Effective Date: 18 September 2023
- about people who use our services (each a “User”, “you” or “your”), and
- about people on whose behalf certain Users provide information (“Dependent”, “you” or “your”).
Our services (“Services”) are available to Users who visit our website at www.human.health (the “Website”) or use our mobile app (the “App”). We collect different types of data from you via the Website, compared to the App, as set out in section 4 below.
Some more terms that we use:
“Personal Data” is any data that identifies or relates to you as a particular individual, including information referred to as “personally identifiable information” or “personal information” under applicable data privacy laws, rules, or regulations.
“Anonymized Data” is data where personally identifiable information has been removed, rendering the data anonymous by stripping out information that would allow an individual’s identity to be determined from the remaining data. Data is “anonymized” to protect the privacy and identity of individuals associated with the data. Anonymized Data is no longer Personal Data.
“Aggregated Data” is data that has undergone a process whereby raw data is gathered and expressed in a summary form for statistical analysis. Raw data can be aggregated over a given time period, across individuals, or both, to provide statistics such as average, minimum, maximum, sum, and count. After the data is aggregated, analysis can be performed to gain insights about particular data sets. When data is aggregated across a number of individuals, the resulting aggregation is considered anonymized such that it is no longer Personal Data.
2. DATA PROTECTION OFFICER
Human has appointed an internal data protection officer for you to contact if you have any questions or concerns about Human’s personal data policies or practices. If you would like to exercise your privacy rights, please direct your query to Human’s data protection officer. Human’s data protection officer’s name and contact information are as follows:
Human Operations Pty Ltd
3/91 Reservoir Street, Surry Hills, Sydney, NSW, 2010, Australia
Human Operations Pty Ltd, headquartered in Sydney, Australia, will be the controller of your Personal Data processed in connection with the Services.
3. ACCOUNTS, PROFILES AND ROLES
We have different names for types of accounts, profiles and roles that you may adopt when using the App:
- Accounts: A User who registers an account on our App by providing an email address and password becomes an “Account holder”. There are two types of Accounts:
  - Practitioner Account: If an Account holder is a health practitioner, it can create a “Practitioner Account” for itself.
  - Personal Account: If an Account holder is an individual seeking information about its own health condition or that of another person, it can create a “Personal Account” for itself.
- Profiles: Each Account holder, whether a health practitioner or other individual, creates a profile for itself containing its personal information. A Personal Account holder may also create a profile for any dependent person for whom that Personal Account holder is a legally authorised representative, and who is not already an Account holder (a “Dependent”). A Personal Account holder may include medical information, such as clinical history, treatment plans and medical records, in its own profile or that of a Dependent.
- Owner: A Personal Account holder is the “Owner” of its own profile and of any Dependent profile it has created. The Personal Account holder may transfer ownership of the Dependent’s profile to another Personal Account holder, such that it becomes the new Owner.
- Carer: A Personal Account holder can grant another Personal Account holder (a “Carer”) access to its own profile or a Dependent’s profile.
- Practitioner: A Personal Account holder can grant a Practitioner Account holder (a “Practitioner”) access to its own profile or a Dependent’s profile.
- Any Personal Account holder who provides Personal Data to Human on behalf of a Dependent, or who grants any Carer or Practitioner access to the Dependent’s Personal Data, warrants that it has the authority to do so. Human is entitled to request proof of authority and/or identity, before providing any access to Personal Data.
We may collect Personal Data about you from:
- Yourself, when you provide such information directly to us, such as when completing your profile on the App; and
- Third parties, from time to time, including:
- Owners, when the Owner of your profile (if you are not a Personal Account holder yourself) provides such information directly to us, such as when completing your profile on the App;
- Practitioners, when you or the Owner of your profile gives consent for a Practitioner to provide your health information directly to us, such as providing your treatment plan to Human;
- Carers, when you or the Owner of your profile gives consent for a Carer to provide your health information directly to us, such as logging symptoms on your profile;
- Automatic data collection such as local storage objects, web beacons, and other similar technologies in connection with your use of the Services; and
- Social media, other third-party platforms, and linked accounts, devices, or features, if you sign into the App through a third-party site or service, or otherwise link accounts, devices, or features to your Human account.
5. WHAT PERSONAL DATA WE COLLECT
We may collect the following types of Personal Data:
- Contact details, such as your first and last name, and email address;
- Account data, such as username and password that you may establish to create a Human account;
- Profile data, such as your date of birth, gender identity and ethnic group;
- “Health Data”, which is information about your health and treatment which you or the Owner of your profile provides, or which is provided with your consent by a Practitioner or Carer;
- Biometric Data, such as your photograph. When Practitioners create an Account, we may request that they provide proof of identity.
- Communications that we exchange with you, including when you contact us via email or the Services with questions, feedback, or reviews;
- Marketing data, such as your preferences for receiving our marketing communications, and details about your engagement with them (e.g., the marketing emails that you open and the links within them that you click);
- Device and geolocation data, such as your computer or mobile device operating system type, IP Address, and general location information such as city, state, or geographic area. An “IP Address” is a unique address that identifies a device on the internet or a local network. It allows a system to be recognized by other systems connected via the internet protocol; and
- Online activity data, such as pages or screens you view, how long you spent on a page or screen, the website you visited before visiting our website, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access.
We collect different types of data from you via the Website, compared to the App. As such, when you are using the App and are logged into your Account, we may collect Account data, Profile data, detailed Health Data, and Payment and transactional data. When you are using the Website, we may only collect Contact details (with your consent).
We process Personal Data to operate, improve, understand, and personalize our Services. We use Personal Data for the following purposes:
Service delivery, including to:
- Provide, operate, improve, develop, understand, and personalize the Services and our business, including testing, research, analysis and product development. In particular, we use device and geolocation data to help us design our site to better suit our Users’ needs. We may also use your IP address to help diagnose problems with our server and to administer our website, analyze trends, track visitor movements, and gather broad demographic information that assists us in identifying visitor preferences;
- Satisfy the reason you provided the information to us, including responding to and fulfilling requests;
- In the case of Practitioners, advise you via email when a Personal Account User wants to connect a profile with you on Human;
- Communicate with you about the Services, including Service announcements, updates, or offers;
- Provide support and assistance for the Services;
- Create and manage your account or other user profiles; and
- Customize content and communications based on your preferences.
General research and development. We may create and use Aggregated Data, Anonymized Data or other anonymous data from Personal Data we collect, including Health Data on the App, for our business purposes, including to analyze the effectiveness of the Services, to improve and add features to the Services, and to analyze the general behavior and characteristics of Users of the Services. We also use Anonymized Data or Aggregated Data from Health Data on the App for research purposes to help us and our research partners answer important questions about human health and create an even better experience for our Users by identifying cutting-edge insights and providing new content and product features.
Research studies. We may use your Personal Data on the App to do a preliminary assessment of your eligibility for our research studies. However, only where specific and informed consent has been given by you may we use your Personal Data including Health Data, in our research studies, for example to analyze your response to certain treatments. The specific purpose for which we use your Personal Data in the context of our research studies will be set out in the informed consent form relating to a particular study.
Marketing and advertising. We do not use personally identifiable Health Data for marketing or advertising purposes. We may use other Personal Data to send you marketing messages as permitted by law or to measure and improve our advertising.
Compliance and protection, including to:
- Protect against or deter fraudulent, illegal, or harmful actions and maintain the safety, security, and integrity of our Services;
- Audit our internal processes for compliance with legal and contractual requirements and internal policies;
- Protect our, your, or others’ rights, privacy, safety, or property (including by making and defending legal claims); and
- Respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
Consequences of not collecting Personal Data: You are not obliged to provide any Personal Data. However, if we do not collect any of your Personal Data, we will not be able to perform the above functions, or provide you with the Services.
We may share your Personal Data on the App with the below third parties, but note that sometimes Health Data is treated differently to other Personal Data (as it is a special category of information):
- Where you are a Personal Account holder, we may share your Personal Data and/or the Personal Data of your Dependents, as applicable, on the App with:
  - Carers, subject to your consent,
  - Practitioners, subject to your consent. For example, when you ask us to connect one of your profiles to a Practitioner, you acknowledge that the Practitioner will receive an email containing the full name of the User associated with that profile. Once connected, the Practitioner will be able to view all of the Health Data associated with that profile,
- Payment and security providers, such as payment processors, security and fraud prevention consultants. We will never share your Health Data with payment and security providers;
- Hosting and other technology and communications providers. The Personal Data that Human collects from you is stored in, processed in or transferred to one or more databases hosted by third parties located in the United States. These third parties do not use or have access to your Personal Data for any purpose other than cloud storage, retrieval and data processing. This is discussed in more detail in section 8 below;
- Advertising services. We may share the basic fact of your use of the App with Google Ads via an individual identifier (without sharing any further details of that usage, or any Health Data). However, we only share that for the purpose of advertising measurement and improvement, not for subsequent personalized advertising;
- Government authorities, where the information is provided to comply with the law (for example, compelled by law enforcement to comply with a search warrant, subpoena, or court order), enforce an agreement we have with you, or to protect our rights, property or safety, or the rights, property or safety of our employees or others;
- Third parties, only to address disputes, claims, or to persons demonstrating legal authority to act on your behalf; and
- Business transferees in business transactions (or negotiations for such transactions) involving a sale of all or any portion of the business or assets of, or equity interests in, Human or our affiliates.
We use Google Cloud Platform (“GCP”) to host and process data. A list of GCP subprocessors can be found here: https://cloud.google.com/terms/subprocessors
We will never sell your Personal Data to anyone. We may gather Aggregated Data or Anonymized Data about our Services or Users, and disclose the results of such aggregated or anonymized data to our partners, service providers, advertisers, and/or other third parties. Such information is no longer Personal Data and can no longer be used to identify you.
How you may share Personal Data through the App: Depending on your use of the App, you may share your Personal Data with any other Account holder, subject to your consent or the consent of the Owner of your profile (in the case of a Dependent). Where you have provided consent for Human to share your Personal Data with another User, Human is not responsible for what those Users do with your Personal Data.
Human has its headquarters in Sydney, Australia, but information we collect about you via the App will be hosted and processed in the United States. By using the App, you acknowledge that your Personal Data will be hosted and processed in the United States.
The United States has neither sought nor received a finding of “adequacy” from the European Union under Article 45 of the European General Data Protection Regulation (“GDPR”). Pursuant to Article 46 of the GDPR, Human is providing appropriate safeguards by ensuring that binding, standard data protection clauses are in place with its hosting and processing service providers, which are enforceable by data subjects in the EU and the UK. These clauses have been enhanced based on the guidance of the European Data Protection Board and will be updated when the new draft model clauses are approved.
Where we employ data processors such as Google to process Personal Data on our behalf, we only do so on the basis that such data processors comply with the requirements under the GDPR and have adequate technical measures in place to protect personal information against unauthorised use, loss and theft. Human enters into data processing agreements and model clauses with such vendors whenever feasible and appropriate. Since it was founded, Human has received zero government requests for information.
For more information or if you have any questions about data processing in the U.S., please contact us at email@example.com.
You have certain rights with respect to your Personal Data, including:
- Access: If you wish to confirm that Human is processing your Personal Data, or to have access to the Personal Data Human may have about you, please contact us. When technically feasible, Human will - at your request - provide a copy of your Personal Data to you. You can also access certain of your Personal Data by logging into your account on the App. Reasonable access to your Personal Data will be provided at no cost. If access cannot be provided within a reasonable time frame, Human will provide you with a date when the information will be provided. If for some reason access is denied, Human will provide an explanation as to why access has been denied. You may also request information about: the purpose of the processing; the categories of Personal Data concerned; who else outside Human might have received the data from Human; what the source of the information was (if you didn’t provide it directly to Human); and how long it will be stored.
- Rectification: You have a right to correct (rectify) the record of your Personal Data maintained by Human if it is inaccurate. You can do so by logging into your account on the App. Where this is not possible, you can request that we correct your Personal Data. However, when you update information, we may maintain a copy of the unrevised information in our records.
- Erasure: You can request that we erase some or all of your Personal Data from our systems. You may be asked to complete a verification form in connection with such deletion request in order to ensure that you have the authority to delete your account, and we may retain the relevant Personal Data for a period of up to 30 days, in case your request was submitted in error. Certain Personal Data is necessary to enable you to utilize some or all of our Services, so if you request us to erase such data, we may no longer be able to provide you with the Services. We may retain certain Aggregated Data or Anonymized Data derived from or incorporating your Personal Data that does not identify you, after you update or delete your Personal Data. Where you have provided consent for Human to share your Personal Data with another User, Human cannot ensure that such Users delete your Personal Data, if you later request its deletion.
- Portability: You can ask for a copy of your Personal Data in a machine-readable format. You can also request that we transmit the data to another organization, or directly to you, under certain conditions.
- Objection: You can contact us to let us know that you object to the further use or disclosure of your Personal Data for certain purposes. You may request that Human cease using your Personal Data for direct marketing purposes.
- Restriction of processing: You can ask us to restrict further processing of your Personal Data in certain unique situations.
- Auto Decision Making and Profiling: You have the right not to be subject to certain decisions based solely on automated processing, including profiling, which produces legal effects concerning you or which significantly affects you.
- Withdrawal of consent: If we are processing your Personal Data based on your consent (as indicated at the time of collection of such data), you have the right to withdraw your consent at any time. Please note however, that if you exercise this right, you may be unable to utilize some or all of our Services.
- Complaint: You have the right to lodge a complaint about our practices with respect to your Personal Data with the supervisory authority of your country or, in the case of residents of the EU, your European Economic Area Member State.
- Appeal when a request is denied: You have the right to appeal our decision to not take action on a request. For example, if Human denies your request to delete or erase your information, you may appeal this decision by contacting the local government body that has jurisdiction where you live.
- Not identify or use a pseudonym in certain circumstances: You have the right not to identify yourself (be anonymous) or to use a pseudonym, save where impracticable for Human to provide Services to you in this way.
- Complaints: In many countries, you have a right to lodge a complaint with the appropriate data protection authority if you have concerns about how Human processes your Personal Data. Please see section 15 for more information about complaints.
Unless specified otherwise, you can exercise these rights by logging into your account on the App, or by emailing firstname.lastname@example.org. Please note that in some circumstances, we may not be able to fully comply with your request, such as if it is frivolous or extremely impractical, if it jeopardizes the rights of others, or if it is not required by law, but in those circumstances, we will still respond to notify you of such a decision. In some cases, we may also need you to provide us with additional information, which may include Personal Data, if necessary to verify your identity and the nature of your request. Human will not discriminate against you for exercising your rights.
10. HOW WE STORE PERSONAL DATA, AND FOR HOW LONG
Storage: In relation to the App, Human securely stores your data using cloud-based Google infrastructure on data servers in the United States. In relation to the Website, Human stores any Personal Data obtained from you on a Webflow database in the United States. We, Google and Webflow employ a number of physical, technical, organizational, and administrative security measures designed to protect your Personal Data.
To determine the appropriate retention period for your Personal Data, we consider the amount, nature, and sensitivity of the information, the potential risk of harm from unauthorized use or disclosure of your Personal Data, the purposes for which we process your Personal Data and whether we can achieve those purposes through other means, and the applicable legal requirements.
All Personal Data that Human controls may be deleted upon verified request from a User or its authorized agent. For more information on where and how long your Personal Data is stored, and for more information on your rights of erasure and portability, please contact us at email@example.com.
We do not currently collect or use any cookies on the App.
On the Website, we collect and use analytics tracking cookies from two third parties (namely PostHog and Google Analytics). This is to allow us to understand how users use our Website, by collecting information on how often a user engages with a particular feature of the Services on the Website. We use these aggregated statistics internally to improve the Services.
We also collect and use marketing cookies on the Website. We use Google Analytics for measuring the effectiveness of marketing. This helps us to improve our campaigns and the Services’ content for those who engage with our marketing.
We do not knowingly attempt to solicit or receive information from children.
If you are under 18 or such greater age of majority as may apply where you live (the “Age of Majority”), please do not attempt to register for the Services or send any Personal Data about yourself to us. If we learn that we have collected Personal Data from a child under the Age of Majority, we will delete that information as quickly as possible. If you believe that a child under the Age of Majority may have provided us with Personal Data, please contact us at firstname.lastname@example.org.
Section 5 above (How We Use Personal Data) explains how we use your Personal Data. We will only process your Personal Data if we have a lawful basis for doing so. Lawful bases for processing include consent, contractual necessity and our “legitimate interests” or the legitimate interest of others, but will depend on the type of Personal Data and the specific context in which we process it. However, the legal bases we typically rely on for each category of processing activity are set out below:
- Service delivery: Processing is necessary to perform our contract, or to take steps that you request prior to engaging our Services. Where we cannot process your Personal Data as required to operate the Services on the grounds of contractual necessity, we process your personal information for this purpose based on our legitimate interest in providing you with the products or Services you access and request. Human also has a legitimate interest in understanding how Users and potential Users use its Services. This assists Human with providing more relevant services, with communicating value to our investors, and with providing appropriate staffing to meet User needs.
- General research and development: These activities constitute our legitimate interests.
- Research studies: Processing of your Personal Data is based on your consent.
- Marketing and advertising: Processing is based on your consent where that consent is required by applicable law. Where such consent is not required by applicable law, we process your personal information for these purposes based on our legitimate interests in promoting our business.
- Compliance and protection: From time to time we may also need to process Personal Data to comply with a legal obligation, if it is necessary to protect the vital interests of you or other data subjects, or if it is necessary for a task carried out in the public interest.
The Services may contain links to websites and other online services operated by third parties, such as Facebook, LinkedIn and Twitter. In addition, our content may be integrated into web pages or other online services that are not associated with us. These links and integrations are not in themselves an endorsement of, nor a representation that we are affiliated with, any such third party.
We do not control websites or online services operated by third parties, and we are not responsible for their actions. You can learn about and control how these third parties use and share Personal Data about you, including with Human, by reviewing their privacy notices and exercising the privacy choices that the third party may offer.
We may review this policy from time to time. We recommend that you regularly check for changes and review this policy whenever you visit our website.
We will notify you of any minor changes by posting an updated version on our website or app, with an update to the “Effective Date” at the start of the policy. Where we intend to change our information handling practices (for example we intend to collect a new type of data or use data for a new purpose), we will also notify you via email of those changes.
If you have questions, concerns, complaints, or would like to exercise any of your data protection rights, please contact us at:
Human Operations Pty Ltd
Attn: Legal Department
3/91 Reservoir Street
Surry Hills, NSW
If you have any complaints concerning the processing of your Personal Data, you can email us at email@example.com. Alternatively, you may contact the relevant data protection body in your jurisdiction:
If you are in the UK, contact the Information Commissioner’s Office, via email at firstname.lastname@example.org.
If you are in the EU, you can contact the European Data Protection Supervisor online here or your nation’s data protection authority.
If you are in the US, contact your local state regulatory body.
If you are in Australia, contact the Office of the Australian Information Commissioner online here.