Insideout VR app privacy and cookie policy

Publication Date: 16^th July 2023

At InsideOut, we take the privacy and safety of our users very seriously. We have written this Privacy Policy to tell you about your rights in relation to the data you give to InsideOut when you use our VR App, App or Website (Platform).

Who are we? We are InsideOut25 Limited, a company registered in England. Our address is: 164 Walkden Road, Worsley, Manchester, M28 7DP. If you have any questions about your privacy, data or this policy, please contact us at: [email protected]

What Data Do We Collect?

When you register with InsideOut, you, or your employer (who offers InsideOut as an employee benefit to you) give(s) us some personal details. This is so we can provide you with the services that you need or ask for.

We will inform you about our data collection by referring to this Privacy Policy and we will ask you for your consent to share data where necessary. Please note that without your consent, we cannot provide all of our services, so if you do not want to consent (and that’s totally up to you), we are unable to offer you the full range of services.

In many cases, your mobile/VR device will provide tools to allow you to control when your device collects or shares personal data or tracking information.  For example, your mobile/VR device may offer tools to allow you to manage cookie usage or location sharing.  We encourage you to familiarise yourself with and use the tools available on your devices.

The personal details we collect include:

• Account Data: Login and account information, including screen name, password and unique user ID; and your use of the service.
• Contact Data: Contact details including but not excluded to your name, email and work email.
• Health Data: Data about your health, in particular your mental health, including details from mood trackers and safeguarding status
• Preferences Data: Personal preferences including your marketing and cookie preferences
• Technical Data: When interacting with our VR App, data is automatically collected and shared with the InsideOut25 technology platforms.  More information about these practices is included below.  This data includes:device IDs, call state, network access, storage information and battery information, cookies, IP addresses, referrer headers, data identifying your phone and version, and web beacons and tags

Why Do We Collect your Personal Details?

To provide the VR App to you	We use your personal information to provide the service you want and expect from us. The legal grounds for this is the performance of the arrangement we have with you to provide the services you’ve asked for.
To maintain and improve our services and run our business	We may use the data you provide to improve our service. For example, we evaluate Technical Data to make sure our service is working well or whether we need to make improvements to the video conferencing tech or the Platform design. We may also use Technical Data to understand more about how your use the Platform and your preferences. We may also need to share data with our professional advisors. For example, to get legal advice, enforce our VR App User Terms or to obtain insurance for our business. We also need to comply with any legal proceedings and applicable law. If you’ve expressly agreed, we’ll use your contact data to keep you updated about new events and services. This type of sharing is allowed because it is in our legitimate business interests. We will never share any medical information for this purpose.
Using your Health Data	Your Health Data is special category personal data. We treat it as such. We keep it secure and only use it to provide the VR App and the services to you. We will never pass this data on to anyone without your explicit consent, or as outlined above. When you first use the VR App and open an account, you are required to fill in a mood questionnaire, which asks for Health Data. By completing this mood questionnaire you consent to our collection and use of your Health Data information. You understand that we may share your Health Data with our counsellors and third party providers such as technical product development agencies to help to run the VR App on our behalf. Please note that you can withdraw your consent at any time, but if you do so, you will not be able further use the VR App. Please note that we never share your Health Data with your employer. You can ask us to update or delete your Health Data by emailing us. See the “Your Rights” and “How to Contact Us” sections at the end of our Policy. The legal grounds we have to use your Health Data is your consent and, sometimes, vital interest.

Who Do We Share Your Data With? InsideOut shares your personal data as follows:

• To our third party service providers, who process data on our behalf to provide services to you. For example, we use Amazon Web Services (AWS) to host our Mobile and VR App within the EU. We trust AWS to keep data safe and encrypted. This is to protect it from cyber attack or hacking. AWS are GDPR compliant. This means that they meet all the required standards of the new data privacy rules. AWS do not read or access any of your data. Twilio Inc. provide our video- conferencing functionality within the App on our behalf. Twilio are based in California and have certified that they fully comply with the EU’s high standard of data privacy. You can read Twilio’s privacy policy here: https://www.twilio.com/legal/privacy
• We use ChatGPT, provided by OpenAI OpCo, LLC, to enhance our resource recommendation functionality. Any Personal Data that you supply using that functionality will be transferred to Open AI’s USA-based facilities and servers for processing. We will ensure such transfers are protected by the appropriate safeguards required by applicable law.
• Other third parties to the extent necessary to: (i) comply with a government request, a court order or applicable law; (ii) prevent illegal uses of our App or breaches of our Apps’ Terms and our policies; (iii) defend ourselves against third party claims; and (iv) assist in fraud prevention or investigation.
• In the event we ever sell or transfer a portion of our business or its assets, we may transfer your data to the acquiring party.

Please note that we DO NOT share your Health Data with your employer. However, we do share service usage on an aggregated basis so that we can administer our business, which is an employee benefit. This is on an anonymous basis.

How Do We Protect Your Data? Encryption & Security:  We use a variety of security measures, including encryption to maintain the safety of your personal data. Your personal data is contained behind secured networks and is only accessible by a limited number of people who have special access rights to such systems for the purposes of providing, maintaining and supporting the services which we provide to you. All of our counsellors have been trained in respect of how to handle personal data and are provided with technological solutions to ensure your personal data is kept secure.

How Long Do We Keep Your Data For? We retain your personal data for as long as necessary to fulfil the purposes for which we collect it, and as required by law and regulation. You have the right to request that we delete your personal data at any time. This may result in us no longer being able to provide the services to you. Please see “Your Rights” below.

Your Rights. This is a summary of your rights under data protection law. Some of these rights are very complex so we have just summarised them. You may obtain guidance from the ICO for a more detailed explanation.

• Access: To know whether or not we process your personal data and have access to that data. Providing the rights of others are not affected, we will supply you a copy of your personal data free of charge. Additional copies may be subject to a reasonable fee.
• Rectification: You have the right to have any inaccurate data personal data about you rectified and have any incomplete personal data about you completed. When you communicate with us, we will check the data we have stored and rectify any errors when proof is provided.
• Erasure: You have the right to erasure of your personal data when: Personal data are no longer necessary in relation to the purpose for which it was originally collected. You withdraw consent to consent-based processing. You object to the processing under applicable law. The personal data has been unlawfully processed. We will erase the data as requested on validation of the claims, however data cannot be erased if processing is necessary for exercising the freedom of expression; for compliance; for legal obligation or to establish, exercise or defence against legal claims.
• Restrict Processing: You have the right to restrict processing of your personal data in the same circumstances as described under ‘right to erasure’ where you oppose erasure or have objected to processing and the decision is pending. Where processing is restricted, we will continue to store your personal data, but will only process it for legal claims, for the protection of another person’s rights or for reasons of public interest.
• Object to Processing: You have the right to object to processing of your personal data for direct marketing purposes. You can also object if the processing of your personal data is for reason of public interest, or for the legitimate interests pursued by us or a third party, or if we exercise any official authority vested in us. If you make an objection we will cease to process your data. If you object, we will cease to process your personal data unless we can demonstrate compelling reasons for that processing, which would include establishing, exercising or defending legal claims.
• You have the legal right to lodge a complaint to a supervisory authority responsible for your data protection. We will be bound by the decision of the supervisory authority.
• Withdraw Consent: You can withdraw consent at any time from processing of your Health Data. However, this will mean you can no longer use all the features of the App, as we are not an anonymous service.

Email us at [email protected] to exercise any of your rights in relation to personal data.

Please note that we will attempt to reply within 14 days but during busy periods, it may take up to 30 days.

We may ask for proof of your identity and address (a copy of your driving licence or passport and a recent utility or credit card bill) in order to verify your identity before carrying out your requests.

Complaints If you have a concern about how InsideOut is using your data, please contact us at [email protected] and we will strive to put your mind at rest. If you’re unhappy with our response or if you need any advice you can contact the Information Commissioner’s Office (ICO). Telephone: 0303 123 1113 or via the website www.ico.org.uk

Cookies : We do not use cookies or any other tracking devices on the App.

Changes to this Policy If we decide to change our Privacy and Cookies Policy to reflect changes in the App or the law, we will post the changes on our App and, where appropriate, notify you via the App. We strongly encourage you to read our Policy and regularly check for any changes. The date this Policy was last changed is in the heading at the top of the page.