Privacy Notice

OUR PRIVACY NOTICE

This Privacy Notice describes how we collect, use, and disclose Personal Data when you interact with us, whether through our website, services or other interactions. Please refer to our key terminology section located at the bottom of this Privacy Notice for explanations of any capitalised words. 

1. Who are we? 

We run our business out of Constellation Wellbeing Ltd which is incorporated in England & Wales and has the registration number of 12994401 and the registered address of 7 Vine Court Road, Sevenoaks, England, TN13 3UU.

We have registered with the Information Commissioner’s Office (“ICO”) which is the data protection supervisory authority in England & Wales. Our registration reference with the ICO is ZB686549 

2. What is our status under Data Protection Laws?  

Data Protection Laws have created the concepts of a Data Controller and a Data Processor. Our status is that of a Data Controller. As a Data Controller, we ensure to safeguard your privacy and rights and are also accountable in ensuring compliance with Data Protection Laws. 

3. What is our approach to data protection compliance? 

We comply with Data Protection Laws not only because of our legal obligations but importantly because we believe that it is essential for us to develop and maintain the trust of the categories of Data Subjects that we interact with in the course of our business. 

As we believe that protecting the confidentiality and integrity of Personal Data is a critical responsibility that we must always take seriously, we have built a data protection compliance program. Our data protection compliance program includes a data register / record of processing of activities, notices, policies procedures and technical security controls. 

In the launch and development of our business, we have integrated privacy considerations into the design and development of our services and systems from the outset. We implement privacy-enhanced technologies, conduct data protection impact assessments, apply privacy-preserving measures and embed privacy into our organisation’s culture and practices.

4. What principles under Data Protection Law do we follow? 

We adhere to all of principles under Data Protection Laws including those outlined below.  

• We only Process Personal Data lawfully, fairly and in a transparent manner. 
• We only collect Personal Data which is adequate, relevant and limited to what is necessary in relation to the purposes for which it is Processed. 
• We ensure that Personal Data that we collect and maintain is accurate and kept up to date.
• We ensure that Personal Data is not kept in a form which permits identification of individuals for longer than is necessary. 
• We ensure that Personal Data is processed in a manner that ensures its security, using appropriate technical and organisational measures, to protect it against unauthorised Processing and against accidental loss, destruction or damage. 

5. Have we appointed a data protection officer? 

We have conducted an assessment of our organisation under Data Protection Laws and have determined that we are not required, at this stage, to appoint a data protection officer. This is because we do not conduct regular and systemic monitoring of Data Subjects on a large scale and neither do we conduct large-scale Processing of Special Category Data. We will review our determination on a regular basis and will appoint a data protection officer if necessary. 

Please note that while we do not have a data protection officer, we do have legal & compliance team, along with our management team, that is committed to protecting the privacy and security of your Personal Data.  

6. What types of Personal Data do we collect?

We collect, use, store and transfer different kinds of Personal Data depending on our relationship with you. 

Examples of the Personal Data which we collect on Data Subjects (based on our relationship with you and the necessity of collecting such Personal Data) is outlined below. 

• Identity Data (e.g., first name, maiden name, last name, title, date of birth).
• Contact Data (e.g., phone number, email address, home address, business address and billing address).
• Profile Data (e.g., information about your professional background/organisation, agreements you’ve made with us).
• Special Category Data (e.g., details concerning your racial or ethnic origin, sexual orientation, and mental and physical health including the details of your doctor/general practitioner).
• Criminal Convictions Data (e.g., information on whether you have a criminal conviction or a caution).
• Transaction Data (e.g., invoices and payment details).
• Financial Data (e.g., bank account details and value-added tax numbers).
• Technical & Usage Data (e.g., internet protocol addresses, browser type and version, time zone settings, location and information about your interactions with our website).
• Communications & Marketing Data (e.g., your preferences regarding cookies and marketing).

We are committed to protecting the privacy and security of your Personal Data (and especially that which is classified as Special Category Data and Criminal Convictions Data due to its sensitivity). 

7. Do we aggregate any of your Personal Data? 

We do aggregate data such as statistical or demographic data for other purposes including research and analysis. Aggregated data could be derived from your Personal Data but is not considered Personal Data under Data Protection Laws as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Technical & Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your Personal Data so that it can directly or indirectly identify you, then we treat the combined data as Personal Data which will be used in accordance with this Privacy Notice. 

8. What are the categories of Data Subjects that we interact with?  

We interact with the following categories of Data Subjects in the course of our business: 

• Prospective and existing website users. 
• Prospective employees. *
• Prospective and existing coaches and other suppliers. 
• Prospective and existing clients. 

*Please note that we have an internal privacy notice for existing employees. 

9. Are you a prospective or existing website user that is interested to find out more about us?  

What do we gather? We gather Technical & Usage Data (for tracking purposes), along with Identity Data, Contact Data, and Communications & Marketing Data (if you choose to contact us).

How do we gather this? When you interact with our website, this data about you is automatically collected through cookies and similar technologies (see Cookies Notice). Additionally, we obtain this data through direct interactions, such as when you reach out to us via our website.

What legal grounds do we have for Processing? One or more of the following:

• Consent (i.e., you willingly provide us with your details for contact purposes).
• Legitimate Interests (i.e., it’s necessary for our legitimate interests in managing and enhancing our business, including our marketing strategy).
• Legal obligation (i.e., it’s necessary for us to comply with a legal obligation, such as honouring your request to cease direct marketing communications).

Please note that where we rely on Consent as the legal grounds for Processing your Personal Data, we do not rely on any other legal grounds in that situation. 

10. Are you a prospective employee that wants to join us?   

What information do we gather? We collect Technical & Usage Data (for tracking purposes), Identity Data, Contact Data, and Profile Data (when you submit an application to join us). Additionally, we may collect certain Special Category Data about you, such as health information if required to implement reasonable adjustments for your interview. We may also collect Criminal Convictions Data about you, such primarily through a Disclosure & Barring Service background screening check. We only collect this type of Personal Data when legally permitted to do so (i.e., with your Consent).

How do we gather this information? Your interaction with our website results in the automatic collection of this data through cookies and similar technologies (see Cookies Notice). We also acquire this information through direct interactions with you and third-party sources (e.g., background check providers including uCheck).

What legal grounds do we have for Processing? One or more of the following may apply:

• Consent (i.e., you choose to provide us with your details so we can contact you regarding a vacancy).
• Contract (i.e., this information is necessary for potentially entering into a contract with you).

Please note that where we rely on Consent as the legal grounds for Processing your Personal Data, we do not rely on any other legal grounds in that situation. 

11. Are you a prospective or existing coach or other third party that wants to join or work with us?

What information do we gather? We collect Technical & Usage Data (for tracking purposes), Identity Data, Contact Data, and Profile Data (when engaging your services). Where you are a coach, we may collect certain Special Category Data about you, such as health information if required to implement reasonable adjustments for your interview to join our array of esteemed coaches. We may also collect Criminal Convictions Data about you, such primarily through a Disclosure & Barring Service background screening check. We only collect this type of Personal Data when legally permitted to do so (i.e., with your Consent).

How do we gather this information? Your interaction with our website leads to the automatic collection of this data through cookies and similar technologies (see Cookies Notice). Additionally, we gather this data through direct interactions with you (e.g., holding Personal Data on your staff who have engaged with us).

What legal grounds do we have for Processing? One or more of the following may apply:

• Consent (i.e., you choose to provide us with your details so we can contact you regarding an opportunity to be a coach).
• Contract (i.e., this information is necessary to enter into or fulfil a contract with you).
• Legitimate Interests (i.e., it’s necessary for our legitimate interests in maintaining records to develop our business strategy).
• Legal obligation (i.e., it’s necessary for us to comply with legal obligations, such as those related to financial, tax, and legal affairs).

Please note that where we rely on Consent as the legal grounds for Processing your Personal Data, we do not rely on any other legal grounds in that situation. 

12. Are you a prospective or existing client?    

What information do we gather? We collect Technical & Usage Data (for tracking purposes), as well as Identity Data, Contact Data, Financial Data, Transaction Data, Profile Data, Special Category Data, and Communications & Marketing Data (when entering into a contract with us for the delivery of our services).

How do we gather this information? Your interaction with our website results in the automatic collection of this data through cookies and similar technologies (see Cookies Notice). Additionally, we gather this data through direct interactions with you and third parties (including clinical providers authorised by you to share your personal data with us).

What legal grounds do we have for Processing? One or more of the following may apply:

• Consent (i.e., you agree for us to share your details with our clinical providers to assess whether you would be suitable for coaching).
• Contract (i.e., this information is necessary to enter into or fulfil a contract with you).
• Legitimate Interests (i.e., it’s necessary for our legitimate interests in recovering payments due).
• Legal obligation (i.e., it’s necessary for us to comply with legal obligations, such as those related to financial, tax, and legal affairs).

Please note that where we rely on Consent as the legal grounds for Processing your Personal Data, we do not rely on any other legal grounds in that situation. 

13. How do we ensure that your Personal Data is protected? 

We’ve implemented suitable technical and organisational security measures, including encryption, to safeguard your Personal Data against accidental loss, falsification, unauthorised access, alteration, or disclosure. Additionally, we restrict access to your Personal Data to authorised personnel, including employees, contractors, and relevant third parties, who require access for business purposes. Furthermore, we have established policies, plans, and procedures to address any suspected or actual breaches of personal data, although we aim to avoid such situations altogether.

14. Who do we share your personal data with?

We will only share your Personal Data when necessary and have outlined the categories of third parties with whom we share your Personal Data with below.  

• Technology companies that provide us with support and software products (such as Semble and Figma) – for us to conduct our business operations. 
• Coaches that deliver the behavioural coaching services through our infrastructure (including our website and Semble) – in order for us to provide our clients with services.
• Professional advisers such as law firms, banks, payment providers and accountancy firms (such as Aria Grace Law CICI and Revolut Ltd) – which we engage with for the purposes of our business and may need to provide data. 
• Regulators and other governmental authorities (e.g., Companies House and HMRC, Home Office) – which we need to engage with for the purposes of our business and may need to provide data.
• Third parties to whom we may in the future be in contact with to sell, transfer or merge parts of our business or assets, or to attempt to acquire or merge with other companies.

15. Do we use artificial intelligence? 

We leverage artificial intelligence (such as Fireflies.AI) to enhance and refine features in order to deliver services and elevate service quality. Our data Processing involves a combination of automated and manual methods. Automated Processing is primarily geared towards enhancing efficiency in handling manual, repetitive tasks (such as manual notetaking). These enhancements are aimed at ultimately enhancing the services and experiences for both clients and coaches. To uphold fairness, accuracy, and the privacy of our clients and coaches, we conduct thorough assessments and reviews of all artificial intelligence models utilised and ensure to obtain Consent before any models are deployed. 

16. What do we require of our third parties?

We require all third parties to respect the security of your Personal Data and to treat it in accordance with Data Protection Laws. We enter into contractual agreements with all of our third parties (with the exception of regulators and governmental authorities) which include the appropriate data protection clauses. We ensure that all third parties (with the exception of regulators and governmental authorities) put in place appropriate security measures to ensure that the Personal Data that is shared is protected from unauthorised access or misuse. 

17. How do we protect Personal Data when it is being transferred across borders? 

We ensure that Personal Data is transferred safely and securely at all times. Whenever your Personal Data travels outside of the UK and/or the EEA, we ensure that it’s protected by putting in one of the following safeguards:  

• We will only transfer your Personal Data where we have entered into specific contracts with an organisation outside of the UK and/or the EEA which states that they will ensure that your Personal Data has the same level of protection as if it were in the UK and/or the EEA.
• We will only transfer your Personal Data to countries that have been deemed to provide an adequate level of protection for Personal Data as endorsed by the ICO and identified and determined by the European Commission.

18. How long do we keep your Personal Data for?

We will retain your Personal Data only for as long as necessary to fulfil the purposes for which it was collected, including meeting any legal, regulatory, tax, accounting, or reporting obligations. 

In determining the appropriate retention period for Personal Data, we take into account factors such as the amount, nature, and sensitivity of the Personal Data, the potential risks associated with unauthorised use or disclosure, the purposes for which the data is Processed, the feasibility of achieving those purposes through alternative means, and relevant legal, regulatory, tax, accounting, or other requirements.

In certain circumstances, we may retain Personal Data for a longer period, such as in the case of a complaint or if there is a reasonable belief of potential litigation related to our relationship with you (although we aim to avoid such situations whenever possible).

Please note that in some cases, we may anonymise your Personal Data for research or statistical purposes, making it impossible to associate with you, and may use this information without further notice.

19. What rights do you have in respect of your Personal Data?

In certain situations, you have specific entitlements concerning the Personal Data that we handle about you. These rights are outlined below. 

• The right to access information and obtain copies of the Personal Data we hold related to you.
• The right to rectify any inaccuracies or incompleteness in your Personal Data.
• The right to request the deletion of your Personal Data, although this is applicable only under certain circumstances. For instance, when the data is no longer necessary for its original purpose or Processing. However, complete deletion may not always be feasible, particularly if there’s an ongoing contractual relationship.
• The right to restrict Processing under particular conditions. For example, during a review of data accuracy or when assessing the validity of a deletion request.
• The right to object to Processing, particularly in instances where Processing is based on our Legitimate Interests or for direct marketing (including profiling).
• The right to data portability, enabling you to receive, transfer, or copy your Personal Data to another Data Controller. This right applies when we process your Personal Data based on Consent or a contract, and the Processing is automated. 

If you’re dissatisfied with our approach or have concerns about our data privacy practices, you have the right to lodge a complaint with the ICO via www.ico.org.uk. We strive to adhere to evolving Data Protection Laws and maintain best practices. Nevertheless, if you feel unsatisfied with how we handle your Personal Data or wish to discuss our processes, we encourage you to contact us initially to address your concerns.

20. How can you exercise your rights under Data Protection Law?

If you wish to exercise any of the rights set out above, please contact us on: info@synapsehealth.co.uk 

No fee is required for accessing your Personal Data or exercising any other rights. However, if your request is deemed clearly unfounded, repetitive, or excessive, we reserve the right to charge a reasonable fee or refuse to comply.

For security purposes and to safeguard your interests, we may need to verify your identity by requesting specific information. Additionally, we might contact you for further details to expedite our response.

We endeavour to address all legitimate requests within one month. However, if your request is intricate or multiple, it may take longer. In such cases, we’ll keep you informed of any delays.

21. What other links and features are on our website?

Our website may contain links to third-party websites and applications. Clicking on these links or enabling such connections may enable third parties to gather or share Personal Data about you. We do not oversee these third-party websites and are not accountable for their privacy statements and notices. As you navigate away from our website, we recommend reviewing the privacy documentation of the website you visit.

22. How do we use your Personal Data in our marketing practices?

We aim to offer you choices regarding the use of certain Personal Data, particularly concerning marketing and advertising. By utilising your Identity Data, Contact Data, Technical & Usage Data and Profile Data, we form an understanding of what you might desire or find interesting.

You will receive marketing communications from us if you have requested information from us or purchased services from us, and you have not opted out of receiving such marketing. Before sharing your Personal Data with any third party for marketing purposes, we will obtain your explicit opt-in Consent. You can request us or third parties to cease sending you marketing messages at any time by contacting us and withdrawing your Consent. However, opting out of these marketing messages will not affect messages necessary to fulfil a contract we have with you (e.g., contacting you to fulfil contractual obligations).

23. How did we make our Privacy Notice easier to understand?  

Recognising the complexity of legal terminology, and aiming for maximum clarity in our Privacy Notice, we’ve included a concise glossary below. This glossary clarifies essential data protection terms, including those indicated by capitalizing the first letter in specific words throughout this Privacy Notice.

• Consent refers to when an individual gives agreement which is freely given, specific, informed and is an unambiguous indication of their wishes. It is done by a statement or by a clear positive action in respect of the Processing of any Personal Data relating to them.
• Criminal Convictions Data refers to Personal Data relating to criminal convictions and offences and includes Personal Data relating to criminal allegations and proceedings.
• Data Controller refers to an organisation that determines when, why and how to Process Personal Data. It is responsible for establishing policies and procedures in line with Data Protection Laws. 
• Data Processor refers to an organisation that Processes Personal Data on behalf of a Data Controller. It is responsible for establishing policies and procedures in line with Data Protection Laws and also its contractual obligations with Data Controllers. 
• Data Protection Laws refers to the UK GDPR, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and any other applicable European Union legislation (such as the General Data Protection Regulation 2016/679) relating to personal data. The “UK GDPR” is the retained version of the General Data Protection Regulation 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419). It sits alongside the Data Protection Act 2018.
• Data Subjects refers to a living, identified or identifiable individuals about whom we hold Personal Data. Data Subjects may be nationals or residents of any country and may have legal rights regarding their Personal Data.
• European Economic Area (“EEA”) refers to the 27 countries in the European Union, Iceland, Liechtenstein and Norway.
• Legitimate Interest refers to when an organisation’s interests are legitimate (as they need to do something to operate) and these interests do not override an individual’s interests or fundamental rights and freedoms.
• Personal Data refers to any information identifying an individual or information relating to an individual that an organisation can identify (directly or indirectly) from that data alone or in combination with other identifiers that it Processes. Personal Data includes Special Category Data, Criminal Convictions Data and pseudonymised Personal Data. Further examples of Personal Data are included in section 5 of this Privacy Notice. Personal Data excludes anonymous data or data that has had the identity of an individual permanently removed.
• Process or Processing refers to any activity that involves the use of Personal Data. It includes obtaining, recording or holding the data, or carrying out any operation or set of operations on the data including organising, amending, retrieving, using, disclosing, erasing or destroying it. Processing also includes transmitting or transferring Personal Data to third parties.
• Special Category Data refers to information revealing racial or ethnic origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health conditions, sexual life, sexual orientation, biometric or genetic data of an individual.

24. Want to get in touch with us?

We truly prioritise the importance of following legal and compliance standards, and we believe that our dedication to data privacy, as outlined in this Privacy Notice, demonstrates this commitment. If you wish to learn more about our approach to data privacy, please don’t hesitate to contact our legal & compliance team on info@synapsehealth.co.uk.  We welcome the chance to provide you with additional insights into our practices.

Last Updated: 1 May 2024