Effective as of February 19, 2019
1. Personal data and information we collect from you
Personal data you provide to us
When you sign up to use the App, we may collect Personal Data about you such as:
- Full name;
- Email address;
- Date of birth;
- Place of residence;
When you use the App, you may choose to provide personal information about your health such as:
- Body temperature;
- Menstrual cycle dates;
- Symptoms related to your menstrual cycle;
- Location information;
- Other information about your health and activities (collectively, “Personal data”).
You will also have an option to permit us to import into the App data from third-party services such as Apple HealthKit and Google Fit, among others. Such imported information may include: sports activities, weight, calories burnt, heartbeat rate, number of steps/distance travelled, and other information about your health.
Information we collect automatically
When you access or use the App, we may automatically collect the following information:
- Device Information: We collect information about the mobile device you use to access the App, including the hardware model, operating system and version, unique device identifiers and mobile network information.
- Location Information: We collect your IP address, time zone, and information about your mobile service provider, which allows us to infer your general location.
- Information Collected by Cookies and Other Tracking Technologies: We use various technologies to collect information about your use of the App, such as frequency of use, which areas and features of our App you visit and your use patterns generally, engagement tracking with particular features, etc. To collect this information, we may send cookies to your mobile device or computer. Cookies are small data files stored on your hard drive or in device memory.
YOUR CONSENT. By creating a profile in the App, you explicitly consent that:
II. PERSONAL DATA YOU PROVIDE TO US THROUGH THE ACCOUNT CREATION PROCESS INCLUDES PERSONAL DATA YOU ENTER INTO THE APP, SUCH AS YOUR ACCOUNT DATA (E.G. YOUR NAME AND EMAIL ADDRESS), AND YOUR HEALTH DATA (E.G. BODY MEASUREMENTS, PHYSICAL ACTIVITY AND OTHERS). DEPENDING ON THE DATA YOU PROVIDE, IT MAY ALSO CONTAIN INFORMATION ABOUT YOUR GENERAL HEALTH (E.G. WEIGHT, BODY TEMPERATURE, AND OTHERS).
III. WE WILL NOT TRANSMIT ANY OF YOUR PERSONAL DATA TO THIRD PARTIES, EXCEPT IF IT IS REQUIRED TO PROVIDE THE SERVICE TO YOU (E.G. TECHNICAL SERVICE PROVIDERS), UNLESS WE HAVE ASKED FOR YOUR EXPLICIT CONSENT.
2. How we use your personal data and information
We may use your information, including your Personal Data, for the following purposes:
- to analyze, operate, maintain and improve the App, to add new features and services to the App;
- to customize content you see when you use the App;
- to provide and deliver the products and services you request, process transactions and send you related information, including confirmations and reminders;
- to customize product and service offerings and recommendations to you, including third-party products and offerings (except data from Apple HealthKit and Google Fit);
- to verify your identity;
- to send you technical notices, updates, security alerts and support and administrative messages;
- for billing (invoicing), account management and other administrative purposes, if applicable;
- to respond to your comments, questions and requests and provide customer service;
- to monitor and analyze trends, usage and activities in connection with our App;
- solely with respect to information that you mark for sharing, for Company promotional purposes (except data from Apple HealthKit and Google Fit);
- to link or combine with information we get from others or (and) from you to help understand your needs and provide you with better service (to use in training of neural networks, artificial intelligence, as well as for any other automated decision-making processing);
- for scientific and academic research purposes; and
3. Your rights
Modification, correction and erasure
You are able to modify, correct, erase, and update your Personal Data by writing us at firstname.lastname@example.org.
You have a right to access your Personal Data you insert into the App and ask us about what kind of Personal Data we have about you. You can do this by using the app settings or by writing us at email@example.com.
Individuals residing in the countries of the European Union have certain statutory rights in relation to their personal data introduced by the General Data Protection Regulation (the “GDPR”). Subject to any exemptions provided by law, you may have the right to request access to Personal data (including in a structured and portable form), as well as to seek to update, delete or correct Personal data:
- Access to your Personal Data and Data Portability. The App gives you the ability to access and update Personal Data within the App and your account settings. You shall have the right to request information about whether we have any Personal Data about you, to access your Personal data (including in a structured and portable form) by simply writing us at firstname.lastname@example.org.
- Erasure of your Personal Data. If you believe that your Personal Data is no longer necessary in relation to the purposes for which it was collected or otherwise processed, or in cases where you have withdrawn your consent or object to the processing of your Personal Data, or in cases where the processing of your Personal Data does not otherwise comply with the GDPR, you have the right to contact us and ask us to erase such Personal Data as described above. You can simply write us at email@example.com. Please be aware that erasing some Personal Data inserted by you may affect your ability to use the App and its features. Erasure of some Personal Data may also take some time due to technical reasons.
- Right to object to processing of your Personal Data. You can object to the processing of your Personal Data and stop us from processing it by writing us at firstname.lastname@example.org. Please be aware that erasing some Personal Data inserted by you may affect your ability to use the App and its features.
- Notice about automated decision-making. We use automated decision-making tools (e.g. neural networks) that process your Personal Data in order to provide you proper Services (for example, predictions of your cycle). Normally, such automated decision-making works more precisely, if you insert more Personal Data about your cycle, symptoms, physical activities that our neural networks can work with. Our neural networks process this information in order to track particular dependencies and correlations in your cycles and symptoms and provide you more personalized information about your cycle and its predictions.
- Notification requirements. We commit to notify you within a reasonable period of time and your data protection authority within the timeframe specified in applicable law (72 hours) about any personal data breaches in the App.
- Data Protection Authorities. Subject to GDPR, you also have the right to (i) restrict our use of Personal Data and (ii) lodge a complaint with your local data protection authority about any of our activities that you deem are not compliant with GDPR.
Please keep in mind that in case of a vague access, erasure, objection request or any other request in exercise of the mentioned rights we may engage the individual in a dialogue so as to better understand the motivation for the request and to locate responsive information. In case this is impossible, we reserve the right to refuse granting your request.
Following the provisions of GDPR we might also require you to prove your identity (for example, by requesting an ID or any other proof of identity) in order for you to invoke the mentioned rights, specifically if you exercise them in respect to special categories of Personal Data like data about health. This is done to ensure that no rights of third parties are violated by your request, and the rights described in this section are exercised by an actual Personal Data subject or an authorized person.
Please note that we will grant your request within 30 days after receiving it, but it may take us up to 90 days in some cases, for example for full erasure of your Personal Data stored in our backup systems - this is due to the size and complexity of the systems we use to store data.
4. Sharing your personal data and information
Among others we may share your Personal Data with the following third-party services:
- Fabric. We use Fabric, an analytics company and a Google subsidiary, to better understand your use of the App. For example, Fabric may use device identifiers that are stored on your mobile device and allow us to analyze your use of the App in order to improve our app features. Read more about Fabric. Read about Fabric privacy approach here.
- Facebook Analytics. We use Facebook Analytics tools to track installs of our App. Normally, Facebook collects only non-personally identifiable information, though some Personal Data like device identifiers (IDFA or Android advertising ID) may be transferred to Facebook. Read more about analytical services provided by Facebook here. You can find its data practices in ‘Privacy’ sections.
- Google Analytics and Google Analytics for Firebase. We utilize Google Analytics and Google Analytics for Firebase to track installs of our App. Normally, Firebase and Google collect only non-personally identifiable information, though some Personal Data like device identifiers may be transferred to Google Analytics for Firebase and Google Analytics. Read more about analytical services provided by Google here and Firebase here. You can find their data practices in ‘Privacy’ sections.
- Facebook Lookalike Audiences. For the data received from all users from non-EU countries we utilize a Facebook advertising service called “lookalike audiences” to identify potential new Flo users on Facebook based on the information from the existing Flo users. We use the service to identify people on Facebook who might like Flo in the same way as our current users do. For this purpose, we share the following information with Facebook: your IDFA or Android advertising ID, number of payments made in the App, data on passing the onboarding screen, completing registration in the App, subscribing, starting a trial period, information on whether the user got acquainted with the paywall screen.
- Pinterest. Pinterest is a popular social network. We utilize its targeting features for all our non-EU users. Our goal is to reach more people on Pinterest like our users interested in our App. We may send to Pinterest the following data: your email address, IDFA or Android advertising ID, number of payments made in the App. Read more about Pinterest targeting services here and about its privacy approach here.
- Google ads. We utilize Google ads in order to place advertisement and attract new users. For this purpose, we share only the following data from our non-EU users with Google: your IDFA or Android advertising ID, number of payments made in the App. Find more about Google ads here and privacy in Google ads here.
- Searchadshq. Searchadshq helps us to optimize our marketing campaigns and make them more effective. For this purpose, we share only the following data from our non-EU users with Searchadshq: your IDFA or Android advertising ID, number of payments made in the App. Learn more about Searchadshq here and its privacy practices here.
- Mytarget. Mytarget is an advertising platform provided by Mail.Ru Group. It helps us to reach a broader audience. For this purpose, we share only the following data from our non-EU users with Mytarget: your IDFA or Android advertising ID, number of payments made in the App. Please find more about Mytarget here and its privacy approach here.
- Flurry. Flurry is a Yahoo! subsidiary and analytical platform we use in order to analyze different use trends in our App. We may share certain non-identifiable information about you and some Personal Data (but never any data related to health) with Flurry. See more about Flurry.
2. Aggregated Information. We may also share aggregated, anonymized or de-identified information, which cannot reasonably be used to identify you. For example, we may share, including, without limitation, in articles, blog posts and scientific publications, general age demographic information and aggregate statistics about certain activities or symptoms from data collected to help identify patterns across users.
4. Information Posted by User. The App features several community areas and other public forums where users with similar interests or medical conditions can share information and support one another or where users can post questions for experts to answer. We also offer online discussions which may be moderated by healthcare experts. Our communities are open to [the public/the App community] and should not be considered private.
Any information (including Personal Data) you share in any online community area or online discussion is by design open to the public and is not private. You should think carefully before posting any Personal Data in any public forum. What you post can be seen, disclosed to, or collected by third parties and may be used by others in ways we cannot control or predict, including to contact you for unauthorized purposes. As with any public forum on any site, the information you post may also show up in third-party search engines.
If you mistakenly post Personal Data in our community areas and would like it removed, you can send us an email as listed below to request that we remove it. In some cases, we may not be able to remove your Personal Data, e.g. for technical reasons.
If we receive Personal Data subject to our certification under the Privacy Shield and then transfer it to a third-party service provider acting as an agent on our behalf, we have certain liability under the Privacy Shield if both (i) the agent processes the Personal Data in a manner inconsistent with the Privacy Shield and (ii) we are responsible for the event giving rise to the damage.
5. Retention of your personal data
You should be aware that we may retain certain Personal Data and other information after your account has been terminated in an aggregated, anonymized form. Any posts or comments you submit may remain visible if and after you delete your account. We are not obligated to remove your posts or comments. We reserve the right to use your information in any aggregated data collection after you have terminated your account, however we will ensure that the use of such information will not identify you personally. We will also retain your Personal Data as necessary to comply with legal obligations, resolve disputes and enforce our agreements.
If you remove data from your account, you will no longer see it in the App, but some backups of the data may remain in our archive servers for a reasonable period of time due to technical solutions we use. However, we undertake to delete any such backups within a reasonable period of time.
If you choose to delete the App or deactivate your account, we retain your Personal data for as long as your account is active and a reasonable period thereafter in case you decide to re-activate the Services. We also retain some of your information as necessary to comply with our legal obligations, to resolve disputes, to enforce our agreements, to support business operations, and to continue to develop and improve our Services. Where we retain information for Service improvement and development, we take steps to eliminate information that directly identifies you, and we only use the information to uncover collective insights about the use of our Services, not to specifically analyze personal characteristics about you.
6. Personal data you elect to share with third parties
We take reasonable steps in order to ensure compliance of such third parties with any applicable laws that might govern processing of your Personal Data. For example, for the EU residents’ Personal Data we make reasonable efforts to ensure that such third parties are GDPR compliant and have GDPR compliant privacy policies in place.
We take all reasonable and appropriate measures to protect all collected Personal Data from loss, theft, misuse and unauthorized access, disclosure, alteration and destruction, taking into account the nature of the Personal Data that we process and risks associated with special categories of Personal Data we collect (information about health). Among others, we utilize the following information security measures to protect your Personal Data:
- Pseudonymization and tokenization of certain categories of your Personal Data;
- Encryption of your Personal Data in transit and at rest;
- Systematic vulnerability scanning and penetration testing;
- Protection of data integrity;
- Organizational and legal measures. For example, our employees have different levels of access to your Personal Data and only those in charge of data management get access to your Personal Data and only for limited purposes required for the operation of the App. We impose strict liability on our employees for any disclosures, unauthorized accesses, alterations, destructions, misuses of your Personal Data.
- Conducting periodical data protection impact assessments in order to ensure that the App fully adheres to the principles of ‘privacy by design’, ‘privacy by default’ and others. We also commit to undertake a privacy audit in case of Company’s merger or takeover.
We process information in a way that is compatible with and relevant for the purpose for which it was collected. To the extent necessary for those purposes, we take reasonable and appropriate steps to ensure that any information in our care is accurate, complete, current and reliable for its intended use.
8. Children’s privacy
General age limitation. We are committed to protecting the privacy of children. The App is not intended for children and we do not intentionally collect information about children under 13 years old. The App does not collect Personal Data from any person the Company actually knows is under the age of 13. If you are aware of anyone under 13 using the App, please contact us at email@example.com and we will take required steps to delete such information and (or) delete her account.
Age limitation for EU residents. Due to requirements of the GDPR you shall be at least 16 years old in order to use the App. To the extent prohibited by applicable law, we do not allow use of the App by the EU residents younger than 16 years old. If you are aware of anyone younger than 16 using the App, please contact us at firstname.lastname@example.org and we will take steps to delete such information and (or) delete her account.
9. Third party links
10. Email Communications
We may contact you from time to time via email to communicate with you about products, services, offers, promotions, rewards, and events offered by us and others, and provide news and information that we think will be of interest to you. You can always opt out of receiving emails by unsubscribing via the “Unsubscribe” link contained in the email. Opting-out of these emails will not end transmission of important service-related emails that are necessary to your use of the App. If applicable laws prescribe so, certain exclusions may apply to the residents of some countries regarding an active opt-in for any email communications from us. We may ask such users at the registration screen to provide their consents for any such communications.
11. International personal data transfers. Privacy shield notice
General. The Company is based in the United States and the information we collect is governed by U.S. law. Please be advised that U.S. law and laws of other countries may not offer the same protections as the law of your jurisdiction.
In addition, you agree that information collected through the App may be stored and processed in Canada, where the Company rents servers, or in any other country in which the Company or its affiliates, subsidiaries or agents maintain facilities, and by using the App, you consent to any such transfer of information outside of your country.
EU and Swiss residents. Please bear in mind that we may transfer your Personal Data to the United States, whose data protection is not deemed adequate under applicable data protection law.
1. Complaints and Dispute Resolution. In compliance with the Privacy Shield Principles, we commit to resolve complaints about our collection or use of your personal information. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact us at dpo@flo.health or at our mailing address:
Flo Health Inc. 1013 Centre Road, Suite 403‑B Wilmington, DE 19805
We have further committed to refer unresolved Privacy Shield complaints to JAMS, an alternative dispute resolution provider located in the United States. If you do not receive timely acknowledgment of your complaint from us, or if we have not addressed your complaint to your satisfaction, please contact or visit the following link for more information or to file a complaint. The services of JAMS are provided at no cost to you.
2. Arbitration. You may also be able to invoke binding arbitration for unresolved complaints but prior to initiating such arbitration, a resident of a European country participating in the Privacy Shield must first: (1) contact us and afford us the opportunity to resolve the issue; (2) seek assistance from JAMS; and (3) contact the U.S. Department of Commerce (either directly or through a European Data Protection Authority) and afford the Department of Commerce time to attempt to resolve the issue. If such a resident invokes binding arbitration, each party shall be responsible for its own attorney’s fees. Please be advised that, pursuant to the Privacy Shield, the arbitrator(s) may only impose individual-specific, non-monetary, equitable relief necessary to remedy any violation of the Privacy Shield Principles with respect to the resident. The arbitration option may not be invoked if the individual’s same claimed violation of the Principles (1) has previously been subject to binding arbitration; (2) was the subject of a final judgment entered in a court action to which the individual was a party; or (3) was previously settled by the parties.
3. U.S. Federal Trade Commission Enforcement. Our Privacy Shield compliance is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC).
12. Data protection officer
To communicate with our Data Protection Officer, please email us at dpo@flo.health.
13. Contact us
Flo Health Inc.
1013 Centre Road, Suite 403‑B Wilmington, DE 19805
Our EU representative:
Office 902, Oval, Krinou 3, Ayios Athanasios, 4103, Limassol, Cyprus