Zevo Health Privacy Policy

Effective Date: Aug 17, 2020

Your privacy is very important to us. Before we get to the details, check out our Privacy Label to see a summary of our privacy practices.

Privacy label

Collection and Sale of Data

Do we sell your personal information? No
Do we share your data with third party API partners? No
Do we share aggregate information with employers? Yes
Do we use sensitive categories of data, like health information? Yes, but only with your explicit consent
Do we use your contact list if you allow us access? No
Do we delete your data when you request account deletion? Yes
Do we retain your data for as long as we need it unless you request deletion? Yes

Privacy Tools and Controls

Can you control who sees your activity and content? Yes
Can you control who sees your location-based activity? Yes
Can you request download and deletion of your data? Yes

Tracking

Do we track your device location to provide Zevo Services to you? No
Do we track your device location while you are not using the app? No
Do we use cookies? Yes
Do we track your browsing activities on other sites? No
Do we listen to you using your device microphone? No

Communication

Do we give you advance notice when we make important changes to our Privacy Policy? Yes
Do we send you marketing communications with opt-out? Yes, once you have opted in
Do we use push notifications with opt-out? Yes

Privacy Policy

Introduction

Our privacy policy (the “Privacy Policy”) explains the information we collect, how we use and share it, how to manage your privacy controls and your rights in connection with our websites and the related mobile applications and services (collectively, the “Services”). Please also read our Terms of Service which sets out the terms governing the Services.

Zevo Health (Zevo) is headquartered in Dublin, Ireland and our Services are provided to you by The Healthiest workplace. In the case of our mobile or desktop application  (the “Applications”) users, Zevo and/or its subsidiary companies has entered into an agreement with your employer to provide services and/or grant you access to the application (the “Employer Agreement”), and your employer is the data controller of your personal data. We will process your personal data on behalf of your employer in accordance with its lawful instructions. The information you provide to us and/ or upload to the application (whether it constitutes personal data or not) will be governed by the Employer Agreement. References in this policy to “your employer” shall refer to the entity who has entered into the Employer Agreement with us, whether or not as a matter of law you are an employee, consultant or contractor of that entity, and such references are not intended to characterize or prejudice your status vis-à-vis that entity.

In the case of Marketing Contacts, we are the data controller in respect of your personal data. We are also the data controller in respect of contact information for each client contact which we hold for account and contract management purposes, including for contract queries and billing purposes.

This policy was written in English. To the extent a translated version conflicts with the English version, the English version should take prcedence. Unless indicated otherwise, this Privacy Policy does not apply to third-party products or services or the practices of companies that we do not own or control, including other companies you might interact with on or through the Services.

Questions or comments about this Privacy Policy may be submitted by mail to the address below or via email.

Zevo Health
Huckletree
42 Pearse Street
Dublin 2
dpo@zevohealth.com

 

Information Zevo Collects

Zevo collects information about you, including information that directly or indirectly identifies you, if you or your other users choose to share it with Zevo. We receive information in a few different ways through the use of our  Services. Zevo also collects information about how you use the Services. These are outlined below.

Account and Profile Information

We collect basic account information such as your name, email address, date of birth, gender, username and password that helps secure and provide you with access to our Services. Additional personal information is collected about you when you choose to upload a profile picture. We use profile contact information so we can respond to your support requests and comments.

Usage Information

When you use the Applications, we will keep a record of the details of that usage, including the date, time, location, frequency and duration of the usage. We gather information from the surveys, photos, posts, comments, likes, ratings, reviews and other content you share on the Services, including when you participate in groups or challenges. Other information about your use of the Applications, including the screens you have viewed, the duration spent on the Applications and data files you have uploaded to the Applications. We are not responsible for the information you choose to make public in any of the community networking features available on or through the Service.

We may also collect information about you from other members such as when they give you kudos or comment on your activities.

Connected Devices and 3rd parties

If you link your Zevo account to other ‘fitness trackers’ and share your activities, they will be viewable on such third-party platforms, including your location information. You should use caution when sharing information via third parties and you should carefully review the privacy practices of such third parties. We may receive or collect information about you from third parties and combine and store it on our servers with other information we may have already received or collected from you. These third-party ‘trackers’ include Garmin, Samsung, Apple, Strava, FitBit, and Google. This information will be used by Zevo solely for displaying your own personal dashboard and challenge leader board standings and is limited to steps, distance, and calories. Zevo will never share any data with one of these 3rd party processors.

3rd party trackers collect exercise information from devices and apps you connect to them. For example, you may connect your Garmin watch to Garmin Connect and information from these devices and apps will be passed along to Zevo. Zevo is not responsible for and will assume no liability, if a business partner or other entity collects, uses, or shares any information about you in violation of its own privacy policy or any applicable laws, rules, or regulations.

We will also store any exercises you manually record or challenges you take place in. However we will not at any time record location information with the exception of when you record an exercise session through the application.

From time to time we will  work with vetted 3rd party service providers. Please remember that your browsing and interaction on any third-party website, service or application, including those that have a link or advertisement on our dite, are subject to that third party’s own rules, policies, and practices, and not our privacy policy.

Training, Workshop or Counselling sessions will be conducted via the online platform Zoom. You will need to access Zoom facilities on your computer or phone which is free to download and set up a user name. Zoom conversations are encrypted. We will send you our Zoom contact details that we use for attendance. for specific questions about that platform you should refer to the Zoom Privacy Statement .

Health Information

Zevo may collect or infer health information. Certain health information may be inferred from sources such as calories burned or other measurements, including height, age, and weight or other indicators. Before you can upload health information to Zevo, you must give your explicit consent to the processing of that health information by Zevo by accepting our Privacy Policy. You can withdraw your consent to Zevo processing your health information at any time.

Payment Information

After you place an order on our website you will need to make payment for the Services you have ordered. In order to process your payment, we use Stripe, a third-party payment processor. Your payment will be processed by Stripe, who collect, use and process your information, including payment information, in accordance with their privacy policies. You can access their privacy policy via the following link: https://stripe.com/ie/privacy

Stripe’s services in Europe are provided by a Stripe affiliate—Stripe Payments Europe Limited (“Stripe Payments Europe”)—an entity located in Ireland. In providing Stripe Services, Stripe Payments Europe transfers personal data to Stripe, Inc. in the US. For further information about the safeguards used when your information is transferred outside the European Economic Area, see the section of this privacy policy below entitled Transfers of your information outside the European Economic Area.

Technical Information and Log Files

As is true of many internet-enabled services, Zevo may collect certain non-personally identifiable technical information using log files and servers. Web and application servers create log files automatically as part of their setup and configuration. Information in a log file may include IP address, browser type, Internet service provider, date/time stamps, MAC address, file requested, and other usage information and statistics.

We collect information from your browser, computer, or mobile device, which provides us with technical information when you access or use the Services. This technical information includes device and network information, cookies, log files and analytics information. The Services use log files. The information stored in those files includes IP addresses, browser type, internet service provider (ISP), referring/exit pages, platform type, date/time stamp, and the number of clicks. This information is used to analyze trends, administer, protect and secure the Services, track member movement in the aggregate, and gather broad demographic information for aggregate use. IP addresses may be linked to session IDs, client IDs, and device identifiers.

We work closely with third parties (including, for example, business partners, other companies within our group, subcontractors and analytics providers) and may receive information about you from them.  Details of third party providers are set out in the section below entitled “Disclosure Of Your Information”.

Employers

If you are a client user (using the Platform as a representative of your employer), we may obtain further information about you from your employer, for example, to verify your eligibility to access and use the Platform; Any comments, opinions and/or feedback you provide to us regarding the Platform. During any trial period that you may participate in or thereafter, your employer will be asked to show that consent has been given for the sharing of your information. This information may include your name, age, company email address, company telephone number, job title, level of seniority, department, work start date, salary and primary office location; otherwise in the course of your employer’s use of the Applications.

Marketing Contacts

For Marketing Contacts, we will collect and process personal data that you provide us when you complete an inquiry via a website or register for a trial or otherwise contact us to request information about our products and services.  We will typically obtain contact information such as your name, employer, email address and work telephone number.  We may also receive further personal data about you which is publicly available, such as your seniority, years of experience and employment history and similar work-related background, from third-party service providers who provide contact enrichment and lead generation services to us. We shall also store and process data relating to your communications with us and your responses to our marketing emails and attendance at our events.

Disclosure and additional uses of your information

Using the information, we collect, we can deliver the service to you and honour our terms of the contract with you or your employer. For example, we need to use your information to provide you with a dashboard for tracking your exercise, activity and other trends; to enable the community features of the services, and to give you customer support. other cases may include;

  • Contact you for your feedback on our Services and to help us evaluate and improve our Services, for example by acting on any information you have provided to us.
  • Notify you about changes to the Applications and any other services of ours that you use, including informing you about new versions of the Applications and about new features, functionality and service offerings.
  • Deal with any enquiries, correspondence, concerns or complaints you have raised, or that have been raised by or concerning third parties involving you and any issues caused by your use of the Applications. This includes 3rd party fitness trackers.

How Zevo Uses Your Information

Zevo uses the information we collect and receive to operate the Services and to customize them for you. We also use the information we collect to process payments, provide support related to the Services, protect members and enforce our Terms of Service, promote safety, and to communicate with you (including to send marketing and push communications) where you have not opted out of receiving such messages and notifications.

We also use the information we collect to analyze, develop and improve the Services. To do this, Zevo may use third-party analytics providers to gain insights into how our Services are used and to help us improve the Services.

In relation to the Applications, features & functionality Zevo decides the means and purposes of the processing. However, in terms of the interface with you as an employee, your employer may make decisions about data collection and processing depending on the terms of use agreed within the relevant contracts they have with both Zevo and yourself. In addition, other entities who purchase licenses for the application may also act as joint controllers vis-à-vis Zevo and your employer based on that contract.

Please note that Zevo will not undertake any analysis via the application by specific reference to any special categories of personal data (including racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health data, wellbeing data, sex life or sexual orientation) unless this has been expressly requested or configured by your employer. Where this is the case, it is your employer’s responsibility to ensure they have obtained your explicit consent to such processing.  However, you might provide personal data within one of the above categories where this has not been requested.  By providing this data to us, you will be deemed to have consented to our processing such data as part of the results and disclosing such data to your employer.

Aggregate Information

Please note that we will not reveal your identity to an employer other than in exceptional circumstances, as explained further below in the section entitled “Categories of Recipients of Personal Data”. Data collected from you and other employees may be used by us in an aggregated and anonymised form for statistical and benchmarking purposes including enabling comparisons to other organisations within the same industry. Uses include;

  • To facilitate the creation of and secure your account on the service.
  • To carry out our obligations arising from the Employer Agreement, Zevo may aggregate the information you and others make available in connection with the service and share it with your employer. To do this, we remove certain account information, such as your name, and combine the resulting information with similar information from other users. This includes providing your employer with reports and analysis summarising information’s provided during your use of the Application, including challenge results.
  • Use the information we collect to analyze, develop and improve the Services.
  • Use third-party analytics providers to gain insights into how our services are used and to help us improve the services.
  • Use during troubleshooting, data analysis, testing, research, statistical and survey purposes.
  • Use as part of our efforts to keep the Application safe and secure.

Third-Party Business via API or Other Integrations

Information we receive from other sources. We may combine information from other sources with the information you give to us or we collect about you and use this information as specified above. You can choose to sync your activity data with Zevo. If you choose to synch activity data (such as steps, distance etc.) from your device, you choose to participate in ‘Insights’ and you will be presented with an Insights section in your application in which you will be provided with recommendations and motivational messages, information and links to articles that may be of interest to you based upon your activity data, and a comparison of your activity data with aggregated activity data of others in the community. Should you choose to do this you the legal basis is your explicit consent, it can be removed at any time through your account.

We may engage third-party service providers to work with us to administer and provide the services. These third-party services providers have access to your personal information only for the purpose of performing services on our behalf. The types of service providers (processors) to whom we entrust personal information include service providers for (i) provision of IT and related services; (ii) provision of information and services you have requested; (iii) customer service activities; and (iv) in connection with the provision of the application. Zevo has executed appropriate contracts with the service providers that prohibit them from using or sharing Personal Information except as necessary to perform the contracted services on our behalf or to comply with applicable legal requirements.

  • Digital Ocean who provide cloud-hosted infrastructure and services used by us to operate the Application as a hosted solution;
  • Google, Zapier, Intercom, SendGrid, who provide product tools and functionality used by us in delivery of the Application and associated services.
  • Hubspot who provide marketing and CRM management and delivery services, Qualtrics who provide survey management tools.
  • Stripe who provide payment processing and invoicing.
  • Zoom who provide online zideo conferencing services.

We require all our third-party service providers and all other companies within our group to take appropriate and stringent security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes in accordance with our instructions.

Categories of Recipients of Personal Data

We do not share your personal information except in the limited circumstances described below.

Other Users

Your activities and activity data associated with your account are not disclosed by default. You may decide to allow others to view your summary activity data by joining an individual or team. When you interact with others in these ways, you will be displaying your data relating to the challenge or leader board (e.g., aggregate number of steps during the duration of a steps Leader board or Challenge). You can also join groups and make connections with other users. Other users will know that you are a member of that group and will see the information you share within the group.

Your Employer

If you are an Application user, please note that usage and activity logs provided by you during your use of the application are collated and conveyed to your employer in an aggregated or otherwise anonymised form.  As such, your anonymity as an application user is protected by default. Please also note that we merely report the usage and activity and do not undertake any investigation or assessment into their veracity or legality;

From time to time we may receive a request from your employer to disclose your identity or we may consider it appropriate to disclose your identity in the absence of such a request.  We will consider this in accordance with our internal policy on revealing anonymity.  Your identity will in general only be disclosed to your employer where it is necessary to do so for reasons of substantial public interest or risk to the individual.  This is only likely to occur in exceptional circumstances.

Except as explained above, we will not disclose your personal data to any third parties for any other purpose unless we have a legal right or obligation to do so.

Feedback and comments provided by you during surveys are collated and conveyed to your employer in an aggregated or otherwise anonymised form. As such, your anonymity as a Survey Recipient is protected by default. Please also note that we merely report the feedback and comments and do not undertake any investigation or assessment into their veracity or legality.

Legal

We cooperate with government and law enforcement officials and/or private parties to enforce and comply with the law. We may access, preserve, and disclose any information about you to the government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate:

  • To respond to claims or legal process and comply with law enforcement or security requests (including subpoenas, warrants or court orders);
  • To protect your, our, or other’s property, rights and safety and the rights, property and safety of a third party or the public in general;
  • To prevent or stop any activity we consider illegal, unethical or legally actionable activity;
  • When we believe disclosure is necessary or appropriate to prevent physical harm or financial loss or in connection with an investigation or prosecution of suspected or actual illegal activity;
  • If we, in good faith, believe that disclosure is otherwise necessary or advisable.

In addition, from time to time, server logs may be reviewed for security purposes – e.g., to detect unauthorised activity on the services. In such cases, server log data containing IP addresses may be shared with law enforcement bodies or accredited third-party security firms in order that they may identify users in connection with their investigation of the unauthorised activities.

Legal Basis

For personal data subject to the GDPR, we rely on several legal bases to process the data. These include when you have given your explicit consent, which you may withdraw at any time using your account settings and other tools; when the processing is necessary to perform a contract with you, like the Terms of Service; and our legitimate business interests, such as in improving, personalising, and developing the services, marketing new features that may be of interest, and promoting safety and security.

In relation to the above uses, we shall also process your personal data on the legal basis that it is necessary to enable us to perform our contractual obligations under the Employer Agreement, to improve or optimise our services, to maintain the security of our computer systems, to understand how the Applications or other services is used and to improve the user experience of the Application or other Services, to protect and defend our legal rights, for troubleshooting, and for data analysis, testing and research purposes.

International Data Transfers

We do not transfer any Personal Data outside of the EEA. However, certain third parties providing services to Zevo may transfer data outside of the EEA for example, for storage purposes. These third parties include, for example, Google, Stripe, Intercom and Qualtrics. If this changes at any point in the future, this Privacy Notice will be updated to take account of this change. We only engage reputable third parties that provide appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects are available.

If you require further information about these protective measures, please contact Zevo DPO  via email dpo@zevohealth.com

Security of Information

You will require a username or password to gain access to the Application. You must not share these details with anyone or store them in a way that may allow a third party to access them.

We use a combination of technical, administrative, and physical controls to maintain the security of your data. This includes using Transport Layer Security (“TLS”) to encrypt many of our Services. Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to the Application and you acknowledge that any transmission is at your own risk.

Once we have received your information, we will use strict procedures and security features which are appropriate to the type of personal data you have provided to try to prevent unauthorised access or inadvertent disclosure, which may include two-factor authentication and end-to-end encryption.

When you purchase a service from us we collect information that includes your payment information, such as your credit or debit card details and other account and authentication information. Any credit card information you provide is collected and processed directly by our payment processor, which is currently Stripe. We will never receive or store your credit card information on our servers. Stripe commits to complying with the Payment Card Industry Data Security Standard (PCI-DSS). You can view the Stripe Privacy Policy here https://stripe.com/us/checkout/legal.

Retention of Information

We retain information as long as it is necessary to provide the Services to you and others, subject to any legal obligations to further retain such information. Information associated with your account will generally be kept until it is no longer necessary to provide the Services or until your account is deleted. In addition, you can delete some items of information (e.g., profile information) and you can remove individual activities from view on the Services without deleting your account. For example, where you withdraw your consent to Zevo Health processing your health-related information, Zevo will delete all health-related information you uploaded. Following the deletion of your account, it may take up to 90 days to fully delete your personal information and system logs from our systems. Additionally, we may retain information where deletion requests are made to comply with the law, prevent fraud, collect fees, resolve disputes, troubleshoot problems, assist with investigations, enforce the Terms oF service and take other actions permitted by law. The information we retain will be handled in accordance with this Privacy Policy.

Information connected to you that is no longer necessary and relevant to provide our Services may be de-identified or aggregated with other non-personal data to provide insights which are valuable to Zeevo, such as statistics of the use of the Services. For example, we may retain depersonalized information to continue to improve the Services. This information will be de-associated with your name and other identifiers.

All counselling records will be maintained as required by the applicable legal and ethical standards according to the various counselling and psychotherapy professions licensing boards (e.g. The Irish Association of Counselling and Psychotherapy), of the country which the therapist resides in. All Zevo Health therapists are based in Ireland.  Recording of sessions is prohibited.  

Your Rights

You have the following rights with regard to your personal information:

  • Portability. You have the right to obtain copies of your personal data to enable you to reuse your personal data across different services and with different companies. You may also request that your personal data is transmitted directly to another organisation where this is technically feasible using our data processing systems. Please include your name, email and a clear description of your request.
  • Access. You have the right to access information about the personal data we hold about you. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is manifestly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
  • Right to object to processing.  You have the right to object to the processing of your personal data where that processing is being undertaken by us based on our (or a third party’s) legitimate interest. In such a case we are required to cease processing your data unless we can demonstrate compelling grounds which override your objection. As outlined, we do not use your data for direct marketing. You also have the right to object at any time to the processing by us of your personal data for direct marketing purposes.
  • Rectification. You have the right to request that we rectify any inaccurate personal data that we hold about you.
  • Erasure.  You have the right to request that we erase any personal data that we hold about you, based on one of a number of grounds, including the withdrawal of your consent (where our processing of that data is undertaken on the basis of your consent), or if your object to our continued processing (as mentioned above).  Please include your full name, the email address associated with your account, and a detailed description of your data request. Such requests will be processed in line with local laws.
  • Your erasure right does not extend to information which is not personal data. Please also note that it is likely to be necessary for us to retain your personal data for the purposes of assessing and verifying data that is submitted and/or held on the Application, and your rights under applicable law to request erasure may be limited accordingly. We also reserve the right to retain your personal data in an anonymised form for statistical and benchmarking purposes.
  • Request to restriction of the processing. This enables you to ask us to restrict the processing of your personal data in certain circumstances, for example, if you want us to establish its accuracy or the reason for processing it.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

Your rights detailed above can be exercised free of charge in accordance with applicable data protection laws. Please contact your employer directly if you would like to exercise any of these rights. It is your employer’s obligation to inform Zevo via dpo@zevohealth.com.

Please note that if you exercise any of the above rights to require us to restrict or cease processing or to delete personal data, and this type of processing is required in order to facilitate your use of the Application or other service, you will no longer be able to use the Application or other service following the date on which we action your request.  Please allow at least 5 working days for your request to be actioned, once Zevo is informed by your employer of the request.

If for any reason you are not happy with the way that we have handled your personal data, you also have the right to make a complaint to the relevant supervisory authority in your country.  In Ireland, the relevant authority is the Data Protection Commission.

Privacy Policy Information

Zevo reserves the right to modify this Privacy Policy at any time. Please review it occasionally. If we makes changes to this Privacy Policy, the updated Privacy Policy will be posted in a timely manner and, if we make material changes, we will provide a prominent notice. If you object to any of the changes to this Privacy Policy, you should stop using the Services and delete your account.