Privacy policy.
*Updated on: May 17th, 2022* Thanks for downloading the Iona Mind App. In order for you to participate in this App We will need your consent to this Privacy Policy and the associated Terms of Service. Thank you.
Privacy Policy
Introduction
Iona Mind, Inc. and Iona Mind Ltd (both together as “we”, “us” or “Iona Mind”) are committed to protecting and respecting your privacy. This Privacy Policy (“Policy”) (together with our Terms and any other documents referred to on it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us and how you can get access to this information. If in doubt, the primary governing law of this policy is that of the United Kingdom. We are registered with the UK Information Commissioner’s Office as a Data Controller (Reg No.ZA766249).
Purpose of this Policy
Iona Mind provides you (the “User”) with access to the online and mobile services associated with Iona Mind, including but not limited to, ionamind.com and all associated subdomains (the “Website”), and the Iona Mind mobile application (the “App”), collectively the “System”.
Our privacy policy is written to be compliant with numerous national and international laws and frameworks, including (but not limited to) the GDPR.
Processing your data
What is the purpose of our processing?
We process your data in order to provide a program of personalized self-help tools for improving your general mental wellbeing (and to support the delivery of that program).
What is our legal basis for processing?
We require consent from all users before processing their data. This consent can be withdrawn at any time.
What data do we collect?
Personal information
We collect and use information such as your name and email address to personalize the course and communicate with you. You're able to opt out of any external communications (i.e., email and “push notification” message) at any time.
We collect information about your general mental wellbeing (including, but not limited to, self-reported symptoms or difficulties associated with worry, anxiety, mood and stress and self-entered journal or diary entries) in order to personalize our program.
We also collect general information about your mental and physical wellbeing in order to evaluate progress against your self-defined goals.
Non-personal information
We may collect non-personal information, such as the pages and exercises you have accessed. We do this to determine how many people use the System, how many people visit on a regular basis, and how popular each of the parts, pages and exercises are. This information doesn't tell us anything about who you are or where you live. It simply allows us to monitor and improve the System.
Electronic identifiers
We may collect information about the devices you use to access the System, including (but not limited to) IP address, operating system, browser type, and screen size. This information is used to provide you with customer support, for system administration, to tailor your experience of the System, to report aggregate information internally, and to assist communication (e.g., push notifications). Finally this information may be used to protect Iona Mind from malicious activity or access.
Password
We store this in a secure one-way encrypted system. If you forget your password, you may request that it be reset, and we will send an email to you with instructions on how to do so.
Cookies
We may store cookies (small text files managed by your web browser) on your computer in order to improve your experience with the System. Example uses of these cookies include: recognizing you when you return to the System, maintaining data you've entered across multiple sessions, and storing information about your personal preferences.
You may refuse to accept cookies by changing the settings on your device to prevent cookies from being set. However, if you select this setting you may be unable to access certain parts of the System. Unless you have adjusted your browser setting so that it will refuse cookies, our system may issue cookies when you visit the System.
Non-identifiable information
We may include your data in aggregated data sets shared with our research partners. In these sets, your data is not personally identifiable, and would be used for supporting generalized statements.
Sensitive Personal Data
GDPR Article 9 specifies a set of special categories which are considered to be “sensitive personal data” (e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership) and which require special consideration by Data Controllers. When the System knowingly collects or processes any sensitive personal information it complies with the relevant regulations.
Who has access to that data?
Iona Mind understands that your identifiable information is private and personal and is dedicated to maintaining its confidentiality and integrity. As such, we will never sell or rent it, and we have policies, procedures, and other safeguards to help protect it from improper use and disclosure.
We follow a Minimum Necessary Access Policy so any required disclosure of your identifiable personal information is minimized. The following categories describe the ways in which we use your identifiable personal information and the rare instances that require us to disclose it to persons and entities outside of Iona Mind. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.
Iona Mind does not disclose Personal Information to third parties for any purpose materially different from the purpose(s) for which it was originally collected.
Disclosure at your request
We may disclose information relating to your use of the System when requested by you. This disclosure at your request may require written authorization by you.
Payment
We do not store credit card or customer details with any 3rd parties except trusted suppliers who help us deliver the services associated with the System and we are committed to ensuring that all suppliers meet our security and data protection standards. We do not use and disclose your identifiable personal information to obtain payment for services that we provide to you.
Services and Operations
We may use and disclose your identifiable personal information in connection with providing services, for our internal operations, which include administration, eligibility, planning, analytics and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve quality of the service, satisfaction surveys, de-identifying personal information, customer services and internal training.
If your access to Iona Mind is paid for or provided in association with a third party, we may share the following information with that third party so they can provide a more seamless integration with their services and monitor the general utilization and quality of our service:
Aggregate statistics on your general usage of the Iona Mind app
Information on which exercises, lessons or features you have used inside the Iona Mind app
Your recent answers to any well being questionnaires inside the app
Emails
We may receive a confirmation when you open an email from us, or click on a link in an email, if your computer supports this type of program. We use this confirmation to help us make emails more interesting and helpful. When you receive an email from us, you can opt out of receiving further emails by following the included instructions to unsubscribe. However, by opting out of further email communications after you sign up, you may limit program reminders and other valuable program content and components.
Reminders and notifications
We may use your identifiable personal information to contact you as a reminder to interact with, or complete tasks relating to your use of the System. You may make changes to the format and frequency of these reminders, or cancel these reminders and/or notifications by logging into your Iona Mind account in the App, and/or by accessing the native notification settings on your mobile device when using the App.
Third party service providers
There are some services provided in our organization through third party services providers. Examples of third party services providers include accounting services, several hosting and email delivery providers, business associates, vendors and other business partners and reputable companies in the industry who subcontract to us or to those of your employer as our corporate customers, where permitted by law. We may disclose your identifiable personal information to our third party services providers so that they can perform the job that is required of them. To protect your identifiable personal information, we require appropriate contracts or written agreements be in place that safeguard your identifiable personal information.
Declaration of Personal Data Sub-Processors
To make an informed decision on whether to provide your personal data to Iona Mind when using the System, we need to make you aware of the organizations that act as Data Sub-Processors for Iona Mind, helping in the provision of the System and its functionality. These partners are as follows:
Google Firebase: Used to authenticate users and manage user accounts (e.g. send password reset emails etc.) . If the user does not create an account, then Firebase is used to assign a unique anonymous identifier to that user. Google, including Google Inc. and its wholly-owned US subsidiaries, comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
Google Analytics: Used to provide analytics to understand how the Service is used and help provide actionable insights for improvements. Google, including Google Inc. and its wholly-owned US subsidiaries, comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
Google G Suite: Used as email system, so any emails you send to support will be handled by G Suite. Google, including Google Inc. and its wholly-owned US subsidiaries, comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
Crashlytics (Part of Google): Used to provide actionable insights and analytics on crash reporting. Part of Fabric, acquired by Google’s Developer Products Group. Crashlytics complies with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
IBM and AWS: Hosting and cloud services. IBM and AWS comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
RevenueCat: Payment processing services. RevenueCat complies with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States. We do not share any unencrypted identifiable information such as e-mail addresses with RevenueCat. RevenueCat assist with processing notifications of payments made through Apple and Google payment services
Facebook Pixel: Used to provide analytics to understand how the Service is used and help provide actionable insights for improvements. Facebook, including Facebook Inc. and its wholly-owned US subsidiaries, comply with the EU-US Privacy Shield Framework, as set forth by the US Department of Commerce, covering the collection, use and retention of personal data transferred from the European Union to the United States.
As required by law
Certain laws permit or require certain uses and disclosures of identifiable personal information for example, for public health activities, health oversight activities and law enforcement. In these instances, Iona Mind will only use or disclose your identifiable personal information to the extent the law requires.
For research and publicity purposes
We may use private information for internal research purposes and to monitor the quality of our service. We will not look at identifying information such as email addresses when we review data in our system for internal research, quality and monitoring purposes. De-identified and aggregated data may be used for external research or publicity purposes. This may include publishing aggregate and de-identified information about our users in the context of providing public health information and conducting academic research. In certain instances, we may only provide such information with special waivers and permissions from you.
Transfer of business assets
In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets. If Iona Mind or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets.
How do we store your data?
Information you provide to us is stored in encrypted form on secure servers located in the UK, which are owned and operated by Amazon Web Services (AWS). AWS are industry leaders in the provision of hosting services and take security very seriously.
Your rights
Users of the System may have certain rights under applicable laws in the U.S. and the United Kingdom, and we will honor the rights described below.
Right to access
A user of the System has the right to view all personal information that Iona Mind has collected about them, as well as the disclosure of this data. In order to receive this data, please contact the Data Protection Officer ( privacy@ionamind.com ). The first copy of this information is provided free of charge, and in a portable / common electronic form (e.g., JSON file).
Right to accuracy
A user of the System has the right to ensure that the data we have stored is accurate. In most cases, the system allows you to directly modify your own information. However, if there is incorrect data within our system that you are not able to change, please contact the Data Protection Officer ( privacy@ionamind.com ) and we will work directly with you to update this information.
Right to deletion
A user of the System has the right to request deletion of all data within the system. To request your data be deleted, please contact the Data Protection Officer ( privacy@ionamind.com ). In most cases, this request will be completed within 30 days. If circumstances require a delay to this deletion, Iona Mind will notify you directly explaining the reason for the delay. Note also that in some cases, there may be a legal requirement to hold on to your data. Again, Iona Mind will notify you directly if this is the case.
Right to withdraw consent
A user of the System has the right to withdraw their consent at any time by contacting the Data Protection Officer ( privacy@ionamind.com ). Please note that without consent to process your data, we will be unable to deliver any functionality in the Iona Mind app.
Right to notification of disclosure
In addition to the right to request disclosures of your data specified in the "right to access" above, we will notify you as required by law if there has been a breach of the security of your identifiable personal information.
Right to restrict processing
You have rights to ‘block’ or suppress further use of your personal information. When processing is restricted We can still store your information, but may not use it further. We keep lists of people who have asked for further use of their information to be ‘blocked’ to make sure the restriction is respected in future. Access to your personal information is required to provide the Iona Mind app.
Right to object to processing
You have the right to object to certain types of processing at any time by contacting the Data Protection Officer ( privacy@ionamind.com )
Concerns or complaints
If you believe that any of your rights with respect to your or others’ identifiable personal information have been violated by us, our employees or agents, please communicate with the Iona Mind Data Protection Officer ( privacy@ionamind.com )
International Transfers of Personal Data
As described above, to be able to provide you with the System, we may transfer your personal data to partners in countries outside the UK (such as the United States). These countries’ privacy laws may be different from those in the UK. Should we transfer data to a country which has not been deemed to provide adequate data protection standards, we always have security measures and approved model clauses in place to protect your personal data.
External Links
The System includes relevant hyperlinks to external websites which are not directly controlled by Iona Mind. Whilst all reasonable care has been exercised in selecting and providing such links, you are advised to exercise caution before clicking any external links. We cannot guarantee the ongoing suitability of external links, nor do we continually verify the safety or security of the contents which may be provided to you. You are advised, therefore, that your use of external links is at your own risk and We cannot be responsible for any damages or consequences caused by your use of them.
Amending this Policy
We reserve the right to revise this Policy without notification. Any changes or updates will be effective immediately upon posting to the privacy policy inside the app or on the website. Your continued use of the System constitutes your agreement to abide by the Privacy Policy as changed. Under certain circumstances (for example, if we expand the ways in which we use your personal information beyond the uses stated in our Privacy Policy at the time of collection), we may also elect to notify you of changes or updates to our Privacy Policy by additional means, such as by sending you an email.
Questions relating to revisions to this Policy may be addressed to the Data Protection Officer ( privacy@ionamind.com )
Who can you contact?
Data Protection Officer
Iona Mind's Data Protection Officer can be reached at:
privacy@ionamind.com
Effective Date
This Policy is effective as of May 17th, 2022