CYCLISTS OPEN BAND STUDY PRIVACY POLICY

Last Updated: Jan 18, 2022

This Privacy Policy (“Policy”) describes how 4YouandMe (“4YouandMe”, “we”, “our” or “us”) and our Cyclist’s Open band Study mobile application (“COB-APP” or the “App”) use and collect Personal Information from individuals (“you”, “your”). The App is only intended for use in connection with your participation in the research study, “Cyclists Open Band Study” (the “Study”).

For the purpose of this Policy, “Personal Information” means any information relating to an identified or identifiable individual, including information you provide or generated when you use our App or when you participate in the Study. This Policy, which is incorporated into and is subject to the 4YouandMe Terms of Service describes the Personal Information that we collect from you or from other sources, how we use and disclose such Personal Information, the legal basis we rely on to process such Personal Information, and the steps we take to protect such Personal Information. Additional information about how we use and collect data is described in the Consent Form (the “ICF”) provided to you in connection with the Study, which is hereby incorporated by reference and made a part of this Policy. If you have not signed an ICF, or otherwise completed the e-consent process, or do not agree with this Policy, then you may not use the App.

Personal Information We Collect

Personal Information Collected from You

  • Account Information. When you register an account to use the App, we request you to provide Personal Information to us, such as your name, phone number, email address, age

  • Communication Information. If you contact us directly, we receive additional Personal Information about you such as your name, email address, phone number, the contents of a message or attachments that you may send to us, and other Personal Information that you choose to provide.

  • Activities related information. When you use the App, we collect information that you provide about the number of activities you completed (cycling, walking, sleeping, sitting at rest).

Information Collected from Other Sources

  • Personal Information from devices and wearables. When you connect our App with the wearable wristband (the “CRI Open Band”) and the wearable chest strap sensor (the “Polar H10 Chest Strap”), we will receive the following health and lifestyle data from the third-party providers of those services:

    • The CRI Open Band collects heart rate, resting heart rate, heart rate variability, respiration rate, breathing variance, sleep-related behaviors, and activity data (sense of step count and cycling activity).

    • The Polar H10 Chest Strap collects heart rate, resting heart rate, heart rate variability, respiration rate, breathing variance, and activity data (sense of step count and cycling activity).

How We Use the Information We Collect

We use Information we collect on the App to provide the App and conduct the Study, including the following:

  • To onboard you, set up and maintain your account: we use user-provided Personal Information such as your name, phone number, email address and age to onboard you as a participant to the Study, to set up an account on the App or to help you recover your account. We do so in accordance with our contractual and precontractual obligations to you.

  • To operate and deliver the features of our App to carry out the Study: we use user-provided Personal Information (such as your responses on the App to which activities you are completing), and Personal Information collected by the CRI Open Band and the Polar H10 Chest Strap in order to deliver the functionalities of our App in accordance with the Study and the ICF. We do so in accordance with our contractual obligations to you, and where we process your health information, we do so on the basis of your explicit consent which you provide through the ICF.

  • To communicate with you: we use user-provided Personal Information (such as your name and email address) and communication information (such as your phone number, message contents or other Personal Information you choose to provide to us) in order to provide you with updates, information relating to the App and the Study, provide information that you have requested, respond to your questions and otherwise support you. It is in our legitimate interests to communicate with you in order to manage our relationship with you.

  • Statistical and clinical research: we use your Personal Information from devices and wearables and Personal Information collected from you to conduct statistical and clinical research into health and for the purposes of the Study. Your information will be aggregated and/or coded to remove personally identifying details (“Coded Information”) before it is shared with our partners and internal researchers. We do so on the basis of our legitimate interests in conducting such scientific research and statistical endeavors for the purpose of improving 4youandme and furthering research into the accuracy of the CRI Open Band as a low cost and open-source wearable device.

Legal Grounds

If you are located in the European Economic Area (“EEA”) or in the United Kingdom (“UK”), we only process your Personal Information based on a valid legal ground, including:

  • Consent. You have consented to the use of your Personal Information by signing an ICF or by completing the e-consent process.

  • Legal obligation. We have a legal obligation to use your Personal Information, for example to comply with regulatory reporting, tax, and accounting obligations.

  • Legitimate interest. We or a third party have a legitimate interest in using your Personal information, in particular for statistical and clinical research purposes, as described above. We only rely on our or a third party’s legitimate interests to process your Personal Information when these interests are not overridden by your rights and interests.

Who We Disclose Personal Information To

Except as described in this Policy, including the ICF, we will not disclose Personal Information about you that we collect on the App to third parties without your consent. We disclose Personal Information to third parties if you consent to us doing so, as well as in the following circumstances:

  • To internal qualified researchers, Study Partners (as defined below), IT staff and Study organizers, in the course of the Study (additional information about what constitutes a qualified researcher is available in the ICF). “Study Partners” include the Department of Psychiatry at the University of Oxford, and Sage Bionetworks.

  • To other third-party service providers, such as website hosts, application developers, cloud hosting providers, long term storage solution providers and maintenance services providers (e.g., Amazon Web Services). Generally, we limit the Personal Information provided to these service providers to that which is reasonably necessary for them to perform their functions, and we require them to agree to maintain the confidentiality of such Personal Information.

  • We will disclose Personal Information if required to do so by law or in the good-faith belief that such action is necessary to comply with state and federal laws, in response to a court order, judicial or other government subpoena or warrant, or to otherwise cooperate with law enforcement or other governmental agencies.

  • We also reserve the right to disclose Personal Information about you that we believe, in good faith, is appropriate or necessary to: (i) take precautions against liability; (ii) protect ourselves or others from fraudulent, abusive, or unlawful uses or activity; (iii) investigate and defend ourselves against any third-party claims or allegations; (iv) protect the security or integrity of the App and any facilities or equipment used to make the App available; or (v) protect our property or other legal rights (including, but not limited to, enforcement of our agreements), or the rights, property, or safety of others.

  • Personal Information about our users may be disclosed and otherwise transferred to an acquirer, successor, or assignee as part of any merger, acquisition, debt financing, sale of assets, or similar transaction, or in the event of an insolvency, bankruptcy, or receivership in which Personal Information is transferred to one or more third parties as one of our business assets.

How Long We Store Your Personal Information For

4YouandMe stores all Personal Information for as long as necessary to fulfil the purposes set out in this Policy or in the ICF, or for as long as we are required to do so by law or in order to comply with a regulatory obligation. 4YouandMe only keeps Account Information for the duration of the Study. When deleting Personal Information, we will take measures to render such Personal Information irrecoverable or irreproducible, and the electronic files which contain Personal Information will be permanently deleted.

Your Rights

In certain circumstances you have the following rights in relation to your Personal Information that we hold.

  • Access. You have the right to access the Personal Information we hold about you, and to receive an explanation of how we use it and who we share it with.

  • Correction. You have the right to correct any Personal Information we hold about you that is inaccurate or incomplete.

  • Erasure. You have the right to request for your Personal Information to be erased or deleted.

  • Object to processing. You have the right to object to our processing of your Personal Information where we are relying on a legitimate interest.

  • Restrict processing. You have a right in certain circumstances to stop us processing your Personal Information other than for storage purposes.

  • Portability. You have the right to receive, in a structured, commonly used and machine-readable format, Personal Information that you have provided to us if we process it on the basis of our contract with you, or with your consent, or to request that we transfer such Personal Information to a third party.

  • Withdraw consent. You have the right to withdraw any consent you previously applied to us. We will apply your preferences going forward, and this will not affect the lawfulness of processing before your consent was given.

Please note that, prior to any response to the exercise of such rights, we will require you to verify your identity. In addition, we may require additional information (for example, why you believe the Personal Information we hold about you is inaccurate or incomplete) and may have valid legal reasons to refuse your request. If so, will inform you if that is the case. To access, correct or erase your account information and preferences, or to access or amend Personal Information we hold about you, or for more information on your rights, or to exercise your other rights, please email 4YouandMe info@4youandme.org.

Please note that while any changes you make will be reflected in active user databases within a reasonable period of time, we may retain all Personal Information you submit for backups, archiving, prevention of fraud and abuse, analytics, satisfaction of legal obligations, or where we otherwise reasonably believe that we have a legitimate reason to do so.

You may also, of course, decline to share certain Personal Information with us, in which case we may not be able to provide to you some of the features and functionality of the App. You can prevent your device from sharing precise location information at any time through your device’s operating system settings.

Third-Party Apps

The App may contain features or links to websites and services provided by third parties. Any Personal Information you provide on third-party sites or services is provided directly to the operators of such services and is subject to those operators’ policies, if any, governing privacy and security, even if accessed through the App. We are not responsible for the content or privacy and security practices and policies of third-party sites or services to which links or access are provided through the App. We encourage you to learn about third parties’ privacy and security policies before providing them with Personal Information.

Children’s Privacy

Our App is not directed to children under the age of 18, and we do not knowingly collect Personal Information from children under the age of 18. If you learn that a child has provided us with Personal Information in violation of this Policy, please contact your study coordinator.

Data Security

We use certain physical, managerial, and technical safeguards that are designed to improve the integrity and security of Personal Information that we collect and maintain. Please be aware that no security measures are perfect or impenetrable. We cannot and do not guarantee that Personal Information about you will not be accessed, viewed, disclosed, altered, or destroyed by breach of any of our physical, technical, or managerial safeguards.

Our App may contain features or links to websites and services provided by third parties. Any information you provide on third-party websites or services is provided directly to the operators of such websites or services and is subject to those operators’ policies governing privacy and security, even if accessed via our App. We are not responsible for the content or privacy and security practices and policies of third-parties to which links or access are provided through the App or otherwise as part of the Study. We encourage you to learn about third parties’ privacy and security policies before providing them with your Personal Information.

International Data Transfers

We may transfer your Personal Information outside of the EEA and/or the UK and, in particular, to the United States (“U.S.”), where the App is hosted and where level of protection of Personal Information may be different than in your country. If we do so, we will comply with applicable data protection laws, for instance by relying on an EU Commission adequacy decision, rely on contractual protections for the transfer of your Personal Information, or on Binding Corporate Rules. We may also transfer your Personal Information from the U.S. to the other countries or regions specified in this Policy in accordance with the purposes listed above. Further details regarding the relevant safeguards can be obtained from us on request.

Changes and Updates to this Policy

Please revisit this page periodically to stay aware of any changes to this Policy, which we will update from time to time as required. If we modify this Policy, we will make it available through the App, and indicate the date of the latest revision. In the event that the modifications materially alter your rights or obligations hereunder, we will make reasonable efforts to notify you of the change. For example, we may send a message to your email address, if we have one on file, or generate a pop-up or similar notification when you access the App for the first time after such material changes are made. Your continued use of the App after the revised Policy has become effective indicates that you have read, understood and agreed to the current version of this Policy.

Contacts and Complaints

If you have any further questions, comments or complaints about this Policy, Personal Information we have collected or otherwise obtained about you, our use and disclosure practices, or to exercise your rights, please contact your study coordinator or contact us through the methods below. This is without prejudice to your right to lodge a complaint with the data protection supervisory authority in the UK or EU country in which you live or work where you believe we have infringed data protection laws.

About Us

4youandme is a nonprofit corporation having its principal place of business at 2901 3rd Ave, Suite 330, Seattle, Washington 98121, and is the data controller under the applicable data protection laws. If you have any questions, comments or concerns about this Policy, you may contact us by email at info@4youandme.org or by mail to:

4youandme
2901 3rd Ave
Suite 330
Seattle
Washington 98121
United States