HealthHero Symbio Privacy Notice
This Privacy Notice contains important information on who we are and how and why we collect, store, use and share your personal information. It also explains your rights in relation to your personal information and how to contact us or supervisory authorities in the event you have a complaint.
This privacy notice aims to inform you about how we collect and process any information that we collect from you, or that you provide to us. It covers information that could identify you (“personal information”) and information that could not. In the context of the law and this notice, “process” means collect, store, transfer, use or otherwise act on information. It tells you about your privacy rights and how the law protects you.
We are committed to protecting your privacy and the confidentiality of your personal information. Our privacy notice is not just an exercise in complying with the law, but a continuation of our respect for you and your personal information.
We undertake to preserve the confidentiality of all information you provide to us and hope that you reciprocate.
Our privacy notice complies with the Data Protection Act 2018 (Act) accordingly incorporating the UK General Data Protection Regulation (GDPR).
The Symbio mobile and web applications are a HealthHero Group initiative, managed by the operating entities within the HealthHero family. The application is manufactured by our Product & Technical teams within the HealthHero Group, HealthHero Technologies Limited, and healthcare services are delivered by HealthHero Solutions Limited in the United Kingdom.
When you use our product in the UK, HealthHero product and technical teams within the HealthHero Group act as Data Processor, acting on instructions from the customer organisation.
Where users are signposted to our healthcare services such as GP and Mental Health, HealthHero Solutions Limited are the Data Controller (as defined under UK/EU GDPR), for all data submitted by service users using the Symbio mobile and web applications and related services accessed within.
For simplicity, we will refer to ourselves as HealthHero for the remainder of this notice.
Data will be processed within secure data centres located in the UK and France. These data centres are committed to respecting the rules for protecting the privacy of users of our website (or Client web application) and our mobile app, Symbio.
How is your Personal Data collected?
In the course of using its services, and in particular the services accessible on its mobile and web applications, HealthHero may collect and process personal data about you.
To ensure that these rules are applied, HealthHero has appointed a Data Protection Officer who is the main contact for the UK supervisory authority: the Information Commissioner’s Office (ICO). We also implement appropriate internal procedures to raise awareness and ensure compliance within our organisation.
Your personal data is collected through sign up and use of Symbio. Your organisation will initially use Symbio to input your email address to create your account. You will then receive an email with a link to the application and a sign-up page in order for you to complete your account details.
Once the account is set up, all data collected is submitted by you through the application by interacting with your Symbio chatbot and completing forms, answering questions or undertaking activities within the app.
None of your personal data entered into the Symbio mobile application is shared with your organisation. Please see the “Data Shared with your Organisation” section below for further details. Symbio might share anonymised data relating to usage and self-declared information to the organisation, displayed on the Client web application.
What is HealthHero's commitment to data protection?
HealthHero is committed to ensuring a high level of protection for the personal data of users of its website and mobile app (Symbio) and of any other person whose personal data it processes.
HealthHero is committed to complying with the regulations applicable to all processing of personal data that it implements. In particular, the following principles:
- your personal data are processed lawfully, fairly, and transparently (lawfulness, fairness, transparency);
- your personal data is collected for specified, explicit and legitimate purposes and is not further processed in a way incompatible with those purposes (purpose limitation);
- your personal data are kept adequate, relevant, and limited to what is necessary for the purposes for which they are processed (data minimization);
- your personal data is accurate, kept up to date and every reasonable step is taken to ensure that inaccurate data, having regard to the purposes for which it is processed, is erased, or rectified without delay (accuracy).
HealthHero implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk inherent in its processing operations, to meet regulatory requirements, and to protect the rights and data of data subjects at the design stage of processing operations, particularly in a health data context.
In addition, HealthHero contractually imposes the same level of personal data protection on its subcontractors (service providers, suppliers, etc.).
Finally, HealthHero is committed to complying with any other principles that may be required by applicable data protection regulations, including rights of data subjects, retention periods, and obligations regarding cross-border transfers of personal data.
What is the purpose of the data that may be collected by HealthHero?
Purposes Of Processing and Legal Bases
The purpose is, in particular, and without this list being exhaustive, to allow users to benefit from all the services available on the Symbio mobile app (creation of an account, discussion with the chatbot, configuration of reminders, feedback on bugs or improvements), to allow personalised browsing in the app, and to improve the parts that are of most interest to you. For the web application, it is to allow users to manage access to the Symbio mobile application, and to access the dashboards.
HealthHero processes your information for the purposes described in these rules and in accordance with the following legal bases:
- with your consent to process your information for purposes of personalising your experience on Symbio, to set up your notifications, and for connection with third party apps such as the Apple Health app. You can also opt in to receive our newsletter and HealthHero marketing communications. You are free to withdraw your consent.
- for the purposes of HealthHero's legitimate interests (enhancing security, providing the user with identification data)
- for statistical and research purposes using anonymised data
- for product and service performance, quality, and monitoring
If a basis on which we process your personal information is no longer relevant, then we shall immediately stop processing your data.
If the basis changes, then if required by law, we shall notify you of the change and of any new basis under which we have determined that we can continue to process your information.
How long will your data be kept?
HealthHero will keep your personal data for no longer than is necessary for the purposes for which it is processed. In addition, HealthHero retains your personal data in accordance with the retention periods imposed by applicable laws, including data related to health information.
These retention periods are defined according to the purposes of the processing carried out by HealthHero and take into account, in particular, applicable legal provisions imposing a specific retention period for certain categories of data, any applicable statute of limitations, as well as the recommendations of the ICO concerning certain categories of data processing.
Your Symbio account will remain accessible for the duration of your organisation’s contract with HealthHero. After the contract ends, depending on the contract end terms, your account will be deactivated. Please see account deactivation for further detail.
Your account may be deactivated in a number of ways:
- By HealthHero, when the contract between HealthHero and the contracting party ends (often your employer);
- As part of a Subject Access Request/Erasure Request made by the data subject (you);
- By a Manager of the contracting organisation (for example, when you leave their organisation);
When an account is deactivated, any personal data on your account will be deleted/anonymised and you will no longer be able to access your account.
Please note, data processed outside of the application in related services is NOT deleted when your account is deactivated as these services are governed by separate privacy policies.
If you decide to deactivate your account and later wish to re-register, a new account will need to be created for you. You will not have access to any data entered into your previous account.
What Personal Data is stored in the App?
The following categories of data may be kept on the Mobile app:
- scores on your mood, emotions, sleep quality, energy quality, personality;
- self-assessment data and results;
- exchanges with the chatbot;
- where applicable, data from the Apple Health app, specifically the number of steps taken per day;
- your profile data: e-mail address, gender, surname, first name, name used by the chatbot;
On the web application, the following categories of data are collected:
- First name
- Last name
- Work e-mail address
Related services and the relevant privacy information are listed below. This information is also provided within the application when accessing any of the related services.
Your organisation may have chosen to provide access to our GP Booking Services via the Symbio App. Please be aware, the GP Booking Service is provided separately by HealthHero Solutions and has a separate Privacy Notice linked here, with terms and conditions listed here.
Mental Health Counselling
Who may have access to your personal data in Symbio?
Your personal data within the application is not accessed by anyone and remains private to you. This includes your account information, contact details and any data you input into the application. As above, when you access related services your contact information will be shared with those services.
Supporting Issues with the app
Bug reports are submitted through use of Instabug within the application via the “Report a bug” option in settings. You can also submit queries through the “Ask a question” option. In order to properly assess your issue and support you, some data is shared with our support team. This includes the following:
- Email address
- Date and time of submission
- Device make/model
- Your last 10 steps made within the app
- The description of the issue/question submitted by you
In order to resolve the issue, our support team may contact you via email.
Data shared with your organisation
Some anonymised/statistical data is shared with your organisation within the Symbio app. These include usage data such as adoption rate of the application, top categories completed, number of active users and average mood evolution.
None of your personal data collected by Symbio is shared with your organisation.
The health data collected on Symbio Website and Mobile app are not communicated to third parties.
The technical and navigation data collected on the Symbio Website and its mobile app may be communicated to authorised HealthHero personnel, its partners or its service providers in the context of the performance of all or part of the services. We remind you that HealthHero requires its service providers to implement strict confidentiality and data protection measures. In addition, HealthHero may be required to provide personal information to authorized French or UK public authorities.
These partners/providers include:
- Data for the use of Symbio app:
  - In the EU (France): the data, stored at health data hosts (AWS and Azure), concerning the creation of the account and the profile, and the exchanges with the chatbot.
- Data for feedback on Symbio app:
  - Outside the Eurozone (USA): Instabug to provide feedback on bugs or improvements for Symbio app
- Technical data of Symbio app:
  - In the Eurozone (Germany): Datadog to analyse logs for improvement and bug fixes
- Marketing data:
  - In the Eurozone (Ireland): Adjust to do channel attribution and measure audience and traffic
Under the Data Protection Act 2018 and the GDPR, you have several rights which may apply to the services we provide including the right:
- to ask us for copies of your personal information (the right of access).
- to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete (the right to rectification).
- under certain circumstances, to require us to delete your personal information (the right to be forgotten).
- under certain circumstances, to require us to restrict processing of your personal information e.g., if you contest the accuracy of the data (the right to restrict processing).
- under certain circumstances, to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party (the right to data portability).
- under certain circumstances, to object to our continued processing of your personal information e.g., processing carried out for the purpose of our legitimate interests (the right to object).
You can withdraw your consent to future processing at any time, but this right cannot be applied to data already processed.
For further information on each of those rights, including the circumstances in which they apply, please contact us.
Except as set out in this notice, we do not share or disclose to a third party, any information collected through our website.
How can you exercise your rights?
In accordance with the applicable regulations on the protection of personal data, you may, at any time, exercise your rights of access, rectification, deletion of data concerning you as well as your rights to limit and oppose the processing and portability of your personal data.
In addition, you have the legal right to define directives concerning the fate of your personal data after death.
These rights can be exercised by post or by e-mail to the following address:
The Data Protection Officer
HealthHero Solutions Ltd
In this context, we kindly ask you to accompany your request with the elements necessary for your identification (surname, first name, email) as well as any other information necessary to confirm your identity.
For some specific services, these rights may be exercised directly online (managing your user account).
You also have the right to raise any concerns about how your personal data is being processed by us with the Information Commissioner’s Office (ICO):
0303 123 1113
HealthHero as a Data Controller and Data Processor
While in the majority of cases HealthHero acts as the Data Controller for data within Symbio Digital, there are certain processing actions that are undertaken where HealthHero acts as Data Processor. These circumstances are laid out below for clarity.
The Customer as Controller, HealthHero as Processor
During the initial sign up to Symbio Services, HealthHero creates a Customer account on Symbio Hub (part of Symbio Digital) authorising access to Symbio Digital for designated HR managers of the Customer.
The HR Manager of the Customer adds the list of Service Users to whom they wish to give Symbio access on the Symbio Hub. This triggers instruction emails to be sent to the Service Users, which include:
- A link to download Symbio Digital; and
- A code unique to that Service User to create their Symbio Account.
HealthHero as a Controller
- The terms and conditions establish the relationship between the Service User and HealthHero surrounding the Service User’s use of Symbio Digital.
- With regards to the transfer, processing and hosting of data, to the extent HealthHero is acting as a Data Controller, it has primary liability should anything go wrong in terms of protection of that data. HealthHero, in any event, undertakes to comply with relevant and applicable data protection legislation in relation to any personal data it processes in the provision of the Services.
- Personal Data processed in relation to clinical services is processed and hosted within the UK.
HealthHero implements all appropriate technical and organizational measures, taking into account the nature, scope and context of the personal and health data you provide to us and the risks presented by their processing, to safeguard the security of your personal data and, in particular, to prevent any accidental or unlawful destruction, loss, alteration, disclosure, intrusion or unauthorized access to such data.
The security and confidentiality of personal data depends on the good practices of everyone. That is why we invite you not to share your passwords with third parties, to always log out of your profile and to lock your phone when it is not in your field of vision. This will prevent other users from accessing your personal data.
Links to Other Websites
On the Symbio Website page and in the app, you are offered the possibility to click to access other websites of other companies. We advise you to read the privacy notice of these websites, as the terms and conditions on these websites may differ and HealthHero will not be responsible for the processing of personal data by these other websites.
HealthHero reserves the right to change this privacy notice from time to time and will post any modifications or additions to this notice within the application and any other locations this privacy statement is displayed.
This version was implemented on 31/01/2023.