Privacy Notice – Wellbeing Way – Mobile App
This is the privacy notice for the Wellbeing Way mobile app. If you are after general information on the app, please visit our ‘frequently asked questions’.
Who we are and how to contact us
This privacy notice is issued on behalf of Pulse Healthcare Limited who are also known as “Xyla Health & Wellbeing” (referred to as “H&W” in this privacy notice).
H&W will be your point of contact for any questions relating to the use of your personal data in the Wellbeing Way App (referred to in this privacy notice as “the App”). The App is provided as part of NHS or CCG commissioned services such as the Rewind Diabetes Programme which is commissioned by North West London NHS trust, The Low Calorie Diet Programme commissioned by NHS England and the National Diabetes Programme commissioned by NHS England, Newham Livewell Newham service commissioned by London Borough of Newham, NHS Digital Weight Management Innovation programme (Wellbeing Way Programme) commissioned by NHS England.
In all our programmes the App is a key part of the intervention. The App allows you to have full access to the services and education we are providing under the Health Education Programme. The App is designed to support your activity on the Programme, however, this is not mandatory to your participation in the Programme.
If you have any questions about this privacy notice or the personal data we use about you in connection with the relevant Health Education Programme:
- email: firstname.lastname@example.org; or
- writing: Data Protection Officer, Acacium Group, 9 Appold Street, London, EC2A 2AP
This privacy notice details what personal data is collected in the App, how this is used, stored and safeguarded. Please read this privacy notice carefully, if you have any concerns regarding this privacy notice please do not download the App.
We reserve the right to change this privacy notice and will alert you about any changes by updating the last updated date of this privacy notice. You are encouraged to review this privacy notice periodically in order to stay informed of any updates. This privacy notice does not apply to the third party online/mobile app store from which this application was installed.
We use some terms in this privacy notice which we have explained in a bit more detail below. If you need any help understanding these terms just let us know.
- “H&W coach(es) or Practitioner(s)” – these are our team members who will help support you with the your Health Education Programme
- “personal data” – this is any information that can identify you as an individual, for example, this could be as simple as your name or it can also be your username or your service user number.
What is the lawful basis for using your personal data?
We are required to tell you why we need to use your personal data under data protection laws and why this is permitted. We will only use your personal data when data protection law allows us to.
We will use your personal data for purposes below. Under data protection laws, these are called the “lawful basis” for processing.
Details of the lawful basis we rely on to process your personal data is set out in the table in section 3 below.
We will only use your personal data for the purposes for which we collected it, unless we consider that we need to use it for another reason and that reason is compatible with the original purpose set out in this privacy notice.
What personal data does the App collect?
Most of the personal data we collect in the App is provided by you. The App requires you to create an account once it has been downloaded. In order to do this you will need download the Wellbeing way app, then go to your email and click the unique link you have been sent. This will then open the app and prompt you to create a username and password. If you choose to participate in the community section of the App with others on the Health Education Programme, your username will be visible to other members on the Health Education Programme. With your consent your app can link with other apps on your phone such as native heath apps, steps and exercise tracking apps; by consenting to this the relevant data you enter into these apps can be added into your app where we will keep a central record of this.
Personal data, other than your username, should not be shared in the community section of the App.
The personal data used by the App is set out below.
|Personal data collected||Why this is collected and used in the App||Lawful basis|
|First and last name||This is used in email communications to contact you to send the activation link and for password resets. This is also used to identify you as a user.||The performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller|
|Username||This is used to log in to the App and is your name which is displayed on the community page and on your profile page.||The performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller|
|Email address||This is used to send all communications, including password resets and other communications relating to the operation of the App. This is not used for any marketing communications or purposes. It is also used to create an account on downloading the App.||The performance of a public task carried out in the public interest or in the exercise of official authority vested in the controller|
|Password||This is used to securely log in to the App.|
|Data of birth||This is used to uniquely identify you as an individual user in the coach/admin portal.|
|Service user number||This is displayed on your profile page and is used in the coach/admin app as an identifier.|
|Photo||This is used on in the community section of the App and on your profile page.|
|Comments and opinions||This is provided by the user in the community section of the App. This is used to help the user engage with the community.|
|Confirmation of completion rates for the e-learning packages||We collect completion rates and the status of your e-learning, for example, if the e-learning has been started or not started. This is used to help manage the progress of your e-learning within the App and to help your H&W coach to assist you with the Rewind Diabetes Programme.|
|Tracking and monitoring data from your native apps, health and activity tracking apps||Upon consent, we will pull data into your app and our central records from your native health apps, activity and monitoring apps. This is to allow you to centrally monitor your activity from various apps within your wellbeing way app.||Legitimate Interests|
|Lifestyle measures such as wellbeing, physical activity levels, general health, nutrition||To monitor results for lifestyle measures and improve our services in the future. |
To enable us to provide a service that meets individual’s needs and to address any concerns and improve our service.
|Health measurements, such as height, weight, waist circumference||To allow you to monitor your progress throughout the programme|
Other sources of personal data processed by the App
Most of the personal data processed in the App will be provided by you directly. However, as the App is linked to the Health Education Programme, we may be provided with personal data from your GP or the NHS as part of the Health Care Programme. This is needed to ensure that we have the correct medical and other information so that we may support your participation in the Health Education Programme.
With your consent, this programme can include access to the EXi app. By choosing to access Exi as part of this programme the data relating to activity minutes, heart rate and blood pressure entered into your EXi app can be pulled into your Wellbeing Way app where we will keep a central record of your data. Wellbeing Way app will share your email address and name with Exi if you choose to link Exi to Wellbeing Way.
Community & Coach Chat Retention
By registering on the App means that you accept Xyla Health & Wellbeing’s community rules, and we reserve the right to edit posts and/or, take other action in accordance with the purpose and principles of the Community Forum and Coach Chat. We have outlined a set of Community Guidelines to keep you and your data safe.
The retention period for community posts is 12 months. After which your post will be automatically deleted. Posts are removed or archived before 12 months if;
- A post violates our Community Guidelines.
- There has been no interaction on a post in 6 months.
- There has been no replies in a post in 6 months.
We send communication to you about your programme and reminders to complete essential tasks – with your consent. You can control your consent for communication through the App.
To do this on the App take the following steps:
- Go to “More” – Tap on “Account Settings” – “Communication Preferences” – from here you can tap the slider towards “yes” or “no” for each communication channel.
Changes to your preferences may take up to an hour.
Third-Party SMS platform
With your consent, your data may be processed with an approved third-party system as part of your programme. Your data is retained for up to 1 week, except for data related to your SMS communication preferences, which is retained for up to 12 weeks. The data set that is processed is:
- Your name
- Mobile Number / Telephone Number
- Date of last data entry
- Weight data
- Service User ID
Your data is used to send and retrieve information via SMS. Your consent to process weight data is received when you reply “Yes” to the Mobile number ending in “3312”.
If you choose to withdraw consent by replying “No” to the SMS, your preference will be recorded and retained for 12 weeks to ensure that you do not receive further SMS messages within this period.
Alternatively, if you would like to withdraw from the SMS communications entirely, log on to the App and take the following steps:
- Go to “More” – Tap on “Account Settings” – “Communication Preferences” – from here you can tap the slider towards “yes” or “no” for each communication channel.”
We conduct user research as part of our continuous improvement. Where consent has been given on the App to be contacted for User Research purposes; you’ll be sent an invitation to take part. If you wish to opt-in or opt-out of user research this can be updated from the App.
To do this on the App take the following steps:
- Go to “More” – Tap on “Account Settings” – Scroll down to “Help us improve” – Tap on the checkbox to tick for opt-in or untick for opt-out.
Changes to your preferences may take up to an hour.
Consent can be given in writing to email@example.com.
We will request to send you push notifications regarding your account (such as reminders to log your weight). If you wish to opt-out from receiving these types of communications, you may turn these off in your device settings or in the App.
To do this on an Apple device take the following steps:
- Go to Settings – Tap on “Notifications” – Choose the Wellbeing Way App – from here you can choose which notifications are set up for the App.
To do this on an android device take the following steps:
- Go to settings – Tap on “Notifications” – scroll down to ‘recently sent’ and tap ‘see all’ – choose the Wellbeing way App – from here you can choose which notifications are set up for the App
To do this in the App take the following steps:
- Go to “More” – Tap on “Account Settings” – scroll down to Push Notifications – from here you can tap the slider towards “yes” or “no” for each communication channel.
By choosing to delete your account in the App, you will be removed from the Wellbeing Way App and will not be able to login after 30 days from the request. You will no longer have access to linked accounts created with our third-party partners.
If you are registered on our Digital only programme(s) you will be removed from the programme within 30 days.
- Digital Adult Weight Management
- REWIND Digital
- LCD Digital
If you wish to be removed from the following programme, please contact us:
- LCD Non-Digital
- NHS Diabetes Prevention Programme (NDPP)
- Xyla Reset
You will receive an email confirming your request for account deletion. You will receive a second email after 30 days confirming your account deletion.
During the 30 days you may receive communication from us, if your communication and marketing preferences are opted in.
If your account deletion was done by mistake, please contact us within 30 days to cancel the delete request.
To do this in the App:
- Go to “More” – Tap on “Account Settings” – scroll down to Account Deletion – click “Delete Account”
- A pop-up titled “Are you sure?” will appear on the screen. Tap on “Delete Account”
Your account will be deleted after 30 days. The date will appear on the “Account Settings” page.
Who we share your personal data with
The personal data and the information that you input into the App will be shared with the commissioning body for example NHS England, as they fund the Health Education Programme. We will also share this information with your GP as and when required for the purposes of providing the Health Education Programme.
Any discussions that takes place in the community section of the App will not be transferred outside of the App and will not be placed on your Programme file.
|Type of Cookie||Definition||How we use that Cookie|
|Session Cookies||A Cookie that will only be stored on a device’s memory during the current session. It will store your user preferences in the App only. ||These Cookies will allow a more streamlined use of our App. |
|Site Analytical Cookies||A Cookie that will allow an anonymised analysis of how visitors navigate and use the App||We use Google Analytics to receive anonymised reports on how long visitors stay on our App and how they use it. This information allows us to improve user experience and make sure the content is relevant and interesting. |
How do we safeguard your personal data?
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, altered, disclosed, used or accessed in an unauthorized way.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
All data held on your device is encrypted at rest. So, in the event that your device is lost, no data can be recovered.
All data that is transmitted from your device to our API server is via HTTPS protocol with encryption and is therefore secure.
Data at rest in our database, is also encrypted and there is no access to the database from the outside world, only our application server, held on Microsoft Azure platforms in the UK, can access this.
More details of the physical security of the data servers can be found here https://docs.microsoft.com/en-us/azure/security/fundamentals/physical-security.
In addition, we limit access to your personal data to only those who have a business need to know and they will only process your personal data on our instructions, and they are subject to a duty of confidentiality.
If you delete the App all of the data stored locally within the App will also be deleted.
Your data protection rights
Under data protection law, you have rights including:
- Your right of access – You have the right to ask us for copies of your personal data.
- Your right to rectification – You have the right to ask us to rectify personal data you think is inaccurate. You also have the right to ask us to complete personal data you think is incomplete.
- Your right to erasure – You have the right to ask us to erase your personal data in certain circumstances.
- Your right to restriction of processing – You have the right to ask us to restrict the processing of your personal data in certain circumstances.
- Your right to object to processing – You have the the right to object to the processing of your personal data in certain circumstances.
- Your right to data portability – You have the right to ask that we transfer the personal data you gave us to another organisation, or to you, in certain circumstances.
If you would like to exercise any of these rights, please email firstname.lastname@example.org.
In most cases we will deal with your request as soon as possible and at the latest within one calendar month of the request. If we need to extend the time period for responding to your request, we will let you know within the one-month period. We do not charge a fee for any such requests, unless there are exceptional circumstances.
How to make a complaint
If you have any concerns about the personal data we use about you, you have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection issues, by contacting them at www.ico.org.uk. We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please feel free to contact us in the first instance.