Privacy Policy
PRIVACY NOTICE
We are Reverse Rett (a private limited company registered with company number: 07278507) (Reverse Rett, we, us, our). Our registered office is located at Suite 1F, Statham Link, Lancastrian Office Centre, Talbot Road, Manchester, M32 0FP. We are committed to protecting the privacy and security of the personal data of users of our App (Users) when they create an account (User Personal Data), and the personal data of the person who has been diagnosed with Rett Syndrome in respect of whom the User has parental responsibility (the Patient) (Patient Personal Data).
This Privacy Notice describes how we collect, use and look after the User Personal Data and Patient Personal Data and sets out both the User’s, the Patient’s and a Guardian’s rights.
1 Important information
1.1 This Privacy Notice supplements the other notices and terms published on our App (including our App terms and conditions (the Terms)) and is not intended to override them.
1.2 Reverse Rett is the controller of, and responsible for, the User Personal Data and Patient Personal Data.
1.3 For further assistance in understanding this Privacy Notice, we have set out in the Schedule a glossary of terms used in this Privacy Notice, examples of types of personal data we collect, how we use it, the lawful basis for processing such data and further details of the User’s, the Patient’s and a Guardian’s rights.
1.4 [NAME OF DPO] is our data protection officer (DPO), who shall be able to answer any questions regarding this Privacy Notice or how to exercise the User’s, the Patient’s or a Guardian’s legal rights. Please contact our DPO in writing, at:
Email: [ ]
1.5 Both the User, the Patient and a Guardian have the right to make a complaint at any time to the ICO (www.ico.org.uk). We would, however, appreciate the chance to deal with any concerns before they are referred to the ICO, so please contact our DPO in the first instance.
1.6 Our App is not intended for use by children, however, when the User creates an Account within our App and submits the required information and data in relation to the Patient, we will need to process the Patient Personal Data (which may include sensitive personal data) to provide the services and facilities available via our App (the Reverse Rett Services).
1.7 It is important that the data we hold about both the User and the Patient is accurate and current, therefore please keep us informed of any changes to either the User Personal Data or Patient Personal Data.
2 The data we collect about the User and the Patient
2.1 We may collect, use, store and transfer the types of personal data about the User and the Patient listed in Part 1 of Schedule 1.
2.2 We also collect, use and share aggregated data. However, if we combine aggregated data with the User Personal Data or Patient Personal Data so that it can directly or indirectly identify the User or the Patient (as applicable), we treat this as the User’s personal data or Patient’s personal data (as applicable).
2.3 We collect special categories of personal data. Due to the nature of the Reverse Rett Services, we collect sensitive personal data of the Patient, including their medical history, and current medical conditions. The exemptions we rely upon to process such special categories of personal data are set out in Part 2 of Schedule 1.
3 How personal data is collected
We collect personal data in the following ways:
Direct interactions The User provides the User Personal Data by registering for an Account on our App, responding to us in respect of a survey, creating or responding to a blog or post accessible via the forum functions provided by our App, or by otherwise corresponding with us (by message on our App, post, phone or email).
The User provides the Patient Personal Data by registering for an Account on our App, providing the Patient Personal Data as part of the Patient Record, or by providing us with further Patient Personal Data from time to time in relation to any clinical trial they are eligible in respect of.
Automated technology We automatically collect personal data (technical and usage) when you browse or interact with our App, by using cookies, server logs and other similar technologies. Please see our Cookies Policy for further details.
Third parties We may receive personal data from analytics providers and our suppliers such as App support and maintenance providers.
4 How we use the User Personal Data and Patient Personal Data
4.1 We will only use the User Personal Data and the Patient Personal Data when the law allows us to. Most commonly, we will the User Personal Data and the Patient Personal Data:
• to perform the contract we are to enter into or have entered into with the User in order to provide the use of our App;
• to conduct the Trial Matching Service and identify clinical trials that the Patient may be eligible to take part in where the User has provided their explicit consent in respect of the same;
• to comply with a legal obligation; and
• where it is necessary to carry out our legitimate interests (or those of a third party) and the User’s/Patient’s fundamental rights do not override those interests.
4.2 Part 2 of Schedule 1 sets out the lawful basis we will rely on to process the User Personal Data and Patient Personal Data.
4.3 Please note that we may process the User Personal Data and Patient Personal Data for more than one lawful ground depending on the specific purpose for which we are using such data.
4.4 As part of the Reverse Rett Services, we provide the ability to submit information in relation to the Patient in an easily accessible form (the Patient Record). The following information in relation to the Patient contained within the Patient Record is stored within our App, however, is for the User’s information purposes only and is not visible to any members of Reverse Rett or any third party:
4.4.1 current health conditions contained in the Rett syndrome health checklist and other symptoms;
4.4.2 current medications and treatment;
4.4.3 medical history including previous surgeries and hospital admissions; and
4.4.4 preferred or current equipment or facilities to aid their treatment and care.
4.5 When reviewing the Patient Personal Data in order to identify a potential match with a clinical trial, we process the following personal data in respect of the Patient:
4.5.1 MECP3 test information (if any);
4.5.2 preferred method of being administered food or drink;
4.5.3 weight;
4.5.4 medication;
4.5.5 details of any long QT syndrome; or
4.5.6 other information which we require to provide the Reverse Rett Services.
4.6 Marketing
4.6.1 Generally, the User will only receive marketing communications from us if they have provided their consent to receive marketing communications and have not opted out of receiving marketing communications, unsubscribed from our mailing list or withdrawn their consent.
4.6.2 We will not share the User Personal Data or Patient Personal Data with third parties for their marketing purposes.
4.6.3 How to opt out – The User can opt out of email marketing by clicking the unsubscribe button within the particular marketing email. Consent to receiving marketing communications can also be withdrawn by asking us to be removed from our mailing list at any time by contacting us.
4.6.4 Should the User opt out of receiving marketing communications, we may still use the User Personal Data or Patient Personal Data for other purposes provided we have a lawful basis to do so.
4.7 Change of purpose
4.7.1 We will only use the User Personal Data and Patient Personal Data for the purpose that we originally collected it for, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
4.7.2 If we need to use the User Personal Data and Patient Personal Data for an unrelated purpose, we will notify the User and we will explain the legal basis which allows us to use the User Personal Data and Patient Personal Data in this manner.
4.7.3 We may process the User Personal Data and Patient Personal Data (without the User and/or Patient’s knowledge or consent) where this is required or permitted by law.
5 Disclosure of the User Personal Data and Patient Personal Data
5.1 Where a match with a clinical trial is made:
5.1.1 we will share the User Personal Data with the relevant third party when the User has provided their explicit consent for us to do so; and
5.1.2 once the User has confirmed that they wish for the Patient to take part in such clinical trial, we will share the Patient Personal Data with the relevant third-party clinical trial provider where the User has provided their explicit consent for us to do so.
5.2 Such third-party clinical trial provider will use the User Personal Data and Patient Personal Data in accordance with their own privacy policy, and we have no control over such use.
6 International transfers
6.1 We do not transfer any User Personal Data or Patient Personal Data outside of the UK.
7 Data security
7.1 We have put in place appropriate security measures to prevent the User Personal Data and the Patient Personal Data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We limit access to the User Personal Data and the Patient Personal Data to those employees, agents, contractors and other third parties who have a business need to know and they can only process the User Personal Data and the Patient Personal Data on our instructions and are to be subject to a duty of confidentiality.
7.2 We have procedures in place to deal with any suspected personal data breach and will notify the User and any applicable regulator of a breach where we are legally required to do so.
8 Data retention
8.1 We will only retain the User Personal Data and the Patient Personal Data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
8.2 We may update our data retention practices from to time and the User or Patient can request details by contacting us. However, we are legally required to keep basic information about our users (including contact, identity, financial and transaction data) for six years after the end of the tax year in which they cease being users, for tax purposes.
8.3 We may also anonymise the User Personal Data and the Patient Personal Data (so that it can no longer be associated with the User or Patient (as applicable)) for research or statistical purposes. Anonymised data may be used indefinitely without further notice to the User or the Patient (as applicable).
9 The User, the Patient’s and a Guardian’s legal rights
9.1 The User and the Patient have rights in certain circumstances under data protection law. Additionally, we acknowledge that where the Patient is unable to exercise these rights for him or herself, a Guardian is permitted to exercise these rights on the Patient’s behalf where to do so is in the best interests of the Patient.
9.2 The rights of the User, the Patient and a Guardian are set out in full in Part 3 of Schedule 1. The User, the Patient or a Guardian can contact us should they wish to exercise such rights.
9.3 Neither the User, the Patient nor a Guardian will be required to pay a fee to exercise any of their rights. However, if a request is clearly unfounded, repetitive or excessive, we may charge a reasonable fee for this information or refuse to comply with such request. We may also refuse to comply with a request from a Guardian where we have evidence that to comply with such request would not be in the best interests of the Patient.
9.4 We may request specific information from the User, the Patient or a Guardian to help us confirm the User’s, Patient’s, or a Guardian’s (as applicable) identity. This is a security measure to ensure that personal data is not disclosed to any person who does not have the right to receive it.
9.5 We try to respond to all legitimate requests within one month. Occasionally, it may take us longer than a month if a request is particularly complex or the User, Patient or Guardian has made a number of requests. In this case, we will notify the User, Patient or Guardian (as applicable) and keep them updated.
10 Updates
10.1 We may change this Privacy Notice from time to time by updating this page. Please check it regularly to ensure you are aware of any changes.
This Privacy Notice was last updated in November 2021.
Schedule 1
Part 1 Types of personal data
Contact data Email address, telephone number.
Identity data The User’s first name, last name, [ethnicity] and relationship to your dependant.
The Patient’s first name, last name, ethnicity, and age.
Sensitive Personal Data The Patient’s medical history, current medication, MECP3 test information (including whether the Patient has been tested, their result and specific genetic mutation), and current health conditions.
Marketing and communication data The User’s preferences in receiving marketing from us.
Profile data The User’s [username] , email address, password, feedback and survey responses.
Technical data Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices the User uses to access our App.
Part 2 Lawful basis for processing and processing activities
The lawful basis upon which we may rely on to process the User Personal Data and the Patient Personal Data are:
Consent The User has given their express consent for us to process the User Personal Data and the Patient Personal Data for a specific purpose.
Contract The processing is necessary for us to perform our contractual obligations with the User under our contract, or because the User has asked us to take specific steps before entering into a contract with them.
Legal obligation The processing is necessary for us to comply with legal or regulatory obligation.
Legitimate interests The processing is necessary for our legitimate interest e.g. in order for us to provide the best service via our App we are required to process the User Personal Data.
The processing is necessary for a third party’s legitimate interest, e.g. the User’s legitimate interest as an individual with parental control of the Patient, in accessing potential treatment and medicine for the Patient in respect of Rett Syndrome.
Before we process the User Personal Data or the Patient Personal Data on this basis we make sure we consider and balance any potential impact on the User or the Patient (as applicable), and we will not use the User Personal Data or Patient Personal Data on this basis where such impact outweighs our interest.
The exemptions we rely upon to process special categories of the User Personal Data and the Patient Personal Data are:
Processing is necessary for the purposes of preventative medicine, provision of health care or treatment The processing of the Patient Personal Data is necessary for the purpose of the potentially preventative medicine and/or provision of health care or treatment available via the clinical trials.
We rely upon this exemption (available under Article 9(2)(h) of the UK GDPR) in accordance with the further requirements of Article 9(3) of the UK GDPR: the Patient Personal Data is processed by or under the responsibility of a professional who is subject to the obligation of professional secrecy and confidentiality. Such professionals in this instance are health professionals who are subject to professional obligations of patient confidentiality.
Set out below are specific details of the processing activities we undertake with the User Personal Data and the Patient Personal Data and the lawful basis for doing this.
Purpose/Activity Type of data Lawful basis for processing
To register the User’s account within our App Identity, contact, profile and contact (i) to perform our contract with the User.
To provide our App and the Reverse Rett Services to the User Identity, contact, profile and marketing and communications (i) to perform our contract with the User.
To provide the Trial Matching Service Identity, contact, sensitive personal data, (i) to perform our contract with the User;
(ii) as necessary to process the Patient Personal Data in order to identify a clinical trial the Patient is eligible for, and where the User has provided their consent on the Patient’s behalf to take part in such clinical trial.
To manage our relationship with the User, notify the User about changes to our Terms or Privacy Notice and ask the User to leave a review or take a survey. Identity, contact, profile and marketing and communications (i) to perform our contract with the User;
(ii) as necessary to comply with a legal obligation;
(iii) as necessary for our legitimate interests in keeping our records updated and analysing how users use our App and the Reverse Rett Services.
To administer and protect our business and our App (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data). Identity, contact and technical (i) as necessary for our legitimate interests in running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise;
(ii) as necessary to comply with any legal obligations.
To deliver relevant App content to the User and measure or understand the effectiveness of the Reverse Rett Services and/or our App Identity, contact, profile, marketing and communications and technical (i) as necessary for our legitimate interests in studying how users use, and how to develop, the Reverse Rett Services and our App.
To use data analytics to improve our App, Reverse Rett Services, user relationships and experiences. Technical (i) as necessary for our legitimate interests to define the types of users for the Reverse Rett Services, and to keep our App updated and relevant.
Part 3 The User’s, Patient’s and Guardian’s rights
• The User has certain legal rights in respect of the User Personal Data;
• The Patient has certain legal rights in respect of the Patient Personal Data; and
• Both the User and a Guardian has certain legal rights in respect of the Patient Personal Data.
A summary of the above rights are set out in the below table (in respect of either the User Personal Data or Patient Personal Data as applicable):
Access your data The User, the Patient or a Guardian can ask for access to and a copy of the User Personal Data or Patient Personal Data (as applicable) and can check we are lawfully processing it.
Correction The User, the Patient or a Guardian can ask us to correct any incomplete or inaccurate personal data we hold about the User or the Patient (as applicable).
Erasure The User, the Patient or a Guardian can ask us to delete or remove the User Personal Data or Patient Personal Data (as applicable) where:
(a) there is no good reason for us continuing to process it;
(b) the User, Patient or Guardian (as applicable) has successfully exercised their right to object (see below);
(c) we may have processed the User Personal Data or Patient Personal Data unlawfully; or
(d) we are required to erase the User Personal Data or Patient Personal Data to comply with local law.
We may not always be able to comply with a request for specific legal reasons, which will be notified to the User, Patient or Guardian (as applicable) at the time of their request.
Object The User, the Patient or a Guardian can object to the processing of the User Personal Data or Patient Personal Data (as applicable) where:
(a) we are relying on our legitimate interest (or those of a third party) as the basis for processing the User Personal Data or Patient Personal Data, if the User, Patient or Guardian feel it impacts on the User’s or Patient’s (as applicable) fundamental rights and freedoms;
(b) we are processing the User Personal Data or Patient Personal Data for direct marketing purposes.
In some cases, we may demonstrate that we have compelling legitimate grounds to process the User Personal Data or Patient Personal Data which overrides the User’s or Patient’s (as applicable) rights and freedoms and in such circumstances, we can continue to process the User Personal Data or Patient Personal Data for such purposes.
Restrict processing The User, the Patient or a Guardian can ask us to suspend or restrict the processing of the User Personal Data or Patient Personal Data, if:
(a) the User, the Patient or a Guardian wants us to establish the accuracy of the User Personal Data or Patient Personal Data (as applicable);
(b) our use of the User Personal Data or Patient Personal Data is unlawful, but the User, the Patient or a Guardian does not want us to erase it;
(c) the User, the Patient or a Guardian needs us to hold the User Personal Data or Patient Personal Data (as applicable and where we no longer require it) as the User, the Patient or a Guardian needs it to establish, exercise or defend legal claims; or
(d) the User, the Patient or a Guardian has objected to our use of the User Personal Data or Patient Personal Data (as applicable) but we need to verify whether we have overriding legitimate grounds to use it.
Request a transfer The User, the Patient or a Guardian can request a transfer the User Personal Data or Patient Personal Data (as applicable) which is held in an automated manner and which the User, the Patient or a Guardian (as applicable) provided their consent for us to process such personal data or which we need to process to perform our contract with the User or a third party. We will provide the User Personal Data or Patient Personal Data in a structured, commonly used, machine-readable format.
Withdraw your consent The User can withdraw their consent for the processing of the User Personal Data and consent for the processing of the Patient Personal Data at any time (where we are relying on consent to process the User Personal Data or Patient Personal Data). This does not affect the lawfulness of any processing carried out before the User withdrew their consent.
Part 4 Third Parties
Service providers Acting as processors who provide IT and system administration services.
Clinical Trial providers Acting as controllers of personal data who provide the clinical trials.
Professional advisors Acting as processors or controllers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
Other third parties Such third parties whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use the User Personal Data or Patient Personal Data in the same way as set out in this Privacy Notice.
Part 5 Glossary
Aggregated data Information such as statistical or demographic data which may be derived from personal data but which cannot by itself identify a data subject.
Controller A body that determines the purposes and means of processing personal data.
Data subject An individual living person identified by personal data (which will generally be you or your dependant).
Guardian An individual with parental responsibility for the Patient.
ICO Information Commissioner’s Office, the UK supervisory authority for data protection issues.
Personal data Information identifying a data subject from that data alone or with other data we may hold but it does not include anonymised or aggregated data.
Processor A body that is responsible for processing personal data on behalf of a controller.
Special categories of personal data Information about race, ethnicity, political opinions, religious or philosophical beliefs, trade union membership, health, genetic, biometric data, sex life and sexual orientation.
.