comply with our legal obligations.
- Right to data portability (Article 20 GDPR): In certain circumstances, you may request that we provide your Personal Data to you in a structured, commonly used and machine readable format and have it transferred to another provider of the same or similar services. We will comply with such transfer as far as it is technically feasible. Please note that a transfer to another provider does not imply erasure of your Personal Data which may still be required for legitimate and lawful purposes.
- Your right to lodge a complaint with the supervisory authority. We suggest that you contact us about any questions or if you have a complaint in relation to how we process your Personal Data. However, you do have the right to contact the relevant supervisory authority directly. To contact the Information Commissioner’s Office in the United Kingdom, please visit the ICO website for instructions.
9.2. We do not knowingly collect Personal Data online from individuals under 18. If you become aware that a child has provided us with Personal Data without parental consent, please contact us at firstname.lastname@example.org. If we become aware that an individual under 18 has provided us with Personal Data without parental consent, we will take steps to remove the data and cancel that individual’s account.
9.3. Gro Health retains your Personal Data:
- for as long as you maintain an account or as needed to provide you the Services and/or
- as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
9.4. Personal Data is destroyed when it is no longer necessary for the purposes listed in 9.3. The specific destruction process and method are as follows:
- Personal Data printed on the paper is shredded, burned, pulped, pulverized, or incinerated; and
- Personal Data stored in electronic form is deleted using technology designed to prevent the recovery of the Personal Data.
9.5 NHS login: Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
10.1. DDM Health Ltd comply with recognised International Data Management Standards, including ISO9001 and ISO27001 and have been accredited as part of this process.
10.2. DDM Health Ltd are fully compliant with The Data Protection Act 1998 and General Data Protection Regulation (GDPR).
10.3. Sites are developed alongside recognised compliance standards such as NHS Data Standards, including the NHS Information Governance toolkit.
10.4. The iOS and Android Gro apps are compliant with OWASP Mobile Application Security Verification Standard (MASVS) Level 2+R.
10.5. Gro Health is a MHRA-regulated Class I Medical Device.
10.6. Our MHRA number is 8939.
11.1. The Sites may, from time to time, contain links to and from the websites of our partner networks, advertisers, affiliates and other third parties. If you follow a link to any of these websites, please note that these websites may have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.
12. DATA PROTECTION OFFICER
12.1. The Data Protection Officer is Amar Singh. To contact the DPO, please email email@example.com or use the in-app contact form.
1.2. You may delete and block all cookies from our Sites by changing your browser settings to refuse the setting of all or some cookies. Making this change may affect the functionality of our Sites and you may not be able to access all or parts of the Sites.
2. OUR COOKIES
2.1. Strictly necessary cookies: these are cookies that are required for the operation of our Sites for example, cookies that enable you to log into secure areas of our Sites or use the shopping basket.
2.2. Tracking cookies and pixels:
- Tracking cookies are used to provide information on the pages that are viewed. Tracking cookies set from our Sites will be predominantly from Google Analytics and Hitslink. Common cookies you may encounter on our Sites are __utma, __utmb, __utmc, __utmz, __utmv which are for Google Analytics (see How Google uses data when you use our partners’ sites or apps for more information: https://policies.google.com/technologies/partner-sites?hl=en-GB&gl=uk)
- Tracking pixels may also be set in emails and banner display advertising to monitor the number of times that an email or banner has been seen. They are not used for any other purpose.
- Cookies may occasionally be used to display some users’ surveys or different versions of a page. We then use analytics to identify which version of a page provides a better user experience.
- Cookies may also be set to see how well certain banners ads are received. This helps to identify how many times an advertisement has been seen, clicked on or downloaded.
- Quantast cookies are set for 365 days and store your tracking cookies (first-party, third-party) preferences (see more information here: https://www.quantcast.com/privacy/).
3. MORE INFORMATION
3.1. For more detailed information about cookies please visit https://www.allaboutcookies.org.
4. CONTACT US