My Possible Self Limited’s Privacy Policy
INTRODUCTION
My Possible Self Limited ("MPS", "we", "us" or "our") values the personal information which you provide to us in connection with your use of our app and website and wants to ensure that the way we deal with your personal information is in line with your expectations.
This Privacy Policy (together with our contract terms at app.mypossibleself.com/terms, and any other documents referred to in it) sets out the basis upon which any personal data we collect from you, or that you provide to us, will be processed by us.
Please read the following carefully to understand our practices regarding your personal data and how we will treat it. By visiting www.mypossibleself.com or app.mypossibleself.com and related pages, you are accepting and consenting to the practices described in this policy.
1.Purpose of This Privacy Policy
This privacy policy:
- provides you with detailed information about the types of personal information we may collect about you when you register with our app or website;
- explains what we do with that information, how we store that information and keep it secure and safe;
- explains the legal basis under data protection laws for our processing of your personal information;
- explains what rights you have under data protection laws in relation to your personal information and how you can exercise those rights.
MPS respects personal privacy, is committed to protecting personal data and fully complying with its legal obligations under the GDPR and the Data Protection Act 2018.
Our Privacy Policy does not apply to services offered by other companies or individuals, including products, or sites, that you may access via our app or website, or other sites linked to our services.
2.What is MPS?
MPS is a company which was incorporated on 18 February 2009 in England and Wales under No.06823416 and whose registered office is at Cardale House Cardale Court, Beckwith Head Road, Harrogate, North Yorkshire, HG3 1RY.
The business of MPS is to make available educational self-help materials to improve the mental health and well-being of its customers and users.
MPS is registered with the Information Commissioner’s Office (ICO) under registration No.ZA315531.
3.Contacting MPS
You can contact MPS by writing to us at the above address, or by emailing us at hello@mypossibleself.com.
4.Who is responsible for the management of data protection at MPS?
We have appointed Simon Miller as our data protection officer. Simon is responsible for the management of data protection at MPS and for dealing with any questions you may have in relation to this privacy policy. He can be contacted using the contact details given in sections 2 and 3 above.
5.What sort of personal data do we hold and collect?
Personal data means any information about an individual (a data subject) from which that person can be identified. It does not include data from which the identity of an individual cannot be identified (anonymous data).
When you register to use and then use our app or website, we may collect personal data about you including the following types of data (User Personal Data):
- Contact Data – This may include, for example, your email address and contact telephone numbers.
- Technical Data – This may include, for example, internet protocol (IP) addresses, MAC addresses, login data, browser type, version and language, time zone settings, operating system and platform, other device-specific information and details about technology on the devices people use to access our systems.
- Usage Data – When you use our services we automatically collect and store certain information in server logs. This includes details of how you use our app such as device type, module progress and mood postings.
In relation to User Personal Data MPS is the data controller. A data controller is a natural or legal person, public authority, agency or other body which makes decisions about how and why we process your personal data. As the data controller in relation to your personal data, we are responsible for ensuring that it is used in accordance with data protection laws.
6.Location Services
All location data used by the “risky places” feature within the Drinking and Gambling Safely Guided Series is processed locally only within the app. We do not receive, send or share any location data.
- A user will programme their phone to identify a particular place as a “risky place”;
- A user is invited by the App to set a radius around the risky place which will trigger a notification in the event that they enter the area defined by them around the risky place;
- My Possible Self does not receive, store, or process any location data in relation to this notification;
- Accordingly, My Possible Self does not use, store, process, or share any user location data for the purpose of the “risky places” feature or any other service or feature that it provides.
7.How do we collect User Personal Data
We collect User Personal Data as a result of your registering to use and using our app or website and when you contact us with a query that you may have about using our services.
8.How do we use User Personal Data?
We will only process personal data when the law allows us to.
Most commonly, we use User Personal Data in the following ways:
- To register you as a user of our app or website and permit you to use it.
- To deliver services that we provide to you and to manage our relationship with you, to meet your needs and to enable our services to deliver more useful, customised content.
- To improve the quality of our services and the infrastructure that we use to provide such services and develop new ones.
- To improve security by protecting against fraud and abuse.
- To conduct analytics and measurements so as to better understand how our services are used.
- To monitor usage of our app and website so as to manage capacity and deal with any technical issues that may arise from time to time.
- To produce aggregate Usage Data (from which individual users cannot be identified) to understand how our services are used and to provide the same to third parties and group companies who may use it for analytics, trend analysis and to improve and provide the products and services provided by us.
- To inform you about our services, such as letting you know about upcoming services changes, technical issues, improvements or changes to our terms of use.
- To develop and carry out marketing activities about our services and to manage our network.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal obligation to provide personal data.
9.The legal basis upon which MPS processes personal data
The law on data protection provides a number of different grounds that a company such as MPS can rely on to make its processing of personal data lawful.
MPS relies on the following four legal grounds to process User Personal Data:
You Have Consented To Our Using Your Personal Data
We can collect and process your personal data with your consent.
MPS’ Contractual Obligations & Performance
We may process User Personal Data to comply with and perform our obligations and exercise our rights under our contract with you. We also rely on this basis when ascertaining whether or not you are complying with our Terms of Service [link] and enforcing those terms.
MPS’ Legitimate Interests
The law states that in specific situations, MPS can process User Personal Data to pursue our legitimate interests in a way which might reasonably be expected as part of running our business and which does not materially impact the rights, freedoms or interests of our customers. We rely on this basis to use your Contact Data to send you communications and information about other services we offer. We also rely on this basis to process your Usage Data to generate the anonymised data.
Legal compliance
We may process your User Personal Data to comply with any applicable legal obligation, law, regulation, legal process or enforceable governmental request or to detect, prevent or otherwise address fraud or crime prevention.
10.Sharing your User Personal Data
We may store your Technical Data and Usage Data on external log storage and with analysis providers. This allows us to improve the service we offer our customers.
MPS may share User Personal Data with any member of our group, for the purposes of data and trend analysis. Group in this context means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006.
We may disclose or share User Personal Data in order to comply with any legal obligation on us or to protect the rights, property, or safety of MPS or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection or the prevention of criminal conduct.
We may disclose User Personal Data to a purchaser of MPS or substantially all of its assets, in which case User Personal Data held by MPS will be one of the transferred assets.
We won’t share User Personal Data with any third party for the purpose of marketing unless you have given your consent to us doing that. If you do consent to receive information about third party products or services, we will provide you with relevant details of the third party (including who they are, where they are based and how they may be contacted) and will explain what User Personal Data will be shared with them.
11.How we protect your User Personal Data
We work hard to protect User Personal Data from unauthorised access, misuse, alteration, disclosure or destruction. We have put in place appropriate security measures to prevent User Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In particular the steps we take to protect User Personal Data include:
- The encryption, pseudonymisation and / or anonymisation of the User Personal Data we process and store, where reasonably feasible.
- The regular monitoring of our systems for possible vulnerabilities and attacks.
- The use of firewalls, web application firewalls, threat detection, vulnerability analysis and traffic encryption using strong protocols and ciphers.
- The restriction of access to User Personal Data to MPS employees, contractors and agents who need to know that information in order to process it and who are subject to strict contractual confidentiality obligations.
- The use of systems which run on industry leading cloud services providers which are compliant with the most rigorous industry standard certifications in order to guard against unauthorised access to systems.
- By putting in place procedures to deal with any suspected personal data breach.
12.Data breaches
In the unlikely event that there were to be any unauthorised access to (or an event occurs that creates a real risk of any unauthorised access to) any User Personal Data which MPS holds, then MPS will, if it considers that such events give rise to a high risk of affected individuals being adversely impacted, notify the affected individuals (and the Information Commissioner) as soon as reasonably practicable.
13.How long will we keep your User Personal Data?
To determine the appropriate retention period for any particular type of User Personal Data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of such personal data, the purposes for which we process such personal data and whether we can achieve those purposes through other means, and the applicable legal and regulatory requirements.
We retain User Personal Data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. Generally these periods are as follows:
- Contact Data – this is kept for as long as the account is active and is retained for a further 60 days from the date each user’s account is deleted;
- Technical Data – 14 days; and
- Usage Data – 12 months 12 days.
At the end of the retention period, personal data will be deleted completely.
In some circumstances data subjects can ask us to delete their personal data.
14.Marketing
We may use your Contact Data to inform you about our services – for example we may send you emails or electronic notifications letting you know about upcoming service changes, technical issues, improvements or changes to our terms of use.
We may also use your Contact Data to send you emails containing information about products and services we offer or to conduct surveys but we won’t do that if you opted not to receive such emails when you registered with us. Any email of this type that we send you will contain an opt out option, which you can use to tell us that you no longer wish to receive this kind of email.
We won’t otherwise share your User Personal Data with any third party for marketing purposes without first obtaining your express opt-in consent.
You can ask us or any approved third parties to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.
15.Where User Personal Data may be processed
We will only process User Personal Data within the UK or the EEA. The EEA includes all 27 EU Member countries as well as Iceland, Liechtenstein and Norway.
We would only ever use a cloud based server, located outside the UK or the EEA, to store User Personal Data if our contractual relationship with the cloud services provider ensured sufficient protection of personal data.
16.What rights do you have in relation to your User Personal Data?
You have a number of legal rights in relation to the User Personal Data we hold about you including the right to request:
- Access to the personal data we hold about you.
- The correction of personal data relating to you when incorrect, inaccurate, out of date or incomplete.
- That we stop using your personal data for direct marketing.
- That we stop any consent-based processing of your User Personal Data after you withdraw that consent.
- That we stop processing your User Personal Data where you contest it as being inaccurate.
- That any decision made based solely on the basis of automatic processing of your data (i.e. where no human has yet reviewed the outcome and criteria for the decision) is reviewed by a human being.
- A copy of any information about you which MPS holds at any time, and the right to obtain certain prescribed information about how we process it. This is known as a Data Subject Access Request.
17.Exercising your rights in relation to your User Personal Data
If you wish to exercise any of the rights set out above, then you should contact our Data Protection Officer, whose details are set out in paragraphs 2 and 3 above.
No Fee Usually Required
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if the request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with such a request in these circumstances.
Verifying Your Identity
We may need to request specific information from you to help us confirm your identity and ensure your right to access personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. Typically we will require at least two valid types of data, being the email address that you used to sign up to our network services with and details of the devices you used to access our service (for example MAC Address).
We may also contact you to ask you for further information in relation to your request to speed up our response.
Time Limit to Respond
We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if the request is particularly complex or if you have made a number of requests. In this case, we will notify you and keep you updated.
18.Getting us to stop using or keeping your Personal User Data
If you ask us to, we will, subject to compliance with any overriding legal obligations we owe to third parties, remove, delete or stop using your User Personal Data information. If you want us to do this then please contact us at dpo@mypossibleself.com. We will need to verify your identity as set out in section 16 above.
19.Changes to our privacy policy and data subject’s duty to inform us of changes
We keep our privacy policy under regular review. This version was last updated 16 April 2020. Any changes we may make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by email. Please check back frequently to see any updates or changes to our privacy policy.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.
20.MPS Policy on Cookies relevant to the Corporate Website (www.mypossibleself.com)
A cookie is a small file, which asks permission to be placed on your computer’s hard drive. Once you agree, the file is added and the cookie helps analyse web traffic or lets you know when you visit a particular site. Cookies allow web applications to respond to you as an individual. The web application can tailor its operations to your needs, likes and dislikes by gathering and remembering information about your preferences. In general, we use cookies and our records of the pages users have visited to gather information about all of our users collectively, such as what areas users visit most frequently and what services are accessed most. We only use such data in the aggregate. This information helps us determine what is most beneficial for our users, and how we can continually create a better overall experience for our users and improve our website in order to tailor it to customer needs. We use the following cookies for MPS:
| Company | Name | Purpose |
|---|---|---|
| | _ga | This cookie is used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. |
| Hubspot | hubspotutk | This cookie keeps track of a visitor's identity. It is passed to HubSpot on form submission and used when de-duplicating contacts. It contains an opaque GUID to represent the current visitor. It expires in 13 months. |
| Hubspot | __hstc | The main cookie for visitors. It contains the domain, utk, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session). It expires in 13 months. |
| Hubspot | _hssc | This cookie keeps track of sessions. This is used to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. It contains the domain, viewCount (increments each pageView in a session), and session start timestamp. It expires in 30 minutes. |
| Hubspot | _hssrc | Whenever HubSpot changes the session cookie, this cookie is also set to determine if the visitor has restarted their browser. If this cookie does not exist when HubSpot manages cookies, it is considered a new session. It contains the value "1" when present. It expires at the end of the session. |
| Hubspot | __cfduid | This cookie is set by HubSpot’s CDN provider, Cloudflare. It helps Cloudflare detect malicious visitors to your website and minimizes blocking legitimate users. It may be placed on devices to identify individual clients behind a shared IP address and apply security settings on a per-client basis. It is necessary for supporting Cloudflare's security features. It is a session cookie that lasts a maximum of 30 days. |
| Hubspot | __cfruid | This cookie is set by HubSpot’s CDN provider because of their rate limiting policies. It expires at the end of the session. |
| Hotjar | __hjid | This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the Hotjar User ID, unique to that site on the browser. This ensures that behaviour in subsequent visits to the same site will be attributed to the same user ID. |
Cookies help us provide you with a better website, by enabling us to monitor which pages you find useful and which you do not. A cookie in no way gives us access to your computer or any information about you, other than the data you choose to share with us.
21.Contacting the regulator to make a complaint
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority in relation to data protection issues (www.ico.org.uk). If you feel that your data has not been handled correctly, or are unhappy with our response to any requests you have made to us regarding our use of your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office. We would, however, appreciate the chance to deal with any such concerns before you approach the ICO so please contact us in the first instance.
The ICO can be contacted by calling 0303 123 1113 or by going online at www.ico.org.uk/concerns.
If you are based outside the UK, you have the right to lodge a complaint with the relevant data protection regulator in your country of residence.
22.Further information
Questions, comments and requests regarding this privacy policy are welcomed and should be addressed to dpo@mypossibleself.com.