Privacy Notice

 

Brain in Hand Limited is committed to protecting and respecting your privacy. Please read the following notice carefully so that you understand your rights in relation to this information, including how your information will be collected and processed.

 

Last updated: 20th March 2024

Who are we?

We are a limited company registered in England and Wales with a registered office at Broadwalk House, Southernhay West, Exeter EX1 1TS, contactable at dpo@braininhand.co.uk.

For the purpose of the UK General Data Protection Regulation (‘UK GDPR’), we are the data controller when you use Brain in Hand.

We may update this statement to reflect changes to our business, product, or service where relevant to the information we collect from you and how we use it.

In this notice, where we say ‘you’ or ‘your,’ this means either you or any authorised person acting on your behalf. Where we say ‘we,’ ‘us’ or ‘our,’ this means Brain in Hand Limited. We may also abbreviate Brain in Hand to ‘BiH.’

Brain in Hand Users

The following applies if you are a Brain in Hand User.

If you are just visiting our website, please click here

The types of personal data we use:

  • Personal data, including demographic data, will be provided either directly by you when enquiring about or signing up for our service, or, provided by someone who enquires on your behalf or refers you to BiH. We call this your Identity Information in this document;
  • Data will be created by your statistical interaction with the digital tools and human support, such as when you use BiH and how often; or through evaluation of your progress using BiH. We call this your Activity Information in this document;
  • Data will come from you entering information into the website and mobile application or supporting resources (e.g., diary entries, your personal workbook, personal challenges, and solutions). We call this your Private Information in this document; and/or
  • Data will come from you through communication with BiH on-demand Human Support representatives (e.g. the content of your coaching sessions and communication with the Response Service). We call this your Sensitive Information in this document.

These four are listed below in more detail. 

Identity Information

We may collect and use the following identity information about you via our enquiry, referral or registration forms, or through interactions with BiH representatives: name, email address, mobile number, demographic data, personal description of your needs, circumstances or preferences, postal addresses, emergency contact details, contact details for your nominated supporters, personal responders or support provider, details about your university and/or workplace.

We are the controller of this information, and our use of it is set out below. ('How we use your personal data'.)

Activity Information

This is information we collect from your use of our website and mobile application, such as the frequency at which you use different features or pages of the website or app. During each visit to our website or mobile application, we also automatically collect the following technical information:

  • the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform;
  • Information about your visit, including the full Uniform Resource Locators (URL), clickstream (including date and time), page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, mouse-overs, button presses, swipes, and methods used to browse away from the page); 
  • any phone number used to call BiH; 
  • a record of time spent with your coach.
  • Statistical interaction with the digital tools and human support, such as when you use BiH and how often; or through evaluation of your progress using BiH and your feedback on the service you have received.

We are the data controllers of this information and our use of it is set out below. ('How we use your personal data'.)

Private Information

We collect this when you input it into your account via our website (e.g. events, activities, mood tags, comments, problems, and solutions) or use and share supporting resources (such as your Personal Workbook).

This information is your private information, and we store and keep it safe under the terms of our contract with you. We are the data controller. If we want to use this information we will ask you by way of a formal consent document and you are free to refuse. If you want us to share your information with a 3rd party (e.g., a supporter) then we will ask for your consent to do so.

Sensitive Information

We collect this when we collaborate with you, such as, during:

  • contact with the on-demand Human Support e.g. call recordings or text/email transcripts, and summary notes left on your account;
  • contact with external safeguarding partners if required;
  • contact with a coach, e.g., your session notes, session recordings if made, or other records kept by the coach, such as Risk Assessments;
  • contact with a BiH representative, e.g., emails, text/chat transcripts or call recordings or notes.

We are the data controllers of this information and our use of it is set out below. However, we only use it to communicate and collaborate with you or your funder, or to quality assure or develop our service. If we want to use it for any other purpose, we will ask for your permission as we would for Private Information as stated above. 

How we use your personal data

Brain in Hand will process all personal data lawfully, fairly and in a transparent manner. Brain in Hand processes personal data for the following high-level purposes:

  • Providing you with the Brain in Hand service
  • Managing the relationship with your funder (if applicable)
  • Complying with legal obligations  
  • Communicating with you

Where Identity or Private information can be anonymised and aggregated (e.g. demographics / characteristics / categories) we may process this data to produce statistics and reports in our legitimate interest to evaluate, improve and promote the effectiveness of Brain in Hand.

We may also ask you to tell us more about your story and how Brain in Hand has supported you. In these cases, we will ask for your specific consent and what information you are happy to be shared as part of the case study. 

The specific purposes for processing are outlined below: 

  • in accordance with our contract with you to provide you with our application   
  • in accordance with our contract with your funder, we will use your information to: 
    • provide you with services. This includes delivery of coaching sessions, face to face meetings, video meetings which may be recorded (if you are under 18 years of age or where consent is gained for over 18s) and the delivery of on-demand Human Support; 
  • personalise the content you receive to support you when using the service; 
  • notify you about changes to our service; 
  • provide you with user support; 
  • enforce our terms, conditions and policies; 
  • communicate with you;  
  • report your activity, progress, and use of the services to your funder (this excludes all Information that is Private and Sensitive information unless provided through evaluation feedback); 
  • produce anonymous statistics and reports as to the usage of our digital and human support services. (This means you will not be identified from this information); 
  • improve the website and mobile application and to ensure our content is presented in the most effective manner for you and your device; 
  • administer the website and mobile application for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes; 
  • keep the website and mobile application safe and secure; and 
  • quality assure, evaluate service effectiveness, and improve our service and its delivery to you and your funder. 

Our lawful basis for processing your personal data to deliver the service is as follows:

Purpose: Providing the BiH service 
Article 6 Lawful Basis: Article 6(1)(b)
Article 9 Exemption: Article 9(2)(a) 

Purpose: Complying with legal obligations 
Article 6 Lawful Basis: Article 6(1)(c) 
Article 9 Exemption: Article 9(2)(g) 

Purpose: Managing the relationship with your funder (if applicable) 
Article 6 Lawful Basis: Article 6(1)(f)
Article 9 Exemption: N/A

Purpose: Communicating to you
Article 6 Lawful Basis: Article 6(1)(f)
Article 9 Exemption: N/A

Purpose: Case Studies 
Article 6 Lawful Basis: Article 6(1)(a)
Article 9 Exemption: Article 9(2)(a) 

Contacting You

Essential contact. We will contact you by email, phone call and/or text message to confirm important information that is necessary for fulfilling our contractual obligations to provide the Services to you; you cannot opt out of receiving these. This will include service messaging, responding to support requests, contacting you in relation to the booking and management of Human Support Services.

Marketing contact. We may occasionally reach out by email or text to share useful information that may help or inform you about our product and services. You may opt-out of receiving this communication by clicking ‘unsubscribe’ at any time.

Participation in service evaluation: We may occasionally reach out by email or text to gather feedback on your user experience. You may opt-out of receiving this communication by the method set out in the communication received or by contacting the DPO as outlined below. 

Participation in research. We may occasionally reach out by email or text inviting you to participate in research. You may opt-out of receiving this communication by the method set out in the communication received or by contacting the DPO as outlined below.  

Data retention

Any personal data that we collect from you (whether submitted directly or collected through your use of our system) will be reviewed on a regular basis to ensure that we only continue to store and process it under lawful grounds and for an appropriate period and only for as long as necessary. For more information, please contact us at the contact details within this statement.  

Your rights

You have a number of rights in relation to how Brain in Hand process your personal data. If you wish to exercise any of your rights, please contact dpo@braininhand.co.uk. 

Right of access

You have the right to access information that we hold about you. If you wish to receive a copy of the information that we hold, please contact dpo@braininhand.co.uk or write to us at the address above.

Right to rectification or erasure

You can ask us at any time to change, amend or delete the information that we hold about you or ask us not to contact you with any further marketing information. You can also ask us to restrict the information that we process about you.

You can request that we change, amend, delete your information, or restrict our processing by emailing us at dpo@braininhand.co.uk.

Right to object to automated decision making

You have a right to ask us to stop any automated decision making. We do not intentionally carry out such activities, but if you do have any questions or concerns, we would be happy to discuss them with you and you can contact us at dpo@braininhand.co.uk.

Right to withdraw consent

You have the right to withdraw your consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

Transferring Personal Information

You have the right to request that your personal information is transferred by us to another organisation (this is called 'data portability'). Please contact us at dpo@braininhand.co.uk with the details of what you would like us to do, and we will try our best to comply with your request. It may not be technically feasible, but we will collaborate with you to try and find a solution.

These rights are free to exercise and BiH will provide you with this information free of charge. The ICO does allow organisations like BiH to charge for information in very limited circumstances, for example if requests are “repetitive and excessive.” You can read more about the ICO’s guidance here. 

Sharing Data

We may share your personal information with third parties where required by law, where it is necessary to deliver our services to you or administer the working relationship with you, or where we have another legitimate interest in doing so. Personal Data will only be shared with third parties where it is strictly necessary to do so and in compliance with data protection laws. 

We require third parties to respect the security of your data and to treat it in accordance with the law. We will only share your Identity and Activity Information with:

  • third party service providers and partners with whom we work to deliver our service to you (for example, on demand human support; 
  • where required by our safeguarding policy; 
  • your funding or purchasing organisations, with whom we work to evaluate service delivery and to improve our service and its delivery to you; 
  • your support provider or place of use (delivery setting) where you have disclosed this to us, to improve our service and its delivery to you. 

We may share any type of information (limited to where strictly necessary with the following third parties) 

  • regulators, law enforcement bodies, government agencies, courts or other third parties where we think it is necessary to comply with applicable laws or regulations, or to exercise, establish or defend our legal rights. Where possible and appropriate, we will notify you of this type of disclosure; 
  • web hosting and cloud-based storage systems used to provide our service to you and administer our business activities. 

All our third-party service providers are required to take appropriate security measures to protect your personal information in line with our policies. We also require third parties to respect the security of your data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and in accordance with our instructions. 

Data Export 

We will not transfer Personal Data outside the EEA or to a third country in the absence of an adequacy decision by the European Commission made in accordance with UK GDPR Article 45 or without the appropriate additional contractual clauses or data addendums provided by UK and EU data regulators. 

If you have any questions about where data is stored, please contact us at dpo@braininhand.co.uk. 

Third-party calendar data 

This section of the Brain in Hand privacy statement specifically describes how Brain in Hand Ltd collects and uses the information you have in your third-party calendar accounts (e.g. Google/Outlook calendars) via the optional integration with the Brain in Hand app.  

Data collection 

It is your choice whether to connect your third-party calendar accounts to your account or not via the optional integration within the Brain in Hand app. 

If you choose to connect, we will store some information about your third-party calendar events in your Brain in Hand account so that you can see them in your Brain in Hand app. We will NOT transfer information from your Brain in Hand account to your third-party calendar accounts. If you would like more information about the data we store if connected and if you disconnect your third-party calendars, please see below. 

If you choose to connect it, we will store: 

The calendar details - your calendar ID and the username (email address). 

For each third-party calendar (e.g. Google/Outlook calendars) external event: 

  • ID number 
  • A URL for the source (only accessible to the user in a browser where the account is signed in) 
  • Source account ID (the same as calendar ID above) 
  • Event name/title 

For each third-party calendar (e.g. Google/Outlook calendar) external event to which you have added Brain in Hand Problems, Solutions or Reminders, we will also store: 

  • Start and end date and time 
  • Sequence ID and start/end dates (for recurring events) 
  • Time zone of the event 
  • Event description if there is one 
  • Event location if there is one 
  • Brain in Hand activity ID 
  • Colour assigned to the event 

We will NOT store: 

  • Any other information about your third-party calendar events 
  • Information about your contacts 

You can choose to disconnect your third-party calendar (e.g. Google/Outlook calendar) from your Brain in Hand account at any time through your Brain in Hand mobile app. 

Data use 

If you choose to connect your third-party calendar (e.g. Google/Outlook calendar) account to your Brain in Hand account, we will use this data to: 

  • show basic information about your third-party calendar events – name, date, time and location 
  • allow you to add BiH Activities, Problems, Solutions and/or Reminders, to third-party calendar events 
  • review Solutions (and the third-party calendar event associated with the Solution press) on your Brain in Hand Timeline. 

Disconnecting your third-party calendar (e.g. Google/Outlook calendar) account from your Brain in Hand account: 

  • for third-party calendar events which you HAVE NOT pressed a Solution for, or added a Reminder for, all information about that event will be deleted from your Brain in Hand account 
  • for third-party calendar events which you HAVE interacted with (e.g. by marking as Done, or pressing a Solution for, or adding a Reminder for) all information about that event will be deleted from your Brain in Hand Diary, but the third-party calendar event name will still be displayed on the relevant Timeline event to help your later reflection activities. 

Limited use disclosure for Google calendars 

Brain in Hand’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. 

Complaints

If you wish to make a complaint about how we process your personal data, please contact us in the first instance at dpo@braininhand.co.uk and we will endeavour to deal with your request as soon as possible. This is without prejudice to your right to launch a claim with the Information Commissioner’s Office, who can be contacted at casework@ico.org.uk. 

Contact

If you have any questions or comments about how we use your information, please email us at dpo@braininhand.co.uk. You can also write to Brain in Hand Ltd, Broadwalk House, Southernhay West, Exeter, EX1 1TS.

Website Users 

If you are a visitor to our website, we process only the following personal data: 

  • Strictly necessary cookies to ensure the site can function and is secure. This will not include your name or any directly identifying data. 
  • Cookie data (where you consent): if you consent to the placement of cookies for purposes outside those which are functional. 
  • Personal data provided to us directly via a form. Please see our privacy notice for users for how we use this personal data to contact you.