European General Data Protection Regulation
Because the work Zoe Global Limited does takes place in the UK, the European Union’s “General Data Protection Regulation” (GDPR) applies to our processing of your personal data, even if you do not live in Europe.
We process two kinds of information about you:
This is information about you, your health and your symptoms if unwell. It includes:
We may also ask other questions from time to time, such as:
We process this data in order that:
Our legal basis for processing it is that you consented to our doing so. Because of the tight regulatory requirements placed on us, we need your consent to process data about your health, which means that if you do not consent (or withdraw your consent), we cannot allow you to use the app. This is not meant unkindly, we are simply not able to provide you with the service without your consent.
We share this data with people doing health research, for example, people working in:
A full list of institutions we have shared data with can be found at the bottom of this page. An anonymous code is used to replace your personal details when we share this with researchers outside the NHS or King's College London.
Before sharing any of your data with researchers outside of the UK, we will remove your name, phone number, email address and the last 3 digits of your post code to protect your privacy.
Because of the nature of the research we carry out, we are unable to set any particular time limit on the storage of your sensitive personal data, but we will keep it under regular review and ensure that it is not kept longer than is necessary.
If you wish us to stop processing your sensitive personal data, you may withdraw your consent at any time by emailing us at leavecovidtracking@joinzoe.com. When you withdraw your consent, we will delete all sensitive personal data we hold about you.
We also collect contact information and other information from your device including:
We use this information for the following purposes:
We will not send any emails not meant individually for you (for example marketing emails) if you do not want us to do so. Every such email will include a link you can click to opt-out from receiving them. We will not sell your contact information to third-parties.
Our legal basis for processing this information is our legitimate interest in developing, marketing and running the app.
We keep your contact information for 6 years after the last communication with us, or the last use of the app, for liability purposes, then we delete it.
The app also allows you to input information about other people in addition to your own by making a separate profile for them. If the other person is able to understand the concept of consent, for example if they are a mentally competent adult or mature child, then you must only do this if they have given their consent.
Younger children may not be mature enough to give consent, but they may be able to understand what you are doing. If so, you should explain to them what you are doing and what may happen to information about them to the extent they are capable of understanding. You should also try to take into account their views, even if you make the ultimate decision. We trust you to know your child and to do what is appropriate given their level of maturity.
If your child is attending school, you may optionally tell us about their school, their bubble and other things about their attendance. We use this information in the same way we use other sensitive personal data, but in addition we may (where it would not identify any individual) use it to alert you to an infection in your child’s bubble and to help the school plan for any impact of COVID-19.
We use third parties to process some of your personal data on our behalf. When we allow them access to your data, we do not permit them to use it for their own purposes. We have in place with each processor, a contract that requires them only to process the data on our instructions and to take proper care in using it. They are not permitted to keep the data after our relationship with them has ended.
These processors include:
Under the GDPR you have a number of important rights free of charge. In summary, those include rights to:
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the United Kingdom Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation.
If you would like to exercise any of those rights, please email, call or write to our data protection officer using the contact details given below.
The General Data Protection Regulation also gives you the right to lodge a complaint with a supervisory authority, in particular in the European Union (or European Economic Area) state where you work, normally live or where any alleged infringement of data protection laws occurred. The supervisory authority in the UK is the Information Commissioner who may be contacted at https://ico.org.uk/make-a-complaint/your-personal-information-concerns or telephone: +44 0303 123 1113.
Our UK address is: 164 Westminster Bridge Road, London SE1 7RW
Data Protection Officer: dpo@joinzoe.com
Institutions we share data with: