Last updated: August 26, 2023
Clinical Partners are hospitals, clinics, practices, researchers, universities or other medical groups or health care systems that have contracted with Big Health to permit use of the System (as defined below) by their respective Health Care Providers and Participants; Health Care Providers are practitioners, patient advocates, coaches or other individuals who (as employees of or contractors to a Clinical Partner) provide health care or related services; Service Partners are service partners that have contracted with Big Health to facilitate the use of the System by their respective Health Care Providers and Participants; and Participants are individuals who use the System. Healthcare Services are the furnishing of medicine, medical or surgical treatment, clinical and therapeutic services, the dispensing of drugs or medical devices or any other clinical services provided for treatment or prevention of disease, medical condition or disorder.
We are registered with the UK Information Commissioner’s Office as a Data Controller (Reg No. Z2141968) and have in place a comprehensive Company data protection policy and code of practice.
The terms “we”, “us”, “our” and “ours” when used in these terms mean Big Health, which includes any parent company, subsidiaries, branches or affiliates under common ownership or control of Big Health. The terms “you”, “your” and “yours” when used in these terms mean any Participant of the System.
Participants must be registered on the Product Candidate and have an active account in order to use the System. We may receive Personal Data about Participants from a Health Care Provider, Clinical, Service, or Channel Partner (defined below) in order to establish an account and for you to be able to register for and use the Service and identify you as an authorized Participant. Big Health may collect Personal Data when Participants are registered through the Website and confirmed within the App.
It is always your choice whether or not to provide us with Personal Data, which we may share with the Health Care Provider, Clinical or Service Partner. Big Health uses Personal Data and information you provide to us through the App and the System:
We may collect the following categories of information that may, alone or in combination with other information, constitute Personal Data:
We collect and use information like your name, email address, and phone number.
We also collect your age, date of birth, and gender.
You may also be presented the opportunity to provide us with information such as race and ethnicity - this data is not required to be provided to use the System.
We use the information that you provide for the following purposes:
Subject to your consent, we may collect the following information about your health (“Health Information”):
We use the Health Information that you provide for the following purposes:
Subject to our contractual provisions with your employer or Service Partner (where applicable, in either case), we may receive the following information about you:
We use the information that your employer or Service Partner provides for the following purposes:
We may collect information about the devices you use to access the System, including (but not limited to) IP address, mobile device UDID and IMEI numbers, operating system, browser type, and screen size.
We may store cookies (small text files managed by your web browser) on your computer in order to improve your experience with the System. Example uses of these cookies include recognizing you when you return to the System, maintaining data you've entered across multiple sessions, and storing information about your personal preferences. We may also supplement the information we collect from you with information we receive from third parties, including third parties that have placed their own cookies on your device(s).
Cookies may be used to market or promote Big Health and the System. Certain cookies will remember that you have visited our Websites and enable us to serve you advertising when you are visiting other sites (“Retargeting Cookies”). We use Retargeting Cookies so that we may serve advertising to you after you have left our Website.
Our software may automatically generate a confirmation when you open an email from us, or click on a link in an email, if your computer supports this type of software. When you receive an email from us, you can opt out of receiving further emails by following the included instructions to unsubscribe. However, by opting out of further email communications after you sign up, you may limit program reminders and other valuable program content and components.
The software used in the System may also collect milestone data (e.g., number of sessions you complete or how many diaries you fill out).
We use the automatically collected information for the following purposes:
We may use Personal Data about you in creating aggregated data sets shared with our Clinical Partners. Once aggregated, the information no longer constitutes Personal Data, and such aggregated data would be used for supporting generalized statements (e.g., "men under the age of 30 have the worst sleeping habits in the UK").
We will process Personal Data only if and to the extent that at least one of the following legal bases of processing applies:
Big Health is required to maintain the confidentiality and integrity of Personal Data, to provide Participants with notice of its legal duties and privacy practices with respect to PHI, and to notify affected individuals following a breach of unsecured PHI. As such, we have policies, procedures, and other safeguards to help protect it from improper use and disclosure.
We follow a Minimum Necessary Access Policy so any required disclosure of Personal Data about you is minimized. The following categories describe the ways in which we disclose Personal Data to persons and entities outside of Big Health. All permitted disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.
Except as explicitly described herein, Big Health does not disclose Personal Data to third parties for any purpose materially different from the purpose(s) for which it was originally collected.
Payment information is stored by third-party vendors who help us deliver the services associated with the System and we are committed to ensuring that all such vendors meet our security and data protection standards. As such, we may use and disclose Personal Data about you to obtain payment for services that we provide to you. For example, we may make disclosures to claim and obtain payment from a Service Provider (e.g., your health insurer, HMO, or other company that arranges or pays the cost of some or all of your use of the System) or to verify that your Service Provider will pay for health care.
We may disclose Personal Data about you in connection with providing services. To the extent you receive access to the System through your employer or your health plan, our services may include supporting, and sharing information with, your employer’s wellness program, your health plan or third-party administrator or other similar programs. Possible information to be shared may include participation data (i.e., the fact that you used Sleepio), milestone data (e.g., number of sessions you complete or how many diaries you fill out) to allow you to earn incentives and rewards (if those are offered as part of your wellness program), as well as data from your initial sleep questionnaire.
In connection with the System, we may use third-party service providers. Examples of third-party service providers include Service Partners, accounting services, server hosting and email delivery providers, business associates, software analytics vendors and other business partners and reputable companies in the industry who subcontract to us or to those of your employer as our corporate customers, where permitted by law. We may disclose Personal Data about you to our third-party service providers so that they can perform System related services. We may collect data from third-party service providers in order to ensure our System is current and as up to date as possible. For example, we may use open web services and APIs to complete and update the information we have about Participants and enrich it, thus allowing us to enhance, optimize and enrich the System. We collect information from the following third-party sources: (i) third parties who license, sell or otherwise provide data they have collected; or (ii) information from publicly available sources, such as via the Internet and social networks, including through public or licensed APIs. To protect Personal Data about you, we require appropriate contracts or written agreements be in place that safeguard Personal Data about you and limit the use of Personal Data for purposes of providing the services and for no other purpose.
Big Health is not responsible for and will not be a party to any transactions between you and a third-party provider of products, information or services. Big Health does not monitor such transactions or ensure the confidentiality of your Personal Data, including credit card information, for any third-party transaction. Any separate charges or obligations you incur in your dealings with these third parties linked to Big Health’s Site are solely your responsibility.
Most of the Sleepio Community isn’t shared publicly and is only visible to other logged-in members. However, there is a subset of ‘General chat’ discussions which may appear in public searches. The profile messages appearing on the Community homepage at any one time may also be visible to non-members. Whilst we’ve taken care to anonymize your username in such cases (as “Sleepio member”), we’re not able to change the content of your comment or message. For this reason, we recommend that you exclude identifying information if you would like to remain anonymous while using the Community. You may want to choose a username that is unique to your Sleepio account and which wouldn’t identify you in any context.
We may use and disclose Personal Data about you when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
We will disclose your information in response to valid legal process, for example, in response to a court order, a subpoena or other legal request for information, and/or to comply with applicable legal and regulatory reporting requirements. We also may disclose your information in response to a law enforcement agency’s request or other request for information from the U.S. or other government entities, or where we believe it is necessary to investigate, prevent, or take action regarding illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, or to verify or enforce compliance with the policies governing our products and/or services and with applicable laws, or as otherwise required or permitted by law or consistent with legal requirements.
We must use and disclose Health Information to anyone who has the legal right to act for you (your personal representative) in order to administer your rights. We may also use or disclose Health Information to a person involved in your care or who helps pay for your care, such as a family member, when you are incapacitated or in an emergency, or when you agree or fail to object when given the opportunity. If you are unavailable or unable to object, we will use our best judgment to decide if the disclosure is in your best interests. Special rules apply regarding when we may disclose Health Information to family members and others involved in a deceased individual's care. We may disclose Health Information to any persons involved, prior to the death, in the care or payment for care of a deceased individual, unless we are aware that doing so would be inconsistent with a preference previously expressed by the deceased.
In the event that we sell or buy any business or assets, we may disclose Personal Data to the prospective seller or buyer of such business or assets. If Big Health or substantially all of its assets are acquired by a third party, Personal Data about you may be one of the transferred assets.
Big Health uses firewalls, and encrypts data at rest and in transit to protect your Personal Data from unauthorized access, disclosure, alteration, or destruction. All Personal Data is transmitted, stored, and processed in a secure environment in accordance with applicable laws, based on your residency, including Privacy and Security Rules under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Data Protection Act, or the General Data Protection Regulation and related guidance. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee its security. We will retain Personal Data for as long as necessary to provide our services, but in no case later than six (6) years following termination of your participation with an App or withdrawal of your consent. We will retain and use Personal Data as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
Personal Data is stored in encrypted form on secure servers located in the US, which are owned and operated by Amazon Web Services (AWS). AWS are industry leaders in the provision of hosting services and take security very seriously - you can find out more about their security policies and processes in their Security Whitepapers, found here:
We have signed European Commission approved Standard Contractual Clauses (also called 'model clauses') with our hosting providers in the US, to ensure that they adequately protect the data of EU/UK data subjects that they store for us. All passwords are stored in encrypted form and all sensitive traffic is transmitted securely via SSL by default. Personal Data about you may be transferred to, and stored at, other destinations inside the US, UK, or European Economic Area ("EEA") by or to staff who work for Big Health or one of our suppliers. Such staff may be engaged in, among other things, the provision of support services. Additionally, data can be transferred between constituent companies (e.g., Big Health Ltd and Big Health Inc.), which may include transfers into and/or out of the EEA.
A Participant has the right to view all Personal Data that Big Health has collected about them. In order to receive this information, please contact the Security, Privacy, and Compliance Officer. The first copy of this information is provided free of charge, and in a portable / common electronic form (e.g., CSV file).
A Participant has the right to ensure that the Personal Data we have stored is accurate. In most cases, the system allows you to directly modify Personal Data about you. However, if there is incorrect Personal Data within our system that you are not able to change, please contact us at email@example.com and we will work directly with you to update the Personal Data.
A Participant of the System has the right to request deletion of all data within the system. To request your data be deleted, please contact the Security, Privacy, and Compliance Officer. In most cases, this request will be completed within 30 days. If circumstances require a delay to this deletion, Big Health will notify you directly explaining the reason for the delay. Note also that in some cases, there may be a legal requirement to hold on to your data. Again, Big Health will notify you directly if this is the case.
A Participant of the System has the right to withdraw their consent relating to our processing of Personal Data at any time by contacting us at firstname.lastname@example.org. Please note that without consent to process Health Information, we will be unable to provide the System to you.
Under certain circumstances, you have the right to object at any time to our processing of your personal information for reasons relating to your particular situation (e.g., direct marketing).
Under certain circumstances, you may have the right to ask us to restrict processing of your personal information and/or sharing of your personal information to third parties.
Under certain circumstances, you may request that your personal information that you provide to us be handled without hindrance in a certain format (structured, commonly used, machine-readable format) and may have the right to transfer it to another company or organization.
Our System is intended to be made available only to individuals who have been specifically identified for onboarding and use of the System as indicated by the App’s indication. If you believe a child who is under the age of 13 has used the Service and entered personal health information, please contact us using one of the options provided herein.
If you are a California resident, California Civil Code Section 1798.83 permits you to request information regarding the disclosure of your personal information, as defined in California Civil Code Section 1798.83(e)(7), by Big Health or its subsidiaries to a third party for the third party’s direct marketing purposes. Upon your request, Big Health will provide (i) the types of personal information Big Health shared with third parties for the third parties’ direct marketing purposes during the immediately preceding calendar year; and (ii) the identities of the companies with which we shared the information. You may make this request once per calendar year.
Your browser may offer you a “Do Not Track” option, which allows you to signal to operators of websites and web applications and services (including behavioral advertising services) that you do not wish such operators to track certain of your online activities, over time and across different websites. We do not honor “Do Not Track” signals. To find out more about “Do Not Track,” you can visit www.allaboutdnt.com.
Big Health commits to resolving complaints about your privacy and our collection or use of your Personal Data. If you believe that any of your rights with respect to your or others’ Personal Data have been violated by us, our employees or agents, or you disagree with any action Big Health has taken with regard to your Personal Data, you may file a complaint with Big Health by emailing us at email@example.com.
If we are subject to HIPAA, you may also file a complaint under HIPAA by contacting the Secretary of the U.S. Department of Health and Human Services, Office of Civil Rights ("OCR"). Under no circumstances will we take any retaliation against you for filing a complaint to the OCR.
Our EU Representative is DataRep, found at https://www.datarep.com . Participants in the European Union can contact our Representative directly with any issues or questions by following these instructions: https://www.sleepio.com/pdf/datarep-eu-representative-contact-information.pdf .
Please also visit the Terms of Service, available here: https://info.sleepio.com/terms, establishing the use, disclaimers, and limitations of liability governing the use of our App and the System.