getUbetter privacy policy
Updated March 2023

PLEASE READ THIS POLICY CAREFULLY BEFORE USING getUBetter SERVICES

You must be 18 years or older to use our Services.

Protecting your data, privacy and personal information is very important to getUBetter (“us”, “our”, “we” or “getUBetter”). It is vitally important to us that our customers feel secure when using our “Services”, as further described in this policy.

Summary

This privacy policy, collectively with our terms and conditions in the provision of our Services (as defined below), sets out our responsibility and commitment to protecting the privacy and confidentiality of your personal data. In particular, this policy details the basis on which any personal data we collect from you, or that you provide to us, will be processed by getUBetter when you: 

• visit our getUBetter website at getUBetter.com (our “Website”);
• use of our application “getUBetter” and the services available on our application (our “Apps”);
• use our “WebApp”, available through our Website;

(together, the “Services”); 

• use our clinical portal (you will have access to this if you are an employee or consultant of one of our third-party partners or your company has an agreement in place with our of our third party partners); or
• sign-up or register for an app and services provided by one of our third-party partners. Please see the How is your personal data collected? section below for further information on our third-party partners and their apps and services.

Please read this privacy policy carefully to understand the types of information we collect from you, how we use that information, the circumstances under which we will share it with third parties, and your rights in relation to the personal data you provide to us. It is important that you read this privacy policy together with any other privacy policy or fair processing policy we may provide on specific occasions when we are collecting or processing personal data about you so that you are fully aware of how and why we are using your data. This privacy policy supplements other notices and privacy policies and is not intended to override them.

This privacy policy is provided in a layered format so you can click through to the specific areas below:

About Us

The data we collect about you

Processing of sensitive personal data

How is your personal data collected?

How we use your information and justification of use

Marketing

Where we store your personal information

Disclosure of your information

How long we retain your personal data

Your rights

Change to our privacy policy

Cookies

Contact

About Us

We're Get U Better Limited, a company registered in England and Wales (company number 08330528). Our office is The Old Dairy, Ashton Hill Farm Weston Road, Failand, Bristol, England, BS8 3US , UK. Our VAT number is 191176892. We are responsible for operating this Website and our associated Services, including the processing of your personal data. 

When contacting us we strongly recommend you don't email us confidential or personal information (unless otherwise requested by us, for example, where you’re exercising one of your data subject rights and we need to verify your identity). 

What we do

Our Website, Apps, WebApp and the Services available through these methods are provided by us, and we partner with NHS Trusts and other healthcare providers to provide you with access to other services in your area. To inform you about the services in your area, our Services also contain information provided by third parties. For example, through our Services, you will be able to request treatments with NHS service providers or other local service providers, and we will refer your details to that service provider in accordance with, and as described in, this privacy policy. 

You can choose for us to introduce you to any of these services, or there may be links to such third-party websites, application or plug-ins through our Services. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. Please note that these third parties have their own privacy policies and that we do not accept any responsibility or liability for their policies or processing of your personal information. When you leave our Website, WebApp or our App, we encourage you to read the privacy policy of every other website you visit.

We also partner with other third-party partners (as further described in the ‘How is your personal data collected?’ section).  In this case, the third party will be responsible for providing you with their services.  We just provide the technology and infrastructure behind the services to enable that third party to provide their own services to you. Your third party will have their own privacy policies which will explain how they use your data. We do not accept any responsibility or liability for their policies or the processing of your information. We are the processor of the personal data we require from you to create you an account to access the third party’s services, as further described below. 

The data we collect about you 

Personal data, or personal information, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed. 

We explain the different types of personal data we collect, use, store and transfer about you which we have grouped together as follows:

• Identity Data: your name, email address and date of birth.
• Registration Data: your Identity Data, phone number, contact data, postcode, gender and your GP details (optional).
• Recovery Data: the nature of your injury, your recovery progress and yes/no responses to clinically based safety netting questions, and your rating of your recovery from your injury.
• NHS Number: the unique number assigned to you by the NHS, which allows healthcare providers to link you to your medical record, make referrals and to identify you in the healthcare system.
• Clinical Portal Log-In Data: unique user name and password we assign to you for accessing our clinical portal (where applicable).
• Technical Data: technical information about the device you use (e.g. your internet protocol (IP) address, device type, network, operating system and mobile browser); and how you use and interact with the App (e.g. page views, journeys through it etc.), specific information, such as your hardware model, operating system version, unique device identifiers, and mobile network information; we do this to ensure, for example, we identify devices not compatible with our app as well as enabling an easier start to use the app; and
• Usage Data: information about how you use our Website, Apps and WebApp. 

Processing of sensitive personal data

The nature of the App means that, where necessary to act in your best interests, we need to be able to process certain sensitive data about your symptoms and health concerns. Due to its sensitivity, health data has the protected status of “special category data” under data protection law and we are subject to additional compliance obligations to ensure such data is adequately protected. Some of the data you provide to us (including details of your symptoms) will constitute special category data. We explain how we use this data in the below table.

We also collect anonymised aggregated data about how you use our Services. This data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, when lawfully permitted to do so we may aggregate technical data collected from you to calculate the percentage of users accessing a specific feature on our App, or we may create anonymous, aggregated reports such as statistics, ratings, analysis, and reviews that we may provide for research purpose.  Your feedback and use of our Services helps improve recovery for you, others and future generations.

How is your personal data collected?

We collect and process the following data about you:

• Information that you provide to us.

You will be asked to provide us with your information when you:

• email us or otherwise get in touch with us;
• register to use our Services;
• use the Services or log-into your account for the App or WebApp;
• report a problem with our Services; 
• fill out forms;
• complete any questions in the App or WebApp relating to your recovery (although you do not have to complete these if you do not want to); or
• complete any other questionnaires relating to our Services.
• Information provided by the NHS. Dependent upon your local service, and whether or not your local clinicians instruct getUBetter to do so, we may collect your NHS Number from the centralised IM1 (NHS) web database. Collection and processing of your NHS Number ensures that any Recovery Data you provide on our App or WebApp links to and updates your individual NHS medical record.  This enables you easier access to associated NHS services and offers the NHS your most up to date medical and health information.
• Information we collect about you with regard to each of your visits to our Apps or WebApp. 

We automatically collect technical data about your equipment, browsing actions and patterns and usage data about how you use our Apps or WebApp, as further described in the How we use your information and justification of use section below. 

• Third Parties. We partner with trusted third parties (each a Partner) that offer services and apps that have similar functionality to our App. In this case, our Partner will be responsible for providing you with their services. However, in order to register you with that Partner, we will receive certain personal data about you from our Partner so that we can create you an account to access their services and app. 

Please see the How we use your information and justification of use section below for further information.

Please note that our Partner(s) will have their own privacy policies which explain how they collect, use, store and process your personal data on their app and through their services. We are not responsible for their privacy statements and we encourage you to read their privacy policies.  

Our Partners will change from time to time. However, as at the date of this privacy policy (set out above), our Partners are: 

• Bio-Rhythm Ltd, a community interest company incorporated in England and Wales whose registered number is 09459197 and whose registered office is at 29 Rownham Road, Bristol BS8 4YB.
• LEVA Pain Management Programme, a registered company incorporated in England and Wales whose registered number is 11692304 and whose registered office is IASO Ltd Cannon Place, 78 Cannon Street, London, England EC4N 6AF.
• Orthopaedic Research UK (operating the ‘ESCAPE-pain group rehabilitation’), a registered charity with registered charity number 1111657 and whose registered address is Furlong House, 10A Chandos Street, London, W1G 9DQ.

Other than Partners identified above, we do not receive information from other sources.

How we use your information and justification of use.

We have data protection compliance procedures in place to oversee the effective and secure processing of your processing and we will only use your personal data where the law allows us to. Use of personal information under applicable data protection laws must be justified under one of a number of legal “grounds” and we are required to set out the ground in respect of each use of your personal data in this policy. These are the principal grounds that justify our use of your information, and most commonly, we will use your personal data in the following circumstances:

• Consent: where you have consented to our use of your information (you are providing specific, informed, freely given consent, in relation to any such use and may withdraw your consent in the circumstance detailed below by notifying us);
• Contract performance: by contract we mean the implied duties and responsibilities we have to the individual service user, so our use of your information is necessary for us to perform our contract/implied duties with you;
• Legal obligation: there may be circumstances, in carrying out our Services, where we are obliged by law to use your information in order to ensure our compliance with legal obligations; and
• Legitimate interests: where the processing is necessary for the purposes of legitimate interests pursued by us or a by a third party and our reasons for using it outweigh any prejudice to your rights.

We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground, we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose / activity	Type of Personal Data	Lawful basis for processing
WebApp / App
To provide you with access to our App or WebApp to use our Services and create an account for you	Registration Data	Necessary for our legitimate interests (so we can identify you when you access our Services)
To provide you with our Services on the App and WebApp	Identity Data Registration Data Recovery Data	Performance of a contract with you We also rely on your explicit consent to process your health data for this purpose
As part of our Services, to obtain your NHS Number and link your Recovery Data to your NHS Number so that your medical records are updated to inform your clinician if you have registered to use the App.	Identity Data Registration Data NHS Number	Performance of a contract with you We also rely on your explicit consent to process your health data for this purpose
To support your recovery by sending emails with updates	Identity Data Registration Data	Necessary for our legitimate interests (so we can ensure you are making the most of the Services and using them in a way that provides you with support)
To connect and refer you to your healthcare providers (including doctors, GP surgeries, hospitals, healthcare providers) (our clients) and local services of your choice on the App or WebApp	Identity Data Registration Data Recovery Data	Performance of a contract with you We also rely on your explicit consent to process your health data for this purpose
To contact you where they have difficulty using the App or WebApp	Email address Recovery Data	Performance of a contract with you We also rely on your explicit consent to process your health data for this purpose
To notify you about changes to our Services	Identity Data Registration Data	Performance of a contract with you
Create electronic versions of documents for you to provide to your practitioner	Identity Data Registration Data Recovery Data	Performance of a contract with you We also rely on your explicit consent to process your health data for this purpose
To remember you so that you don’t have to re-enter your details each time you log in	Identity Data Registration Data	Necessary for our legitimate interests (to ensure we provide you easy access and a great level of service)
For our internal operations, including, data analysis and data statistics	Identity Data Registration Data Technical Data Usage Data	Necessary for our legitimate interests (to administer and improve our Services)
For evaluation of our Services we share with our NHS partners (NECS) identifiable data that they then anonymise to enable aggregated data to track and improve our Services	Identity Data Registration Data Recovery Data Usage Data	Necessary for our legitimate interests (to administer and improve our Services)
Clinical portal
To enable you to access our clinical portal.	Unique username and password	Necessary for our legitimate interests (to ensure we can monitor who is accessing our clinical portal for security and business management purposes)
Our Partners Apps
To register you as a user of our Partner’s app and services and create you an account to access such services	Email address (provided to us by our Partner) Registration Data (provided to us by you when we create an account for you to access the Partner’s services)	Necessary for our legitimate interests (to perform our obligations under our contract with the relevant Partner and to ensure you are able to access and benefit from the use of their app and services)
Website, App and our WebApp
To use data analytics to improve, test and update our Services, Website, App and WebApp, marketing, customer relationships and to monitor its performance and effectiveness	Technical Data Usage Data	Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy)
To administer and protect our business, Website, App and WebApp (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)	Identity Data Registration Technical Data	Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise) Necessary to comply with a legal obligation
Develop and test new products, services and features	Technical Data Usage Data	Necessary for our legitimate interests (to improve our Services)
For you to participate in clinical research	Identity Data Registration Data Recovery Data	Consent We also rely on your explicit consent to process your health data for this purpose
Improve user experience and the quality of the content available.	Technical Data	Necessary for our legitimate interests (to define types of customers for our Services, keep our Website, App and Webapp relevant, to develop our business and inform our marketing strategy)
To make suggestions and recommendations to you about services that may be of interest to you	Usage Data Technical Data	Necessary for our legitimate interests (to develop our Services and grow our business)
To help us identify and fix defects or errors in our systems	Usage Data Technical Data	Necessary for our legitimate interests (to ensure our Services and systems are running as they should)
To give you reminders, emails or alerts	Identity Data Registration Data	Consent

We will not sell your personal data (or any other data you provide us with) to third parties, however, we reserve the right to share any data, which has been anonymised and/or aggregated. You acknowledge and accept that we own all right, title and interest in and to any derived data or aggregated and/or anonymised data collected or created by us.

Marketing

We may use information for marketing products and services to you in the following ways:

Types of marketing activity:

• Newsletters and marketing emails relating to our own similar services and products, only where you have not opted-out of receiving that marketing. 
• Newsletters and marketing emails where you have requested this information from us, or we have obtained your consent to send you marketing. 

We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us at any time using the details set out at the end of this privacy policy.

Where we store your personal information

The personal data that we collect from you (including email addresses that form part of our prospective marketing database) are processed only in the UK and stored at a UK data centre. Sensitive information between our “Apps” or “Webapp” and our server is transferred in encrypted form using Secure Socket Layer (“SSL”). In the unlikely event where we need to send your data outside the UK, we will ensure that any such transfers are only undertaken following an assessment of the level of protection afforded in the receiving country or jurisdiction, and will put in place the international data transfer agreement (“IDTA”) and UK addendum to the new EU Standard Contractual Clauses (“UK Addendum”) to ensure that your data is protected with the appropriate technical and organisational controls.

Your passwords and data for our Apps, WebApp, Website and our Partners’ apps are stored on getUBetter servers in encrypted form. We do not disclose your account details to any third party. It is your responsibility to keep your password secure. When transmitting sensitive information, you should always make sure that your browser can validate the getUBetter certificate. Unfortunately, the transmission of information via the internet is not completely secure. Although getUBetter will do its best to protect your personal data, we cannot guarantee the security of your data transmitted to our Website, any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent any unauthorised access.

Disclosure of your information

We may also disclose your personal information to the following third parties for the purposes specified in the above table:

• Our service providers and healthcare partners: including doctors, GP surgeries, hospitals, healthcare providers. 
• Analytics providers, such as Health Care Providers analytics teams (to assist us in the evaluation, improvement and optimisation of the App and Website).
• If we sell or buy any business or assets, we may disclose your personal information to the prospective seller or buyer of such business or assets. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
• If getUBetter is acquired by a third party, personal information about our customers will be one of the transferred assets. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.
• If we are under a duty to disclose or share your personal data in order to comply with any legal obligation or to protect the rights, property, or safety of getUBetter, our customers, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.
• We may disclose certain data to organisations involved in clinical trials and other types of research where you have authorised us to do so.
• We may disclose your personal information to third parties, the court service and/or regulators or law enforcement agencies in connection with proceedings or investigations anywhere in the world where compelled to do so. Where permitted, we will direct any such request to you or notify you before responding unless not permitted to do so by applicable law.

How long we retain your personal data

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, what we may have agreed with our partners, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

Please get in touch using the details set out below if you require further information about our retention periods.

We restrict access to your personal information to those persons who need to use it for the relevant purpose(s). Our retention periods reflect the NHS Records Management Code of Practice for Health and Social Care 2016 and also based on business needs and your information that is no longer needed is either irreversibly anonymized (and the anonymized information may be retained) or securely destroyed.

Your rights

Under data protection legislation, you have various rights in relation to your personal data. All of these rights can be exercised by contacting us at contact@getUBetter.com.

You have the following rights in relation to your personal data:

• Right to request access to your personal data
  • This is commonly known as a “data subject access request”. This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
• Right to Rectification
  • This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
• Right to erasure / ‘Right to be forgotten’
  • This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. This means we extract all identifiable information from all datasets, so anonymise your record and hold in-app usage on a secure cloud-based data server for potential use for aggregate data analysis. Where you request getUBetter to rectify or erase your personal data or restrict any processing of such personal data, getUBetter may notify third parties to whom such personal data has been disclosed of such request.  We will endeavour to complete the full request within 10 working days of your request. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. For example, the NHS may ask us to retain some data for legal purposes.
• Right to restriction of processing
  • You have the right to ask us to suspend the processing of your personal data at any time in the following scenarios:
    • If you want us to establish the data's accuracy.
    • Where our use of the data is unlawful but you do not want us to erase it.
    • Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
    • You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it
• Right to data portability
  • You have the right to request that getUBetter provides you with a copy of your personal data and to transmit your personal data to another data controller in a structured, commonly used and machine-readable format, where it is technically feasible for us to do so. Note this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
• Withdraw consent at any time where we are relying on consent to process your personal data. 
  • However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you of this is the case at the time you withdraw your consent.
• Right to object to processing
  • You have the right to object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
• Right to complain
  • You have the right to lodge a complaint to a supervisory authority such as the Information Commissioner’s Office in the UK. Although we encourage our customers to engage with us in the event they have any concerns or complaints.

getUBetter will not ordinarily charge you in respect of any requests we receive to exercise any of your rights detailed above; however, if you make excessive, repetitive or clearly unfounded requests, we may charge you an administration fee in order to process such requests or refuse to act on such requests. Where we are required to provide a copy of the personal data undergoing processing this will be free of charge; however, any further copies requested may be subject to reasonable fees based on administrative costs.

Asking us to stop processing your personal data mean we will notify your Health Care Provider of your request.  Your Health Care Provider Organisation has the legal responsibility to maintain a record of care provided so, ultimately, has the authority to respond to your request.  On receipt of your request getUbetter will acknowledge the request and keep you informed of the Health Care Provider instruction.  With authority to stop processing your data, getUBetter anonymise all identifiable data whilst retain storage of the anonymised data on a secure cloud-based data servers and use for aggregate data analysis. Asking us to stop processing your personal data or deleting your personal data will likely mean that you are no longer able to use getUBetter Services, or at least those aspects of the Services which require the processing of the types of personal data you have asked us to delete, which may result in you no longer being able to use the Services. We will notify you if this is the case at the time.  

Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you (for example, to provide you with the Services). In this case, we may have to cancel the Services you have with us but we will notify you if this is the case at the time.

Where you request getUBetter to rectify or erase your personal data or restrict any processing of such personal data, getUBetter may notify third parties to whom such personal data has been disclosed of such request. However, such third party may have the right to retain and continue to process such personal data in its own right, for example doctors, GP Surgeries, Healthcare professionals, local health related services or Hospitals. 

Automated decision-making 

Automated decision-making takes place when an electronic system uses your personal information to make a decision without human intervention. 

If we make an automated decision on you (and using your health data), we will obtain your explicit written consent and we will put measures in place to safeguard your rights. Automated decision-making is used on our App and WebApp to ensure we generate appropriate responses to any Recovery Data you submit (for example, if it appears that your symptoms have got worse, we may recommend that you contact your GP). 

Changes to our privacy policy

Any changes we make to our privacy policy in the future will be posted on this page, and where appropriate, notified to you by email or notifications via the App or our Partner’s app (as applicable). We therefore encourage you to review it from time to time to stay informed of how we are processing your information.

Cookies

A cookie is a small file of letters and numbers that we or third parties may store on your browser or device. We use them to identify and distinguish you from other users of our services, which helps to provide you with a better experience.

You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see www.getUBetter.com

 Contact

We are committed to continually developing and promoting our compliance with the UK GDPR and data protection standards. You are welcome to contact us at contact@getUBetter.com if you have any questions, comments and requests regarding this privacy policy. For the purpose of the relevant data protection legislation, our data protection officer is Carey McClellan.