1. Purpose of this Policy
Body Made Simple provides you (the “User”) with access to the online and mobile services associated with BodyGuide, including but not limited to, bodyguide.com.au and all associated subdomains (the “Website”), and the BodyGuide mobile application (the “App”), collectively the “System”.
2. Processing your data
What is the purpose of our processing?
We process your data in order to provide a program of personalised tools for anatomical education, self-managing known conditions, and relevant exercise tutorials (and to support the delivery of that program).
What is our legal basis for processing?
We require consent from all users before processing their data. This consent can be withdrawn at any time.
What data do we collect?
Personal Information, personal data or personally identifiable information (PII) means information relating to an identified or identifiable natural person who can be directly or indirectly identified by reference to an identifier.
We collect and use information like your name, email address, gender, country, city, state and age bracket to personalise the course and communicate with you. You're able to opt out of any external communications (i.e., email and push notifications) at any time.
We collect information about your health (including, but not limited to, past and present self-reported symptoms) in order to personalise your program.
We may also collect general information about your mental and physical wellbeing in order to evaluate progress against your self-defined goals.
We may collect information about the devices you use to access the System, including (but not limited to) IP address, mobile device UDID and IMEI numbers, operating system, browser type, and screen size. This information is used to provide you with customer support, for system administration, to tailor your experience of the System, to report aggregate information internally, and to assist communication (e.g., push notifications).
We may store cookies (small text files managed by your web browser) on your computer in order to improve your experience with the System. Example uses of these cookies include: recognising you when you return to the System, maintaining data you've entered across multiple sessions, and storing information about your personal preferences.
Non-Personal Information means any information that does not reveal your specific identity either directly or indirectly.
We may include your data in aggregated data sets shared with our research partners. In these sets, your data is not personally identifiable, and would be used for supporting generalised statements (e.g., "women aged 30-40 working improved their self-reported pain levels by x% more than men"). If you'd like to opt out, please email firstname.lastname@example.org
We also collect information automatically through Body Made Simple (or through third-party services employed in Body Made Simple), which can include: behavioural data (e.g., the number of sessions you complete, which techniques you practise and how many times you practise them), the IP addresses or domain names of the computers used by Users of Body Made Simple, the URI addresses (Uniform Resource Identifier), the time of the request, the method used to submit the request to the server, the size of the file received in response, the numerical code indicating the status of the server's answer (successful outcome, error, etc.), the country of origin, the features of the browser and operating system used by the User, the various time details per visit (e.g., the time spent on each page within the Application), the details of the path followed within the Application with special reference to the sequence of pages visited, and other parameters about the device operating system and/or the User's IT environment.
The System is not directed at anyone under the age of 13. We do not knowingly collect personally identifiable information from children under 13. If we discover that a child under 13 has provided us with personal information, we immediately delete it from our servers. If you are a parent or guardian and you are aware that your child has provided us with personal information, please contact us so that we can take the necessary action.
3. Who has access to that data?
Body Made Simple understands that your identifiable health information is private and personal and is dedicated to maintaining its confidentiality and integrity. As such, we will never sell or rent it, and we have policies, procedures, and other safeguards to help protect it from improper use and disclosure.
The following categories describe the ways in which we use your identifiable health information and the rare instances that require us to disclose it to persons and entities outside of Body Made Simple. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorisation.
Body Made Simple does not disclose Personal Information to third parties for any purpose materially different from the purpose(s) for which it was originally collected.
Disclosure at your request
We may disclose information relating to your use of the System when requested by you. This disclosure at your request may require written authorisation by you.
We do not store credit card or customer details with any third parties except trusted suppliers who help us deliver the services associated with the System, and we are committed to ensuring that all suppliers meet our security and data protection standards.
Services and Operations
We may use and disclose your identifiable health information in connection with providing services, for our internal operations, which include administration, eligibility, planning, analytics and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve quality of the service, satisfaction surveys, de-identifying health information, customer services and internal training. To the extent you receive access to our Website and App through your employer or your health plan, our services may include supporting, and sharing information with, your employer’s wellness program, your health plan or third-party administrator or other similar programs. Possible information to be shared may include participation data (i.e. the fact that you used BodyGuide), milestone data (e.g. number of sessions you complete or how many times you practice the techniques) to allow you to earn incentives and rewards (if those are offered as part of your wellness program), as well as data from your self-reported pain or injury symptoms.
We may receive a confirmation when you open an email from us, or click on a link in an email, if your computer supports this type of program. We use this confirmation to help us make emails more interesting and helpful. When you receive an email from us, you can opt out of receiving further emails by following the included instructions to unsubscribe. However, by opting out of further email communications after you sign up, you may limit program reminders and other valuable program content and components.
Reminders and notifications
We may use and disclose your identifiable health information to contact you as a reminder to interact with, or complete tasks relating to your use of the System. You may make changes to the format and frequency of these reminders, or cancel these reminders and/or notifications by logging into your BodyGuide account in the App, and/or by accessing the native notification settings on your mobile device when using the App.
Third party service providers
Some services in our organisation are provided through third-party service providers. Examples of third-party service providers include accounting services, server hosting and email delivery providers, business associates, vendors and other business partners, and reputable companies in the industry who subcontract to us or to your employer (where your employer is our corporate customer), where permitted by law. We may disclose your identifiable health information to our third-party service providers so that they can perform the job that is required of them. To protect your identifiable health information, we require appropriate contracts or written agreements to be in place that safeguard your identifiable health information.
Links to Other Sites
Third party medical professionals
With your explicit permission, we may share your identifiable health information with third party medical professionals nominated by you.
Threat to health or safety
We may use and disclose your identifiable health information when necessary to prevent a serious threat to your health and safety or the health and safety of the public or another person. Any disclosure, however, would only be to someone able to help prevent the threat.
As required by law
Certain laws permit or require certain uses and disclosures of identifiable health information, for example for public health activities, health oversight activities and law enforcement. In these instances, Body Made Simple will only use or disclose your identifiable health information to the extent the law requires.
For research and publicity purposes
We may use de-identified health information for internal and external research and publicity purposes. This may include publishing aggregate information about our users (e.g., "women aged 30-40 working improved their self-reported pain levels by x% more than men") in the context of providing public health information and conducting academic research. In certain instances, we may only provide such information with special waivers and permissions from you.
Some of the third-party services that we use to monitor and analyse web traffic and Application use to keep track of user behaviour include:
Transfer of business assets
In the event that we sell or buy any business or assets, we may disclose your personal data to the prospective seller or buyer of such business or assets. If Body Made Simple or substantially all of its assets are acquired by a third party, personal data held by it about its customers will be one of the transferred assets. Body Made Simple will ensure that information transferred to third parties will only be used in a way that is compliant with our privacy principles, and will remain liable in cases of onward transfers to third parties.
4. How do we store your data?
We store all your personal information on secure servers. In some cases, to ensure a fast user experience, we may store some data on your device.
Where you have chosen a password that enables you to access certain parts of our App, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.
We do not store any credit or debit card information. Payments are processed via a third party payment provider that is fully compliant with Level 1 Payment Card Industry (PCI) data security standards. Any payment transactions are encrypted using SSL technology.
We may process some of your data using third-party software platforms whose servers are located outside Australia, the US, the UK or the EEA in order to send communication emails to our users, but always in accordance with data protection law and subject to strict safeguards.
5. Your rights
Users of the System have certain specific rights with regard to their information.
Right to access
A user of the System has the right to view all personal information that Body Made Simple has collected about them, as well as the disclosure of this data. In order to receive this data, please contact the Security, Privacy, and Compliance Officer. The first copy of this information is provided free of charge, and in a portable / common electronic form (e.g. CSV file).
Right to accuracy
A user of the System has the right to ensure that the data we have stored is accurate. In most cases, the system allows you to directly modify your own information. However, if there is incorrect data within our system that you are not able to change, please contact the Security, Privacy, and Compliance Officer and we will work directly with you to update this information.
Right to deletion
Subject to any exemptions provided by law, a user of the System has the right to request deletion of all data within the system. To request your data be deleted, please contact the Security, Privacy, and Compliance Officer. In most cases, this request will be completed within 30 days. If circumstances require a delay to this deletion, Body Made Simple will notify you directly explaining the reason for the delay. Note also that in some cases, there may be a legal requirement to hold on to your data. Again, Body Made Simple will notify you directly if this is the case. Please note that without your data, we will be unable to deliver the BodyGuide program.
Right to withdraw consent
A user of the System has the right to withdraw their consent at any time by contacting the Security, Privacy, and Compliance Officer. Please note that without consent to process your data, we will be unable to deliver the BodyGuide program.
Right to notification of disclosure
In addition to the right to request disclosures of your data specified in the "right to access" above, we will notify you as required by law if there has been a breach of the security of your identifiable health information.
Concerns or complaints
If you believe that any of your rights with respect to your or others’ identifiable health information have been violated by us, our employees or agents, please communicate with the Body Made Simple Security, Privacy, and Compliance Officer.
6. Amending this Policy
Questions relating to revisions to this Policy may be addressed to the Security, Privacy, and Compliance Officer.
7. Who can you contact?
Security, Privacy, and Compliance Officer
Body Made Simple's Security, Privacy, and Compliance Officer (and Data Controller) can be reached at:
81 Raglan Street, Port Melbourne, VIC, 3207
If we are subject to the Health Insurance Portability and Accountability Act (“HIPAA”), you may also contact the Secretary of the U.S. Department of Health and Human Services. Under no circumstances will we take any retaliation against you for filing a complaint.
8. Effective Date
This Policy is effective as of September 1, 2020.