This privacy notice sets out what personal information we collect, how and why, how we look after it, who we share it with, how long we keep it for and your privacy rights.
Our website and services are not intended for children and we do not knowingly collect data relating to children.
Last updated: 21 May 2021
Telephone: +44 (0)333 577 3210
Office: BioMe Health and Performance Limited, 22 Farfield Road, Shipley, United Kingdom, BD18 4QP
What personal information we collect
We collect your personal information when you visit or use our website, enquire about, book or use our services, sign up to our weekly email, or otherwise contact us.
Typically we will collect the following information.
- Identity data includes first name, last name, username or similar identifier.
- Contact data includes billing address, street address, email address and telephone numbers.
- Wellbeing data means the data you provide through our wellbeing questionnaire and any other information you provide before, during, or after any service provided by BioMe. (This data may be provided in online questionnaires, via email or other forms of electronic communication, or verbally during in-person sessions.) This may include information about your health and lifestyle, your wellbeing goals, your work environment and culture, and your views on your organisation’s approach to employee health and wellbeing.
- Financial data includes bank account and billing details.
- Transaction data includes details about payments to and from you and other details of BioMe Services you have purchased from us.
- Technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website.
- Profile data includes your username and password, purchases or orders, interests, preferences, feedback and survey responses.
- Marketing and communications data includes your marketing preferences and your communication preferences.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data may be derived from your personal data but this data does not directly or indirectly reveal your identity. For example, we may aggregate data to calculate the percentage of users with a particular health problem, or to understand how well the programmes or other BioMe services are working and how they can be improved. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in line with this privacy notice.
To provide the services we collect and process data about your health, which is a ‘special category of data’ under data protection legislation. This means we ask for your consent and take extra care to keep it secure.
Withdrawing your consent for health information
You can withdraw your consent at any time by letting us know. However, this means we won’t be able to provide the service to you.
How we collect personal information
- Directly from you. You may give us your identity, contact, wellbeing and financial data by filling in forms / questionnaires or contacting us by post, phone, email or otherwise. This includes personal information you provide when you book or attend a programme or return our questionnaire.
- Typeform. We use Typeform for our questionnaires, as well as for other forms including programme registration and evaluation. They act on our behalf and their privacy notice is here: https://admin.typeform.com/to/dwk6gt.
- Your employer. If your employer pays for you to attend a programme or for our services, they may, in some circumstances, provide us with your identity and contact data.
What we use personal information for
We have set out below, in a table format, a description of all the ways we use your personal information, and which of the lawful bases we rely on.
|Purpose||Type of information||Lawful basis|
|To register you as a new customer||(a) Identity (b) Contact||Performance of a contract with you|
|To process your order including:(a) managing payments, fees and charges;(b) collecting and recovering money owed to us||(a) Identity (b) Contact (c) Financial (d) Transaction (e) Marketing and communications||Performance of a contract with you Necessary for our legitimate interests (to recover debts due to us)|
|To deliver our services to you||(a) Identity (b) Contact (c) Wellbeing(d) Profile||Explicit consent for health dataPerformance of a contract with you |
|To manage our relationship with you which will include:(a) notifying you about changes to our terms or significant changes to our privacy notice;(b) asking you to leave a review or take a survey;(c) keeping health data to provide you with ongoing or repeated wellbeing services over time||(a) Identity (b) Contact (c) Profile (d) Marketing and communications(e) Wellbeing||Performance of a contract with you Necessary to comply with a legal obligationNecessary for our legitimate interests (to keep our records updated and to study how customers use our products / services)Explicit consent for health data|
|To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||(a) Identity(b) Contact(c) Technical||Necessary for our legitimate interests (for running our business, administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)Necessary to comply with a legal obligation|
|To use data analytics to improve our website, products / services, marketing, customer relationships and experiences||(a) Technical (b) Usage||Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)|
|To make suggestions and recommendations to you about goods or services that may be of interest to you||(a) Identity (b) Contact (c) Technical (d) Usage (e) Profile||Necessary for our legitimate interests (to develop our products / services and grow our business)Consent for marketing to personal contact details (rather than work ones)|
|To send you our weekly email||(a) Identity(b) Contact(c) Profile||Consent: you will need to sign up to our newsletter or tell us you want this.|
We will only send you marketing if you have opted into it. You can unsubscribe at any time. There is an unsubscribe option in every email.
Who we share personal information with
We may have to share your personal information with organisations we use to run and support our business and to provide the services.
- Email service providers such as Mailchimp.
- The hosting partner who stores our customer database.
- Professional advisers including lawyers, bankers, auditors and insurers.
- HM Revenue and Customs, regulators and other authorities.
- Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may acquire other businesses or merge with them. If a change happens to our business, then we will let you know and the new owners can only use your personal information as set out in this privacy notice. They will communicate with you as regards any other proposed use of your information and your choices.
We require all third parties to respect the security of your personal data and to treat it in line with the law. We do not allow our third-party service providers to use your personal information for their own purposes and only allow them to process your personal information for specific purposes and in line with our instructions.
If you take part in a programme through your employer, we may share aggregated information with them.
How long we keep personal information for
We will only keep your personal information for as long as necessary to fulfil the purposes we collected it for, including to provide the services, and for any legal, accounting, or reporting requirements.
By law, for tax purposes, we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they stop being customers.
We generally keep the information relevant to providing the service for as long as we are working with you plus 1 year, in case you come back to us for further services within a year.
In some circumstances we may anonymise your personal information (so that it can no longer be associated with you) for research, evaluation, or statistical purposes, in which case we may keep this information indefinitely.
Some of our service providers are based in other countries. We make sure that we have appropriate arrangements in place, as required under data protection law. Please contact us if you want more information on this.
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to your personal information to only those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal information on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
To make any rights request, please contact email@example.com
Access: you can request a copy of the personal information we hold about you.
Correction: you can correct or update any incomplete or inaccurate information we hold about you.
Deletion: in certain circumstances you can ask us to delete your personal information. This right does not apply to all information in all circumstances and we do not have to delete information where we have a legal obligation or legitimate business purpose to hold it.
Objection: in certain circumstances you can object to us processing your personal information. You can object to us sending you marketing at any time.
Restriction: In certain circumstances you are entitled to ask us to restrict our processing of your personal information. You can ask us to do this if:
- you dispute the accuracy of your personal information;
- our processing is unlawful but you prefer restriction to deletion;
- we no longer need the information but you need it for legal reasons; or
- you have objected to our processing and we are still dealing with this objection.
Portability: In certain circumstances you can request the personal information you have provided us in a structured, commonly used and machine-readable format. Where technically feasible, you can also ask us to transfer it directly to another organisation.
Complain to the regulator: you can complain at any time to the Information Commissioner’s Office (ICO), the UK regulator for data protection law (http://www.ico.org/). The ICO will ask you if you have tried to resolve the issue with us first, so please contact us in the first instance.