Data Privacy Policy
This privacy policy (the “Policy”) is designed to give you information about how your personal data is collected and used in connection with your use of the Your Resilience Platform (“Your Resilience” or “Happence” or Helix Resilience”).
The Policy has been prepared to tell you about how your personal data is protected and about your privacy rights.
This Policy covers the following areas:
1. Who we are, and our data promise to you
2. Our responsibility for the handling of your personal data
3. The information we collect about you
4. How we collect your personal data
5. Use of your personal data
6. Who we share your personal information with
7. How we keep your personal data secure
8. How long we keep your personal data for
9. Sending your personal data outside the UK and EEA
10. Your rights
11. Our contact details
12. Changes to this Policy
It is important that you read this Policy with any other notice or privacy information presented to you on Your Resilience, or that we may provide to you when we collect or process your personal data during your use of Your Resilience. This Policy supplements such other notices and does not replace them.
1. Who we are, and our data promise to you.
Your information will be held by Cocoon Wellbeing Limited (trading as Happence) (” “Happence”, “Your Resilience”, “we”, “us”, “our”). We are an established team including therapists, psychiatrists, psychologists and technologists with a proud heritage of helping patients resolve common issues in their daily lives such as stress, depression, anxiety and sleep disorders.
Our services are being made available by your employer for use by employees (“Your Employer”).
We have developed Your Resilience, to provide an inclusive and interactive service where you can learn about yourself, and have access to learning materials, tools and professional services to help you build your resilience. We collect your personal information because it helps us to understand your needs and guides the way in which we interact and communicate with you.
We have strict policies and procedures in place to protect your data when we process it in order to make Your Resilience available to you. We are committed to respecting your privacy and protecting your personal data whilst it is in our care.
2. Our responsibility for the handling of your personal data.
As the data controller, we are the party responsible for any personal data you provide to Your Resilience, which will be processed in accordance with this Policy. Even though Your Employer has made Your Resilience available to you, the only information they will receive relating to your use of Your Resilience will be to validate your eligibility (this uses your work email address) or if Your Employer manages Happence membership themselves, they will be able to see that you have been allocated a Your Resilience licence. Aside from these limited processes, they will not be provided with any of the personal data we collect.
We do provide Your Employer with aggregated anonymised reports, but we do not share individualised answers with them. Further detail relating to the information provided to Your Employer is included in Section 6 below.
3. The information we collect about you
When we talk about “personal data” we mean any information, or a combination of pieces of information, that identify you or allow you to be identified.
When you register for and start using Your Resilience, the personal data we collect about you will depend on which parts of Your Resilience you use.
For example, learning pathways on Your Resilience often collect assessment data at the beginning, middle and end of your journey so that you can see your progress. Data. The personal data we collect will therefore be influenced by the way you use Your Resilience.
You are not required to provide your personal data to us, however, we will need certain information in order to register you on to Your Resilience. If you choose not to provide us with certain personal data, it may affect the accuracy of assessment results and the way Your Resilience responds to you. You can choose to participate in some or all parts of any Your Resilience, so you can choose what types of personal data we collect about you.
Throughout Your Resilience we may collect, use, store or generate the following types of personal data about you. We have grouped together the categories of personal data we collect as follows:
a) Information necessary to register you in Your Resilience.
Personal data you provide to us when registering in Your Resilience:
i) Your name; and
ii) Your personal and work email addresses;
b) Your Resilience unique user ID and accompanying account data.
c) Information relating to your employment.
High level information, designed to assist with the preparation of aggregated insights for Your Employer and to assess your eligibility to use this service, including your:
i) Division;
ii) Country;
d) Other personal information. Which may also be relevant to your wellbeing and levels of resilience, including:
i) Your age category;
ii) Gender;
iii) Marital status;
iv) Number of children and their age ranges;
v) Long term conditions;
e) Your responses to surveys and assessments that we carry out as part of Your Resilience.
Your Resilience contains optional assessments designed to assess and improve your wellbeing. These include:
i) assessments on Psychological, Social and Physical Wellbeing; and
a daily resilience or mood tracker;
ii) polling surveys;
iii) feedback surveys on App content, performance and your suggestions.
By way of example, these may include questions about your lifestyle, performance at work, your personality, and your physical and mental health (see Sensitive personal data below);
f) Your posts and engagement on the communities section of the Your Resilience.
Your Resilience Communities allow users to form supportive discussion groups on topics raised in Your Resilience. Experts may support these discussions from time to time. Although we request that users do not identify themselves in these discussions, to the extent you choose to identify yourself, or provide personal information in your free form responses this will necessitate our processing of that data.
g) Our correspondence.
If you contact us, we will typically keep a record of that correspondence;
h) Information about how you use Your Resilience.
Such as information about the amount of time you use our services or assessments for. This may include the pages and screens you visit, and any options you select. We collect this information in order to provide feedback about the performance of Your Resilience and the website more generally;
i) Website usage and device information.
We will typically collect certain technical data including your internet protocol (IP) address, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other details about the devices you use to access this website. We collect this data primarily for security purposes. We also capture this information and anonymise it, before completing site activity analytics. There is no advertising on our portal and we do not share this information with any marketing agencies.
Special Category data
As part of the Your Resilience journey you will be asked some personal questions. If you choose to answer these questions, you may be providing special category personal data, including personal data relating to your physical and mental health.
Special category data is personal data of a more sensitive nature. It is up to you whether you provide this sensitive personal data when completing the assessments and when using the communities section.
To get the best out of Your Resilience, it is recommended that you answer the questions honestly, however if you feel uncomfortable, you may choose not to provide information. If you do choose not to answer questions it may affect the accuracy of your results and Your Resilience recommendations.
Aggregated data
We may collect, use and share aggregated data, such as statistical or thematic reports, to support the development and improvement of Happence products and to deliver insights to Your Employer about trends present in their employee base. By way of example, these Insights might include, “30% of your employees feel stressed at work”, “60% of users feel they work well in a team”. These insights will only ever include anonymised reports, we do not share individualised answers with Your Employer. For more information see (Who we share your personal information with) below.
4. How we collect your personal data
We use different methods to collect data from and about you including through:
a) Direct interactions.
When you register in Your Resilience, we will ask you to complete your name and email address(es). We may also collect your personal data from your participation in Your Resilience assessments, your activity in the community discussions and any direct communication you have with us,
b) Automated technologies or interactions.
As you interact with Your Resilience, we will automatically collect technical data about your device, browsing actions and patterns. We collect this personal data directly from your mobile app, or if you access Happence via a browser, by using cookies. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of Your Resilience may become inaccessible or not function properly. When you engage with the Your Resilience ChatBot your answers also fall under our automated data collection activities.
c) Where we use Cookies, we do so for the following purposes:
i) on logging in, the system creates a cookie with a key that keeps your current data, so that you can be identified and are not required to log in every single time you open Happence
ii) to determine on every click if this is still the same participant
iii) for success & error messages (for example, ‘Session successful message’)
iv) for security measures – the session is tracked and after 2 hours of non-activity you are logged out automatically.
d) Analytics providers.
We use Google Analytics, & Hotjar, who provide us with information relating to Your Resilience traffic and how users interact with Your Resilience. This involves the transfer of anonymised platform traffic data. All information is automatically anonymised a second time on upload to analytics platforms.
5. Use of your personal data
We set out below the purposes for which we use the personal data that we collect about you, with the legal basis that we rely upon for its use. The “legal bases” are set out in data protection laws: they allow companies to process personal data only when the processing is permitted by the specific “legal basis” set out in law. These grounds include:
a) Legitimate interests – where we use your information to achieve a legitimate interest and our reasons for using it outweigh any prejudice to your data protection rights
b) Consent – where you have consented to our use of your information.
c) Legal obligation – where we need to use your information to comply with our legal obligations.
d) Legal claims – where your information is necessary for us to defend, prosecute or make a claim against you, us or a third party.
e) Performance of a contract – where your information is necessary especially in relation to the setup of an account and the provision of services to you as the data subject.
In summary, we generally rely on the performance of a contract grounds for processing, and our legitimate interests as a provider of wellbeing and resilience services, to provide you with Happence services which has been made available to you at the request of Your Employer, and to which you have registered. We rely on your explicit consent for the processing of any special category health data which you may provide when completing assessments, or otherwise engaging with Happence services.
To the extent that we rely upon your consent as the legal basis under which we process your personal data, you are entitled to withdraw your consent, at any time. Please contact us if you want to do so using our details at the bottom of this notice.
We will process your personal data only for the purposes set out in this section. If we are required to process your personal data for any purpose other than those included in this section, we will notify you of this before doing so.
In more detail, we use your personal data for the following purposes on the following legal bases:
Purpose/Activity: To setup your account
Type of data: Identity Contact data
Lawful basis for processing including basis of legitimate interest: Our legitimate business interests as a provider of wellbeing and resilience services, to provide you with the resilience and wellbeing service which has been made available to you at the request of Your Employer, and to which you have registered.
Purpose/Activity: To provide our services to you, which may include assessing your state of health, wellbeing, identifying risks and making recommendations
Type of data: Identity, Account, Health and lifestyle data, Assessment responses
Lawful basis for processing including basis of legitimate interest: Our legitimate interests to deliver educational, and evaluative wellbeing and resilience content. Performance of the contract with you. In relation to assessments which may include answers relating to your health and lifestyle data, your explicit consent.
Purpose/Activity: To conduct data analysis, including profiling, in order to make assessments about your lifestyle, personality and physical and mental health. This information is used to tailor your experience on Happence services;
Type of data: Identity, Account, Health and lifestyle data, Assessment responses, Technical, Usage
Lawful basis for processing including basis of legitimate interest: Our legitimate interests to deliver educational, and evaluative wellbeing and resilience content. In relation to assessments which may include answers relating to your health and lifestyle data, your explicit consent.
Purpose/Activity: To use data analytics to improve Happence, relations with users and user experiences
Type of data: Identity, Account, Technical, Usage
Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (to keep Happence services updated and relevant, to develop our service and to inform our future services)
Purpose/Activity: To manage our relationship with you which will include: (a) Notifying you about changes to our terms or privacy policy; (b) Asking you to leave a review or take a survey; (c) To respond to your queries or feedback.
Type of data: Identity, Contact Profile, Communications
Lawful basis for processing including basis of legitimate interest: Necessary to comply with a legal obligation; Necessary for our legitimate interests to keep our records updated and to study how users interact with Happence services.
Purpose/Activity: To prepare anonymised aggregated and thematic reports for the benefit of your employer, including monitoring employee uptake, and developing insights about the workplace. This anonymised aggregated and thematic information may also be used to form the basis for external publications.
Type of data: Anonymised Account, Assessment responses, Health, Lifestyle, Technical and Usage data
Lawful basis for processing including basis of legitimate interest: Our legitimate interests to deliver reporting to your employer about how participants interact with the programme on an aggregated basis, including value for money statements. Our legitimate interests in publishing materials externally regarding the programme and its impacts.
Purpose/Activity: To prepare anonymised aggregated and thematic research for the benefit of you (for example; research resulting in improvements to the programme); Your Employer (for example, resulting updates to the programme designed to help further improve your performance) and the wider community (for example, providing academic level empirical evidence to support or disprove treatment programmes that might form part of future accepted treatment protocols available to both you and the wider (external) community); and developing insights about the workplace (for example, overall trends amongst the organisation’s employees pointing to improving or decreasing levels of stress). This anonymised information may also be used to form the basis for external publications.
Type of data: Anonymised Account, Assessment responses, Health, Lifestyle, Technical and Usage Data
Lawful basis for processing including basis of legitimate interest: Our legitimate interests: to deliver reporting to your employer about how participants interact with the programme on an aggregated basis, including insights and value for money statements; in supporting academic research programmes with the purpose of improving the programme for participants and treatment protocols for the wider (external) community; in publishing materials externally regarding the programme and its impacts.
Purpose/Activity: To administer and protect our business and Your Resilience (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data and to comply with laws and regulations, codes of practice and industry standards)
Type of data: Identity, Account, Contact, Assessment Responses, Technical, Usage
Lawful basis for processing including basis of legitimate interest: Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, and in the context of a business reorganisation or group restructuring exercise); Necessary to comply with a legal obligation.
Purpose/Activity: To exercise or defend our rights
Type of data: Identity, Contact, Technical, Account
Lawful basis for processing including basis of legitimate interest: As necessary to exercise or defend our rights.
6. Who we share your personal information with
We may share your personal data in the following circumstances:
a) with our employees, contractors, and experts – where necessary for the provision of Happence services and support. For example, this could include review of your survey responses, or response to your posts on the Communities page.
b) with our service providers including our platform developer, analytics and cloud hosting providers, and such other service providers performing IT services and other business operations for us from time to time. This allows us to provide appropriate operational supports and to make enhancements to the service.
c) with our partners as you make use of certain third-party functionalities built into Happence services. For example, you may choose to use our Fatigue analysis feature powered by Thymia Ltd, which tracks voice patterns to detect signs of fatigue. You will be asked for your consent as you begin any such activities.
d) with our professional advisers, including lawyers, accountants, auditors, bankers, insurers, who provide legal, accountancy, audit, banking, insurance or consultancy, or other services to us. We may share information to assist us in activities including enhancing the performance and content of the service, emergency cyber recovery and forensics services, proof of business operations and to help prepare documents such as this policy.
e) with HM Revenue & Customs, regulators and other authorities who may require us to report on processing activities in certain circumstances.
Subject to (a) the condition that your Employer has agreed in writing in advance (b) the terms of the contract between us and your Employer and (c) our having provided you with an updated version of this Policy to explain the change, we may share your data with a third party which takes over the control of our business, by acquiring control of our companies or assets, including our database and in such circumstances that company will assume the rights and obligations formerly attributable to us and will use the data in the same ways and for the same purposes under which you submitted it or as described in this Policy.
Sharing of data that does not say who you are:
• we will not sell your personal data to 3rd parties
• with your Employer –we use and share aggregated data such as statistical or thematic reports to deliver insights to Your Employer about trends present in their employee base. These insights will only ever include anonymised reports, we do not share individualised answers with your employer.
• with external parties in an anonymised aggregate form, for the purposes of providing evidence supporting the efficacy and value for money of the programme. This information will only ever include anonymised data.
• with external parties in an anonymised form, for the purposes of providing evidence supporting academic research.. For example, research themes include improving your Cognitive Retention and Reserve; , enhancing the quality of sleep and general wellbeing; and the importance of Nutrition and the Gut Biome in reducing stress and anxiety levels and improving performance. This data will only ever be shared in an anonymised form.
Where we are able to do so, we require all third parties to respect the security of your personal data and to treat it in accordance with the law. We only disclose the personal data each third party needs in order to provide the specified purposes, and we do not allow any of our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
7. How do we keep your personal data secure?
We deploy administrative, technical, and physical safeguards designed to safeguard the information that we collect. We evaluate these safeguards on an ongoing basis to help minimize risks from new security threats as they become known. Our servers are protected using HTTPS and TLS technology. Our employees are trained in data security, and our policies and procedures help our employees to understand what is required of them under their obligations to us and their responsibilities under applicable data protection legislation.
Your data will be held in our secure online portal which is only viewable by you and Happence. We employ approved industry standard security protocols to keep your data safe. Despite these measures, we cannot guarantee the absolute security of your information. For example, we cannot be responsible for the security of information you transmit to us over networks that we do not control, including unsecured internet and wireless networks.
8. How long we keep your personal data for
We generally only keep personal data for as long as is reasonably required for the reasons explained in this Policy. We will keep your personal data for 7 years. When deciding how long to keep your personal data after our relationship with you has ended, we take into account our legal obligations and regulators’ expectations. We may also retain records to investigate or defend potential legal claims.
9. Sending your personal data outside the UK and the EEA
When we send your personal data outside of your country we have in place adequate safeguards to do so. This includes UK and/or EU standard contract clauses approved by the UK and/or the European Commission or other suitable safeguard to permit personal information transfers from the UK or European Economic Area (“EEA”) to other countries.
In particular:
• our data and back up services are primarily hosted within the British Isles;
• we or our service providers may transfer personal data out of the UK and EEA in connection with the analytics services in Section 4b;
Please get in touch with us if you would like more information about these safeguards.
10. Your rights
Depending on the laws applicable in your country you may have certain data privacy rights available to you in law.
For example our UK and EEA users have rights under GDPR (with some exceptions and restrictions) to:
· object to our processing of your personal data, including profiling, and automated decision making. You can object, on grounds relating to your particular situation, at any time. In which case, we shall stop processing the data that your objection relates to, unless we can show compelling legitimate grounds to continue that processing;
· access your personal data. If you make this kind of request and we hold personal data about you, we are required to provide you with information on it, including a description and copy of the personal data and why we are processing it;
· request that we provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format;
· request erasure of your personal data in certain circumstances;
· request correction or updating of the personal data that we hold about you and that is inaccurate;
· request the restriction of our processing of your personal data in some situations. If you request this, we can continue to store your personal data but are restricted from processing it while the restriction is in place;
· complain to your local data protection authority about our collection or use of your personal data. For example, in the UK, the local data protection authority is the UK Information Commissioner’s Office. All relevant authorities are listed in Section 11 of this notice.
If you choose to exercise the rights described above, we may ask you to provide additional information so that we can satisfy ourselves as to your identity before we take further action.
If you would like to exercise any of these rights in relation to any information that we hold about you, please contact us. Our contact details can be found in below. We will consider and respond to your request in accordance with the relevant law.
11. Our contact details
If you have any questions about this Policy or would like to exercise any of the rights mentioned in this Policy, you can contact us in any of the following ways:
By post: The Data Protection Officer, Happence, 7th Floor, 10 Lower Thames Street, London EC3R 6HD, United Kingdom
By email: support@happence.com
If you are not satisfied with the response you receive, you have the right to make a complaint to your local data protection authority, as below:
Information Commissioner: https://ico.org.uk
12. Changes to this Policy
This version was last updated on the 6 December 2021. The Policy may be amended from time-to-time if we make any important changes in the way that we collect, store and use personal data. We may notify you by sending an email to your last known email address to direct you to the Policy if the changes are material. Any changes will be effective immediately.