Privacy Policy

Last updated: 25 September 2024

Neu Health

Neuhealth Digital Ltd is registered as a limited company in the United Kingdom (no.14492037) and our registered address is 10 Fitzroy Square, London, W1T 5HP (referred to as “Neuhealth”, “we”, “us” or “our” in this notice).

We have appointed a Data Protection Officer who is responsible for overseeing questions relating to this notice as well as our general data protection practices. To contact them, please use privacy@neu.health

If you have any questions about this Privacy Policy, general data protection inquiries or any complaints, you can contact us:

  • Using the details above (including ‘data protection’ in the email subject line); or

  • By visiting the contact us page on our website, selecting ‘data protection’ as the subject, and submitting a form: Contact us 

Key Definitions

An overview of key terms used to describe personal data and how it can be used. 

What is Personal Data?

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data). 

What is Data Processing?

In relation to personal data, processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure or destruction.

Further Information

The Information Commissioner’s Office (ICO) is the UK Data Protection Regulator. For further detail on definitions relating to personal data, used throughout this policy, please visit the ICO website.

Neu Health’s Interactions with Personal Data 

Neu Health may handle your personal information as a data controller or a data processor. This privacy notice tells you what to expect us to do with your personal information when you make contact with us, use our website or platform or register for and use our services through the Neu Platform application(s). 

In circumstances where we are the data controller, we determine what data is collected, how this data is going to be used and how this data is protected. We are registered as a data controller with the Information Commissioner's Office (ICO) with registration no.ZB541090. 

We also act on behalf of other organisations as a data processor under contract. Where this is the case we do not determine what personal data is collected or how it is going to be used. The organisation we work on behalf of will make these decisions as the data controller for your personal information and you should refer to their privacy notice for these details.  This will typically involve health care sector organisations who have contracted with us for services provided through our platform.

Below we describe the different scenarios where we collect and/or handle personal information, along with controls in place to ensure this is done securely. For a detailed breakdown, please see the end of this policy.

Website Visitor 

We use Squarespace analytics to collect standard internet log information and details of visitor behaviour patterns. We do this to understand things such as the number of visitors to the different areas of the website. This information is only processed in a way which does not identify anyone. We do not make, and do not allow Squarespace to make, any attempt to find out the identities of those visiting our website. Details of Squarespace’s privacy policy can be found here: https://www.squarespace.com/privacy

If we do want to collect personally identifiable information through our website, we will make this clear at the point personal information is collected and will explain what we intend to do with it.

Use of cookies

Like many other websites and services, we use cookies. ‘Cookies’ are small pieces of information sent by a website/service to your device and stored to enable that website to recognise you when you visit in the future. They can also be used to collect statistical data about your browsing activity and patterns of behaviour but do not identify you as an individual. This helps us to understand how people who visit our website use it, enabling us to improve the layout and contents for visitors.

For more information about the cookies we use and your choices regarding cookies, please visit Squarespace cookie policy section.

It is possible to switch off cookies by setting your browser preferences and settings. Turning cookies off may result in a loss of functionality when using our website.

Neu Health App User ‘Patient’ 

Following prescription by a clinician, users will download the Neu Health application to their mobile phone and interact accordingly, as detailed in the application and/or accompanying guidance materials.  

Personal Data we collect: 

We collect the following types of personal data from you: 

  • Contact Information: Name, NHS number, email address, and phone number. 

  • Demographic Information: Date of birth, dominant hand.  

  • Condition & Application Activity Information: Diagnosis, results from the smartphone assessments, medication information, symptom information, questionnaire results 

This information will be collected via the Neu Health app. This information is used: 

  • To confirm identity and collect information related to the condition 

  • For the clinician’s reference and to ensure only legitimate users access and use the application accordingly

  • For the provision of services by Neu Health to the as per contractual agreements with the data controller 

  • Review activity and perform the calculations necessary to provide the clinicians/data controller with necessary clinical information 

  • By Neu Health to contact patients to perform operational, engagement and service delivery activities such as onboarding and follow-up calls as per contractual agreements with the data controller (i.e., NHS)

  • By Neu Health to provide support to users where required as per contractual agreements with the data controller 

Non-Personal Data we collect: 

Application activity information: app performance information, app feedback 

Anonymised information will be used internally by Neu Health for service and technology evaluation and improvements.  

Any additional information collection and/or handling is managed by the data controller.  

 

Clinical Dashboard User ‘Clinician’ 

Clinicians/the data controller will have access to Neu Platform – providing a dashboard to review results collected via patients using the Neu Health app. 

Personal Data we collect:

We collect the following types of personal data from the data controller:

  • Registration Information: Name, email address and place of work.

This information will be collected via the Neu Platform registration process to confirm identity and ensure only legitimate users access and use the dashboard functionality accordingly.

Non-Personal Data we collect:

Application activity information: Dashboard interaction information. 

This allows Neu Health to review activity and perform fixes on behalf of clinicians/the data controller using necessary performance information. Anonymised information will be used internally by Neu Health for service and technology evaluation, improvements and longitudinal research purposes.

Any additional information collection and/or handling is managed by the data controller.

 

Neu Health Research App Participant

We collect the following types of personal data from you:

  • Contact Information: Name, identification number, email address, and phone number.

  • Demographic Information: Date of birth, dominant hand. 

  • Condition Information: Diagnosis

This information will be collected via the Neu Health app registration process to confirm identity. This will be used for the clinician’s reference and to ensure only legitimate users access and use the application accordingly.

Non-Personal Data we collect:

Application activity information: Results from our smartphone assessments, medication information, and symptom information.

This allows us to review activity and perform calculations to provide clinicians/the data controller with necessary performance information. Anonymised information will be used internally by Neu Health for service and technology evaluation and improvements.

 

Neu Health Research App Researcher

Researchers/the data controller will have access to Neu Platform – providing a dashboard to review results collected via patients using the Neu Health app. 

Personal Data we collect:

We collect the following types of personal data from the data controller:

  • Registration Information: Name, email address and place of work.

This information will be collected via the Neu Platform registration process to confirm identity and ensure only legitimate users access and use the dashboard functionality accordingly. 

Non-Personal Data we collect:

Application activity information: Dashboard interaction information. 

This allows Neu Health to review activity and perform fixes on behalf of clinicians/the data controller using necessary performance information. Anonymised information will be used internally by Neu Health for service and technology evaluation, improvements and longitudinal research purposes.

 

Focus Group Members / Other Test Users

We conduct focus groups with users (patients and clinicians) to develop and evaluate our products. The exact nature of activities relevant to each focus group activity will be detailed per project and provided to participants via specific accompanying materials.

The basis for personal information collection is consent. Consent forms will be provided to each individual prior to commencement of the project. Consent can be withdrawn at any time. 

Where applicable, information such as, but not limited to, video/audio recordings, transcripts and test performance information will be recorded and used internally by Neu Health for service and technology evaluation and improvements.

Children’s Data

We do not knowingly collect personal information about children under 13 years old. Our website, platform and app are not designed for use by children.

General Communications

Direct Marketing

We may use your personal data provided to form a view on whether additional services we provide are of interest to you.  We will send you limited marketing communications from us unless you have specifically opted out from such marketing when you register for our platform and/or app. 

You are able to ask us to stop sending you marketing messages by contacting us at any time. Where you opt out of receiving these marketing messages, this opt-out will not apply to personal data provided to us as a result of your use of service or our platform or app.

We will not sell or otherwise share your personal data with any third parties for marketing purposes (except in respect of Clinical Trials, and only to the extent set out below).

Clinical Trials

We want to give you choices regarding personal data uses, particularly relating to potential clinical trials.  Where we have identified potential trials that may be relevant to you, we will contact you to provide initial information.  We will not share any personal data unless you provide us with explicit consent to do so (at which point we will share your details with the entity running the trial to contact you directly). 

Additional Handling Requirements

Data Accuracy

It is important that the personal data we hold about you is accurate and current.  Please keep us informed if your information changes during your relationship with us.

Third Party Processing

We use data processors who are third parties who provide elements of services for us, including cloud-based storage providers. We have contracts in place with our data processors. This means that they cannot do anything with your personal information such as share it with other organisations unless we have instructed them to do it. They will hold your personal data/information securely and only retain it for the period we instruct. When it is necessary for us to transfer your personal information outside of the UK this will only be done in accordance with the UK GDPR and the Data Protection Act 2018 (DPA 2018).

International Transfers

We use some data processors that are based outside of the UK.  Where this is the case, we ensure that there is an adequacy decision in place which confirms that there is an adequate level of protection for personal data.

We may also use data processors based in locations which are not yet subject to an adequacy decision, however where this is the case, we ensure that appropriate safeguards are in place so that enforceable data subject rights and effective legal remedies for data subjects are available.  This will usually be achieved through the careful selection of data processors which offer high levels of security for personal data and the use of Standard Contractual Clauses (SCCs) which place binding legal obligations on the recipient to ensure the protection of personal data.

If you have any questions about Data Processors we use or International Transfers, please contact us and we will be happy to provide you with additional information (including a list of any processors used and where data is shared).

Data Sharing

We may also share your personal data where we are required by law or under any legal order, or with any third parties to which we might choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

Data Security

We have put in place reasonable and appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We will limit access to your personal data to those individuals who have a business need to know. Any individual who is permitted access to your personal data will also be subject to a duty of confidentiality.

Your Data Protection Rights

Under data protection law, you have rights we need to make you aware of.  The rights available to you depend on our reason for processing your information.

Your right of access

You have the right to ask us for copies of your personal information. This right always applies. There are some exemptions, which means you may not always receive all the information we process. You can read more about this right here.

Your right to rectification

You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies. You can read more about this right here.

Your right to erasure

You have the right to ask us to erase your personal information in certain circumstances. You can read more about this right here.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your information in certain circumstances. You can read more about this right here.

Your right to object to processing

You have the right to object to processing if we are able to process your information because the process forms part of our public tasks or is in our legitimate interests. You can read more about this right here.

Your right to data portability

This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another or give it to you. The right only applies if we are processing information based on your consent or under, or in talks about entering, a contract, and the processing is automated. You can read more about this right here.

Your rights in relation to automated decision making or profiling

This applies where personal information provided is used to inform automated decision-making or profiling activities. You have the right not to be subject to a decision when: it is based on automated processing; and it produces an adverse legal effect or significantly affects you. You can read more about this right here.

How to Make a Complaint

We strive to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we may receive about this very seriously. We encourage people to inform us if they think that any collection or use of information by us is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. You can do this by contacting us here: Contact us 

If you remain dissatisfied, you have the right to make a complaint to the Information Commissioner’s Office (ICO). Please see the ICO’s website for more information:

www.ico.org.uk 

Accessibility Statement

Our Accessibility statement can be found here.

Detailed Breakdown

  • We collect and use the following categories of personal data in our role as controller.  This will typically be provided by patients or clinicians or by entities who employ or engage the clinician.

  • Description: Name, Email, Mobile Number

    Source: Entered by individual

    Purpose(s): To register as a new user and provide services, to manage our relationship with you, to protect our business and platform/app

    Lawful Basis: Performance of contract, necessary for legitimate interests (manage client relationships and protect our business assets)

    Retention Period: Duration of contract and a period of 8 years after termination for any potential legal claims.

  • Description: Job title, Company Name, Telephone Number

    Source: Provided by health sector entity

    Purpose(s): To deliver services and maintain a business relationship

    Lawful Basis: Contract, Legitimate Interests (manage client relationships)

    Retention Period: Duration of contract and a period of 8 years after termination for any potential legal claims.

  • Description: Date of birth, sex at birth, left or right handed, ethnicity (optional)

    Source: Entered by individual

    Purpose(s): To deliver services, for future development of products and services

    Lawful Basis: Contract

    Retention Period: Consent statement from patient on the app when they register

     

  • Description: Bank account details

    Source: Entered by contracting individual or entity

    Purpose(s): To enable invoicing for services, for accounting and taxation purposes

    Lawful Basis: Contract, Legal Obligation

    Retention Period: 8 years from collection for financial records.

  • Description: IP address, Browser type & version, Operating system and other technology information on the devices you use to access our platform or app & frequency of access

    Source: Automatically generated through the app

    Purpose(s): To deliver relevant content via the platform/app, Protection of our website and infrastructure from cyber-attack and to investigate and report any illegal activities.

    Lawful Basis: Legitimate Interests (for running our business, provision of software services, and protect our assets, to detect illegal activities), Legal obligation

    Retention Period: Duration of contract and a period of 8 years after termination for any potential legal claims.

  • Description: Name, email address, telephone number, questionnaire responses

    Source: Answered by individual in-app

    Purpose(s): To understand user experiences and identify issues with our platform or app

    Lawful Basis: Legitimate Interests (to use answers to develop our services and grow our business, to inform our marketing strategy)

    Retention Period: Anonymised on receipt to limit personal data held, results held but outwith data protection rules

  • Description: Usage information on frequency of use of the app and certain areas and features accessed, other key metrics quantifying engagement with platform and app

    Source: Automatically generated through the app

    Purpose(s): To use data to improve our services and app

    Lawful Basis: Legitimate Interests (to study how users engage with our services and app, to develop them and to inform our marketing strategy)

    Retention Period: Anonymised on receipt to limit personal data held, results held but outwith data protection rules

  • Description: Questionnaire responses

    Source: Answered by individual in questionnaire

    Purpose(s): To understand user experiences and identify issues with our platform or app, To develop our services

    Lawful Basis: No basis identified as not anticipated to contain any personal data. Experience questionnaires designed to develop our services and grow our business, to inform our marketing strategy.

    Retention Period: Not anticipated to contain personal data so outwith data protection rules

  • Description: Questionnaire responses on key metrics identifying clinicians' engagement with the platform and/or app

    Source: Answered by individual in questionnaire

    Purpose(s): To use data to improve our services and app

    Lawful Basis: No basis identified as not anticipated to contain any personal data.  Experience questionnaires designed to develop our services and grow our business, to inform our marketing strategy.

    Retention Period: Not anticipated to contain personal data so outwith data protection rules

  • Description: Questionnaires capturing key patient outcomes and clinical efficiency improvements by using the platform or apps

    Source: Combination of in-app questionnaire and data extraction by trust.

    Purpose(s): To use data to improve our services and app

    Lawful Basis: Legitimate Interests (to study how users engage with our services and app, to develop them and to inform our marketing strategy)

    Retention Period: Anonymised or aggregated on receipt to limit personal data held, results held but outwith data protection rules

  • Description: Name, email, telephone number

    Source: Individual input on preferences to be contacted for marketing or relevant clinical trials

    Purpose(s): To contact about relevant matters

    Lawful Basis: Legitimate Interests (to grow our business and develop new products and services)

    Retention Period: For duration of being a user, deleted on termination of account with Neuhealth Digital

  • We collect and use the following categories of personal data in our role as processor on behalf of the relevant health sector entity as data controller. This will always be processed in accordance with the instructions given by the relevant data controller. It is anticipated that this data will be anonymised individual level data so would fall outwith the data protection rules, but we have set out how we collect and use this data for fullness.

  • Description:  Special category health data including: Movement and voice exercise activity data, self-reported symptoms, cognitive tests, composite scores

    Source: Entered by patient/participant directly into the App, calculated by use of the algorithms

    Purpose: To fulfil provision of services to data controller

    Lawful Basis: Contractual – please see Data Controller information for further details. Consent – demonstrated via patient/participant opt-in usage of the app. 

    Retention Period: Records kept in accordance with agreement with relevant data controller

  • Description: Health data including: type of medication, timing of medication, reminder acknowledgement

    Source: Entered by patient directly into the App, calculated by use of the algorithms

    Purpose: To fulfil provision of services to data controller

    Lawful Basis: Contractual – please see Data Controller information for further details.

    Retention Period: Records kept in accordance with agreement with relevant data controller