Privacy Policy

Credo Therapies Ltd Privacy Statement

INTRODUCTION

Credo Therapies Ltd (“Credo Therapies” or “We” “Us” or “Our”) is committed to protecting and respecting your privacy in line with current legislation. This privacy statement is relevant to anyone who is using the Credo Therapies application. It tells you what personal data is collected and what we do with that personal data.

The Credo Therapies application uses your Identity and Health data (a combination of Personal Data and Sensitive Personal Data) collected voluntarily from you in order to fulfill the Credo Therapies Digital CBTe service. A full description of the Credo Therapies service can be found in the Terms of Service on our website.

This solution is not intended for children and we do not knowingly collect data relating to children.

If you have any questions about this privacy statement, including any requests to exercise your legal rights, please contact us using the details below.

ABOUT CREDO THERAPIES

Credo Therapies Ltd is a registered company in the United Kingdom under Companies House number 14441022. Our registered office is at 8 King Edward Street, Oxford, United Kingdom, OX1 4HL.

Credo Therapies Ltd is registered with the ICO with registration number ZB494720.

DEFINITIONS

In the provision of the Credo Therapies service, both Personal Data and Sensitive Personal Data will be collected and used.

Personal Data means data which relates to a living individual who can be identified from the data or from the data and any other information which is in the possession of, or likely to come into the possession of, the data controller.

Sensitive Personal Data means personal data consisting of racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, biometric data, data concerning health or data concerning a natural person's sex life or sexual orientation.

We will also refer to the Data Protection Officer (DPO) and the Data Controller.

According to the GDPR legislation which came into effect in May 2018, Credo Therapies were required to appoint a DPO as our core activities involve processing special categories of personal data. The purpose of the DPO is to inform and advise Credo Therapies and our employees about obligations to comply with GDPR and other data protection laws; to monitor compliance with GDPR and data protection laws; and to be the first point of contact for supervisory authorities and for individuals whose data is processed.

The Data Controller is a person who determines the purposes for which and the manner in which any personal data are or are to be processed. Credo Therapies Limited is the Data Controller regarding any data that is processed or stored in Digital CBTe.

The Data Processor means any person who processes the data on behalf of the Data Controller.

WHAT INFORMATION DO WE COLLECT

We collect data you voluntarily share with us when you register and use our products and services. We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

Identity Data

Purpose of Data: We collect Personal Data to identify you so that you can use the application and so we can communicate with you to provide a service.

Type of Data: Name, Email

Health Data

Purpose of Data: We collect health data, which is considered sensitive data and includes details of your physical characteristics, the impact of eating problems, and general physical and mental status information.

Type of Data: Ethnicity; Physical/mental health information

Cookies

Purpose of Data: Cookies (small text files placed on your computer while using our site) used by Matomo are used to assist with improving your site experience and to safeguard your privacy whilst browsing our site. For more information, visit www.allaboutcookies.org; for more information on Matomo cookies, see the official Matomo cookies FAQ.

Type of Data: Strictly necessary cookies

Internet Protocol (IP) Data

Purpose of Data: IP Data may be collected by some of our third-party processors in order to provide analytics data.

Type of Data: IP Data

HOW WE PROCESS YOUR DATA

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

● Where we need to perform the contract we are about to enter into or have entered into with you.

● Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.

● Where we need to comply with a legal obligation.

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

Purpose: To register you as a new user

Type of Data: (a) Identity, (f) Marketing and Communications

How we will collect this data: This data is provided to us by users at the time of registering for the platform.

Lawful basis for processing: (a) Performance of a service with you

 

Purpose: To verify the suitability of the application (eligibility)

Type of Data: (a) Health

How we will collect this data: This data is provided to us by the user at the time of registering and using the platform.

Lawful basis for processing: (a) performance of a service with you

 

Purpose: To process and deliver the program

Type of Data: (a) Identity (b) Health (c) Usage (d) Research (e) Technology (f) Marketing and Communications

How we will collect this data: This data is provided to us at the time of your registration on the platform and completion of your questionnaires. Without this information, we cannot provide the Credo Therapies service.

Lawful basis for processing: (a) Performance of a service with you

 

Purpose: To manage our relationship with users which will include: (a) Notifying you about changes to our terms or privacy policy (b) Asking you to provide feedback

Type of Data: (a) Identity (b) Contact (f) Marketing and Communications

How we will collect this data: We will collect this information from users at the time of registering for the platform.

Lawful basis for processing: (a) Performance of a service with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests (to keep our records updated and to study how customers use our services)

 

Purpose: To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

Type of Data: (a) Identity (b) Contact (e) Technical

How we will collect this data: This data is collected through users registering for the platform.

Lawful basis for processing: (a) Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation) (b) Necessary to comply with a legal obligation

 

Purpose: To use data analytics to improve our website, services, marketing, customer relationships and experiences

Type of Data: (a) Technical (c) Usage

How we will collect this data: This data is collected through cookies, when the user is using the platform.

Lawful basis for processing: (a) Necessary for our legitimate interests (to define types of customers for our services, to keep our website updated and relevant, to develop our business)

 

Purpose: To improve the Credo Therapies service

Type of Data: (a) Identity (b) Contact

How we will collect and use this data:

Lawful basis for processing: (a) Necessary for our legitimate interests, and (b) Fulfilling our contract with the user

 

Purpose: To conduct research and aggregated reports

Type of Data: (a) Pseudonymised personal data and sensitive personal data

How we will collect this data: This data is provided to us at the time of your registration on the Credo Therapies platform and completion of your questionnaire

Lawful basis for processing: (a) Necessary for our legitimate interests, (b) Scientific and statistical research purposes

 

Purpose: To process job applications and employment contracts

Type of Data: (a) Identity (b) Contact

How we will collect this data: This data is collected during the recruitment process and/or during commencement of employment with Credo Therapies

Lawful basis for processing: (a) Performance of a service with you (b) Necessary to comply with a legal obligation (c) Necessary for our legitimate interests

 

Purpose: To do what we are required to do by law

Type of Data: (a) Identity (b) Contact

How we will collect this data: This data is provided to us at the time of your registration on the platform and completion of your Health Profile; or at the time of commencing employment with us

Lawful basis for processing: (a) Necessary to comply with a legal obligation

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us using the contact details provided below.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

WHO WE SHARE YOUR DATA WITH AND WHY

The Digital CBTe application is run by us with our third party service providers to provide the overall service. These companies will, as necessary, process your data in order for us to fulfill the Credo Therapies service you purchase.

The following party is the Data Controller:

Credo Therapies Ltd

Provides the overall service; Coordinates with and provides policy to Third Party Suppliers to fulfill the service.

The following Third Party Suppliers are Data Processors and this list reflects their requirements to fulfill our service and the data we share with them in order to do so:

Referrer

Purpose: We may need to share your information with your Referring NHS Trust in order to provide the service to you, with your consent.

What data we share: Identity data, Health data

Third party links

This solution may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our solution, we encourage you to read the privacy policy of every website you visit.

Amazon Web Services

Purpose: Amazon Web Services provides cloud hosting for our platform. All data is encrypted and therefore not accessible. Servers are located in UK / EU.

What data we share: None.

Twilio

Purpose: Provide SMS text messages to remind you about using the service. To receive messages you must opt in. If you do opt in you can opt out at any time by emailing support@credotherapies.com

What data we share: Mobile phone number

Global Initiative

Purpose: Global Initiative provides the development of our platform and application and therefore has full access to all data provided on the platform.

What data we share: Identity data, Health data, analytics data, cookies data

INTERNATIONAL TRANSFERS

If we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

● We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission and according to UK GDPR transfer rules. For further details, see European Commission: Adequacy of the protection of personal data in non-EU countries and International transfers after the UK exit from the EU Implementation Period.

● Where we use certain service providers, we may use specific contracts approved by the European Commission and the Information Commissioner’s Office, which give personal data the same protection it has in Europe. For further details, see European Commission: Model contracts for the transfer of personal data to third countries.

● Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US. For further details, see European Commission: EU-US Privacy Shield.

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the EEA.

HOW LONG CAN WE KEEP YOUR PERSONAL DATA FOR

We may only keep your personal data for as long as it is required for one of the reasons detailed in the above section. However, in some cases, such as legal requirements or anonymised reporting, we may be required to keep it longer.

We have policies about how we keep/store your personal data. The periods differ depending on the period and the purpose for which we are using your personal data and the nature of the personal data.

How long we keep the data is determined by the period we need to keep it for in line with fulfilling the service and our legal obligations.

When data is no longer required for its purpose, we ensure data is securely and irrevocably deleted from our system.

WHEN CAN YOU ASK US TO STOP USING YOUR DATA

We rely on consent to fulfill the products and services we offer and also so we can contact you directly about the status of your product/service.

You can ask us to stop using your Data at any time. However, in doing so we will be unable to continue providing the service.

In order to request that we stop using your data, you can send us an email to compliance@credotherapies.com stating that you wish for us to stop using your data immediately. Please refer to our User Terms relating to Removal of User Information for further information.

WHAT HAPPENS IF YOU DON’T GIVE US SOME OF YOUR DATA

It is entirely optional to provide consent for us to collect and process your data. However, where you do not provide the Data we need in order to provide the requested Credo Therapies service or to fulfill a legal requirement, we will not be able to fulfill the service requested.

HOW TO CONTACT US ABOUT THIS PRIVACY STATEMENT

You may contact us at any time via email or post to query anything that may have come up from reading this statement.

Address: Credo Therapies Ltd, Att: Head of Operations;

Email: compliance@credotherapies.com

YOUR RIGHTS

We can be contacted at the addresses above for one or more of the following reasons:

1. To ask Us to correct Personal Data about You that is wrong or incomplete, or delete Personal Data about You.

2. To tell Us that You no longer consent to Us using Personal Data about You and to ask Us to stop. This would not invalidate Our use of the Personal Data prior to the withdrawal of consent.

3. To tell Us to stop using Your Personal Data for direct marketing purposes.

4. To ask Us to send You the Personal Data We have about You. This is sometimes called a "subject access request".

5. To ask Us to provide You with the Personal Data You have provided to Us. We will provide the Personal Data in a CSV formatted document so that another organisation's software can understand that Personal Data. This is sometimes called a "data portability" right.

6. To ask Us not to use Personal Data about You in a way that allows Our computer systems to make decisions about You.

7. To request that We restrict use of Your Personal Data or to object to its use (including objecting to data used in Our "legitimate interests")

Sometimes We will not be able to stop using Your Personal Data when You ask Us to (e.g. where We need to use it because the law requires Us to do so).

COMPLAINTS

You have the right to complain about how We treat Your Personal Data to the Information Commissioner's Office (the "ICO"). The ICO can be contacted at:

● Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

● Telephone: 0303 123 1113 (local rate) or 01625 545 745

● Email: https://ico.org.uk/global/contact-us/email/

CHANGES TO THIS PRIVACY STATEMENT

We may update this Privacy Statement from time to time. We will notify You of the changes where required by law to do so.

Last modified on 4 September 2023