To our Friends, Members and Community:
At Alta Flora, we have always taken privacy, data protection, trust and integrity very seriously. We have worked hard to build Eva with you, your privacy and data protection in mind.
Team Alta Flora
We collect, use and are responsible for certain personal information about you. When we do so we are subject to the General Data Protection Regulation which applies across the European Union (including in the United Kingdom) and we are responsible as ‘controller’ of that personal information for the purposes of those laws.
We, us, our: Alta Flora Ltd., a company incorporated in England and Wales with registration number 11388347 and whose registered office is at Alta Flora, 1, Sans Walk, London, England, EC1R 0LT, England, UK and including our group companies (“Alta Flora”).
Eva (“the App”) provides an easy way for you to track and monitor your consumption of botanical medicines, experiential medicines and other novel therapeutics and their impact on your quality of life. Eva is available in the Apple App Store and Google Play Store (the “App Stores”).
Personal information means any information that can be used to identify a single person.
Sensitive personal information is personal information revealing racial or ethnic origin, genetic and biometric data, information concerning health, sex life or sexual orientation.
WHAT personal information we collect about you
We may collect and use the following personal information about you:
your contact details, including your name, email address and telephone number. We believe in data minimisation and will only collect any such details to the extent we need them. Your email address (and any passwords) are kept in a separate authentication service and are separated from our main production database
gender and date of birth to enable us to check and verify your identity. In certain jurisdictions, if required by law, we may ask for your government issued ID
your data entered into the App which may include certain Sensitive personal information such as:
your general health e.g. weight, mood, condition, symptoms
type of product
how the product is administered
EQ-5D-5L (or similar) scales
description of your mood (e.g. good days, bad days)
adverse effects you may experience as a result of consuming a particular medicine or treatment
diagnosis specific questionnaires (e.g. GAD for anxiety, PHQ-9 for depression, chronic pain questionnaires)
name of the clinic attended by you
a study or trial you are taking part in
location data (country/metropolitan area). We do not collect your precise location
your billing information, transaction and payment card information if you choose to participate in support initiatives for research and study
information about how you use the App and related other systems
your responses to surveys
your responses to research and study related initiatives you may be taking part in
This personal information is required to provide our services to you. You are not required to provide it, but, if you choose not to do so, in many cases we will not be able to provide you with our products or services or respond to queries you may have.
We also collect the following types of data from you (minimised where possible to protect your privacy):
Device data: This data informs us about the device you use to access our services (model; application identifier; crash information). It helps us to fix bugs, tailor our services to your device and improve our services
Event and performance data: This is anonymised data, relating to which features of the App have been used and at what time, which is then aggregated. It helps us to:
better understand which features of the App are most relevant to you;
communicate with you about relevant and timely information;
direct future efforts towards more popular features; and
improve features where appropriate.
IP address: This is required for various security mechanisms and communication protocols within software systems. Your IP address may also be used as part of our regulatory compliance in different countries.
Other collection and processing necessary to comply with professional, legal and regulatory obligations that apply to Alta Flora.
HOW your personal information is collected
We collect most of this personal information directly from you in person, by phone, message or email and/or the App.
However, we may also collect information:
from publicly accessible sources, e.g. Companies House (if applicable)
directly from a third party, e.g.
a clinic or a health service provider (with your consent)
an authorised patient alliance group or similar (with your consent)
from a third party (with your consent), e.g. your caregiver
via our IT systems, e.g. communications systems, Gmail and instant messaging systems
WHY we use and process your personal information
We may process your personal information for the following reasons:
To provide our services, communicate with you and understand your needs
We collect certain information that allows us to contact you, analyse how you interact with the App, fix any bugs, send you reminders about our services (by email, message, push notifications, phone) and to keep you posted on announcements, our software updates, new features and our upcoming events. You will always remain in control of your communication preferences with Eva. If you don’t want to be on our mailing list, you may opt out from receiving these at any time.
We may also use certain Personal information to help us:
create, develop, operate, deliver, and improve our services and content;
for loss prevention and anti-fraud purposes;
for account and network security purposes, including in order to protect our services for the benefit of all our users; and/or
scanning uploaded content for potentially illegal content.
We will also use your personal information to provide you with important notifications regarding changes in our policies, terms and conditions. As these are integral in our interaction with you, you may not opt out of receiving these notifications whilst you are an Account holder.
From time to time, we may use third party tools to help us with system analytics (e.g. software performance analytics and cyber security services). We only let third parties process usage data and minimal personal information on Alta Flora’s behalf and not any of your Sensitive personal information. We only allow technology system providers to handle your Personal information if they take appropriate measures to protect it. We also impose contractual obligations on service providers to ensure they can only use your personal information to provide services to us and to you.
At present, we use Google Analytics (https://privacy.google.com/businesses/compliance/) to collect information about how you use Eva. The data is anonymised before being used for analytics processing. For us, Google Analytics processes anonymised information about:
the screen you visit whilst in app; and
how long you spend in our app
We do not store any of your personal information through Google Analytics (for example your name or address). We will not identify you through analytics information, and we will not combine analytics information with other data sets in a way that would identify who you are.
Advancing scientific and academic research and study
We will share data only with carefully vetted researchers, who have gone through our rigorous due diligence process, to advance health and well-being studies. For that purpose, your Personal information will be anonymised (or de-identified) by removing or hashing any personal identifiers so that neither researchers nor any third parties can link it to you. You can read about our collaborations on our website.
If you are a participant in a particular research and/or study that is run by a research facility or a study using Eva as a tool to collect information for that study, the use of your Personal information and any Sensitive personal information will be governed by the terms and conditions of such research and/or study participation agreements and Eva will only share your information in accordance with your express consent under those agreements. The research facility will be solely responsible for the usage of your Personal information and your Sensitive personal information in the context of their specific study. In this scenario, we and the research facility have a “joint and several responsibility” in the handling of your data.
We do not sell or share your Personal information or Sensitive personal information with organisations outside the Alta Flora Group for advertising or marketing purposes. We do not allow others to advertise their products in the App.
Eva is and always will be free to use. However, we need to generate revenue in order to maintain Eva (including paying salaries and bills at the business). In return for free use of the App, we use anonymised and aggregated data to generate research, the majority of which can then be made publicly available to benefit not only healthcare systems around the world but hopefully you or someone you know. We also support academia and industry to run studies privately using our technology platform for which we charge a fee.
We may process your Personal information for compliance with a legal or regulatory obligation to which Alta Flora is subject, for the performance of a contract to which you are a party, in order to protect your vital interests, or when we have assessed it is necessary for the purposes of the legitimate interests pursued by Alta Flora (e.g. to stop an unauthorised or a suspicious activity). In such circumstances, we will disclose only the minimum information that is required or requested.
Preventing unauthorised access and modifications to our systems
For our legitimate interests or those of a third party, i.e. to prevent and detect criminal activity that could be damaging for us and for you.
It may be necessary to disclose your Personal information to an authorised third party. For example, in the event of a reorganization, merger, or sale we may transfer any and all Personal information we collect to the relevant third party. Usually, information will be anonymised but this may not always be possible. The recipient of the information (e.g. a buyer of our business) will be bound by confidentiality obligations. This will not apply to your Sensitive personal information, which we will never transfer without your consent.
Consents and Your rights
Your rights and a couple of other facts we think you should know
The existence of Automated Decision-Making, Including Profiling
We do not take any decisions nor engage in activities which involve the use of algorithms or profiling that significantly affect you.
Integrity and Retention of your Personal information
You are in control and can help ensure that your Personal information is accurate, complete, and up to date. And you also have the right to require us to correct any mistakes in your Personal information.
Different retention periods apply for different types of personal information and our records retention and management policy will be regularly reviewed and kept up to date. When it is no longer necessary to retain your Personal information, we will delete or anonymise it.
Request information on your personal data processed by Eva
In certain situations, you can request access to your information by requesting a backup of your data in a machine readable format that is commonly used by other organisations or companies. You can make a request by contacting us at email@example.com
Right to be forgotten
By deleting your Account (as explained in the Terms and Conditions of Service) you will irrevocably delete all your data, including all past data sent to third-party services used for tracking and analysis.
Right to Object
You have the right to withdraw your consent from ongoing data processing at any time by deleting your Account and/or unsubscribing from our email communications by contacting us.
Right to Complain
We hope that we can resolve any query or concern you raise about our use of your information. You can contact our DPO and you also have the right to lodge a complaint with a supervisory authority, in particular in a European Economic Area (EEA) state or in the United Kingdom if you work, normally live or if any alleged infringement of data protection laws occurred in the relevant state.
The supervisory authority in the UK is the Information Commissioner (the ICO) who may be contacted at https://ico.org.uk/concerns/ or telephone: 0303 123 1113.
For further information on each of those rights, including the circumstances in which they apply, please contact us at firstname.lastname@example.org or see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals’ rights under the General Data Protection Regulation.
Where your Personal information is held
We use servers located in the European Union to process and store your Personal information. When you create an Eva account, your personal profile data is stored separately from your daily log/tracking data and your service settings. This allows us to ensure the highest level of privacy for your Sensitive personal information. When you create an Account password with Eva, it is encrypted and cannot be read by us.
Wherever data is transferred between your device and our servers, this is done using HTTPS and only following an authentication process on the App. Data at rest, e.g. when stored on a server, is stored using the AES-256 encryption algorithm.
Transferring your personal information out of the UK and EEA
To deliver services to you, it is sometimes necessary for us to share your personal information outside the UK and/or European Economic Area (EEA), for example:
with our offices outside the UK/EEA
with your and our service providers located outside the UK/EEA
if you are based outside the UK/EEA
where there is an international dimension to the services we are providing to you
These transfers are subject to special rules under European and UK data protection law. The following countries to which we may transfer personal information have been assessed by the European Commission as providing an adequate level of protection for personal information: Canada (commercial organisations only), Switzerland, New Zealand.
Except for the countries listed above with ‘adequacy’, other non-UK/EEA countries do not have the same data protection laws as the United Kingdom and EEA. We will, however, ensure any such transfer complies with data protection law and all personal information will be secure, by using the approved Model Contractual Clauses and by observing applicable privacy regulations.
Keeping your personal information secure
We have appropriate security measures to prevent Personal information under our control from being accidentally lost, or used or accessed or altered unlawfully.
We limit access to your Personal information to those who have a genuine business need to access it.
Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We will continually test our systems and follow top industry standards for information security when transferring and storing your data.
We will use all reasonable efforts to prevent misuse, loss or alteration of information.
We have procedures in place to deal with any suspected data security breach.
We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
We believe that the biggest threat to the security and privacy of your data is if a person (most likely someone you know) gains access to your devices without your consent. The data you log in Eva is private and it should stay that way (unless you actively choose to share it).
Protect your device – activate either PIN, Touch ID or Face ID (as appropriate) authentication – this will automatically encrypt your data (including Eva data) and will prevent any person from using your device without permission.
Activate Erase your Device – For iOS, activating this feature is a two-step process: first, you need to activate “Find My iPhone” via iCloud (see instructions on Apple Support pages) and then enable “Erase your device” (see instructions on Apple Support pages).
For Android, download and set up Find My Device (formerly Android Device Manager) from the Google Play Store and, if needed, use the connected web interface to lock or wipe your phone remotely.
If you would like some other detailed information from Get Safe Online on how to protect your information and your computers and devices against fraud, identity theft, viruses and many other online problems, please visit www.getsafeonline.org. Get Safe Online is supported by HM Government and leading businesses.
If you have ever entered your details in a form on our site, we also use cookies that track your browsing habits. These data are used to improve our website and offer content that meets visitors’ preferences.
On your first visit to our website we informed you about cookies and asked your permission to use them. In the settings of your internet browser you can opt out of cookies and you can delete all information previously saved.
We use a suite of performance analysis and monitoring tools called Firebase (https://firebase.google.com/support/privacy), which is provided by Google Inc. Firebase allows us to monitor the overall performance and stability of the App, implement internal version control, identify bugs and prioritize fixes.
For this purpose Firebase collects your IP address, device identifier, as well as event and usage data specifically related to your use of the App. This data will be transferred to and stored on a server in the EU and operated by Google, Inc. It is not possible to opt out of this as Firebase is an essential tool that we require in order to provide a functioning Eva App to you.