Boundlss
AI-human health assistant.

Data Protection Policy

The privacy of your health information is important to us. 

Introduction

Boundlss holds Personal Data about our users, employees, clients, suppliers and other individuals for a variety of business purposes.

This policy sets out how we seek to protect Personal Data and ensure that staff understand the rules governing their use of Personal Data to which they have access in the course of their work. In particular, this policy requires staff to ensure that the Data Protection Officer (DPO) be consulted before any significant new data processing activity is initiated to ensure that relevant compliance steps are addressed.

Boundlss operates in several jurisdictions, including Australia, the United Kingdom, Singapore, and Hong Kong.  This policy describes principles and procedures which ensure Boundlss complies with the various regulations across all the regions in which we operate.

The procedures described in this policy must be followed at all times by Boundlss, its employees, agents, contractors, or other parties working on behalf of Boundlss.

Boundlss is committed not only to the letter of the law but also to the spirit of the law and places a high premium on the correct, lawful and fair handling of all Personal Data, respecting the legal rights, privacy and trust of all individuals with whom it deals.

Scope

This policy applies to all staff.  You must be familiar with this policy and comply with its terms.  This policy supplements our other policies relating to internet and email use.  We may supplement or amend this policy by additional policies and guidelines from time to time.  Any new or modified policy will be circulated to staff before being adopted.

As our Data Protection Officer, Michael Kruger has overall responsibility for the day-to-day implementation of this policy.

Training

All staff will receive training on this policy. New staff will receive training as part of the induction process. Further training will be provided at least every year or whenever there is a substantial change in the law or our policy and procedure.

Training is provided through in-house seminars and online training on an annual basis, and covers the applicable laws relating to data protection, and Boundlss’ data protection and related policies and procedures.

Completion of training is compulsory.

If you have any questions or concerns about anything in this policy, do not hesitate to contact the DPO.

Applicable Legislation Considerations

UK Data Protection Act 1998 (DPA)
Under the UK Data Protection Act 1998, Personal Data is defined as data which relates to a living individual who can be identified from that data, or from that data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

The UK Data Protection Act 1998 also defines “sensitive Personal Data” as Personal Data relating to the racial or ethnic origin of the data subject; their political opinions; their religious (or similar) beliefs; trade union membership; their physical or mental health condition; their sexual life; the commission or alleged commission by them of any offence; or any proceedings for any offence committed or alleged to have been committed by them, the disposal of such proceedings or the sentence of any court in such proceedings.

Boundlss is registered with the Information Commissioner as a data controller under the register held by the Information Commissioner pursuant to Section 19 of the UK Data Protection Act 1998.

Singapore PDPA (PDPA)
Personal Data is defined in the PDPA as “data, whether true or not, about an individual who can be identified a) from that data; or b) from that data and other information to which the organisation has or is likely to have access.”

EU General Data Protection Regulation (EU) 2016/679 (GDPR)
The regulation applies if the data controller (organization that collects data from EU residents) or processor (organization that processes data on behalf of data controller e.g. cloud service providers) or the data subject (person) is based in the EU.

The Regulation also applies to organizations based outside the European Union if they collect or process personal data of EU residents.

According to the European Commission, Personal Data is: "any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."

Personal Data

Boundlss defines Personal Data as the broader of the definitions contained in the PDPA, DPA, and GDPR.

Boundlss defines Sensitive Personal Data as the broader of the definitions contained in the PDPA, DPA, and GDPR.

Any use of sensitive Personal Data is to be strictly controlled in accordance with this policy.

While some data will always relate to an individual, other data may not, on its own, relate to an individual. Such data would not constitute Personal Data unless it is associated with, or made to relate to, a particular individual.

For the purposes of the Singaporean PDPA, Boundlss is a Data Intermediary.  From the Act:
“data intermediary” is an organisation which processes Personal Data on behalf of another organisation but does not include an employee of that other organisation.

Generic information that does not relate to a particular individual may also form part of an individual’s Personal Data when combined with Personal Data or other information to enable an individual to be identified.

Aggregated data is not Personal Data.

Boundlss gathers Personal Data for two purposes: for health coaching, and for internal operations.

Personal Data for health coaching relates to identifiable individual users and may include:

  • user profile information such as Full name, Photograph, Date of Birth, Mobile telephone number, and Personal email address;
  • health-related behavioural data such as step counts, fitness activities, weight, and sleep patterns; and
  • messages between users and our coaching service.

Personal Data we gather for internal operational purposes relates to identifiable individuals such as job applicants, current and former employees, contract and other staff, clients, suppliers, and marketing contacts, and the data gathered may include individuals' contact details, educational background, financial and pay details, details of certificates and diplomas, education and skills, marital status, nationality, job title, and CV.

Principles

Boundlss collects and processes Personal Data in compliance with the following data protection principles:

Consent
The user (data subject) must give their explicit, active consent to the collection and processing of their Personal Data. This consent can be revoked at any time.

Notification
Boundlss notifies all users about the intended purpose of any collected data prior to collection.

Purpose Limitation
Personal Data can be used only for the purposes explained to the user, and for which they have explicitly given consent.  The data collected must be necessary for the performance of the purpose, and not excessive with respect to the purposes for which it was collected.

Right to Access and Correction
Users should be able to access their personal, wearable, and messaging data, and to correct said data where applicable.

Accuracy
Boundlss should take all reasonable steps to ensure users’ data is accurate and up to date.

Protection
Boundlss should take all reasonable steps to ensure user data is secured and protected against unauthorised or unlawful processing, accidental loss, destruction, or damage.

Retention Limitation
Boundlss should not keep personal user data for any longer than necessary to fulfil the purposes for which the user gave their consent.

Openness
Boundlss publicly publishes our Data Protection Policy and the direct contact details of our Data Protection Officer.

Data Portability
Upon request, a user should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.

Right to be Forgotten
A data subject may request that any information held on them is deleted or removed, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

Privacy by Design and Default
Privacy by Design is an approach to projects that promotes privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.

When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

International Data Transfers
Specific consent from the user must be obtained prior to transferring their data outside their source region.

Boundlss must not transfer data to another geographic region unless Boundlss can ensure an adequate level of protection of the rights and freedoms of users in relation to the processing of their Personal Data within the destination region.

Data Audit and Register
Boundlss will keep a register of annual data audits & their outcomes to manage and mitigate risks. The register will detail what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

Purposes

The purposes for which Personal Data may be used by us include:

  • Providing a personalised digital health coaching service to our users
  • Research and Development of AI and chat technology in support of our health coaching service
  • Compliance with our legal, regulatory, and corporate governance obligations and good practice
  • Gathering information as part of investigations by regulatory bodies or in connection with legal proceedings or requests
  • Ensuring business policies are adhered to (such as policies covering email and internet use)
  • Operational reasons, such as recording transactions, training and quality control, ensuring the confidentiality of commercially sensitive information, and security vetting
  • Investigating complaints
  • Checking references, ensuring safe working practices, monitoring and managing staff access to systems and facilities and staff absences, administration, and assessments
  • Monitoring staff conduct & disciplinary matters
  • Marketing our business
  • Improving our services
  • Risk modelling for our health and life insurance partners

Responsibilities

Responsibilities of the Data Protection Officer
The Data Protection Officer’s responsibilities include:

  • Overseeing the implementation of, and compliance with this Policy, working in conjunction with the relevant employees, managers and/or department heads, agents, contractors and other parties working on behalf of Boundlss;
  • Keeping the board updated about data protection responsibilities, risks, and issues
  • Reviewing all data protection procedures and policies on an annual basis
  • Arranging data protection training and advice for all staff members and those included in this policy
  • Answering data protection queries or complaints from users, clients, staff, board members, and other stakeholders
  • Responding to individuals such as clients and employees who wish to know which data is being held on them by Boundlss
  • Checking and approving with third parties that handle Boundlss’s data any contracts or agreements regarding data processing

Responsibilities of the Engineering Manager
The Engineering Manager’s responsibilities include:

  • Ensuring all systems, services, software, and equipment meet acceptable security standards;
  • Researching and reviewing third-party services Boundlss uses to store or process data (such as cloud computing services) on a regular basis; and
  • Managing authentication and authorisation for engineering staff to access Boundlss’ infrastructure, including cloud services, databases, and application servers.

Responsibilities of the Marketing Manager
The Marketing Manager’s responsibilities include:

  • Approving data protection statements attached to emails and other marketing copy; and
  • Coordinating with the DPO to ensure all marketing initiatives adhere to data protection laws and Boundlss’s Data Protection Policy.

Responsibilities of the Coaching Manager
The Coaching Manager is responsible for:

  • Ensuring all Coaches complete training in Boundlss’ policies and procedures, including the Data Protection Policy;
  • Managing the authentication & authorisation of Boundlss’ coaching staff.

Organisational Measures

Boundlss shall ensure that the following measures are taken with respect to the collection, holding, and processing of personal data:

  • All employees, agents, contractors, or other parties working on behalf of Boundlss are made fully aware of both their individual responsibilities and Boundlss’s responsibilities under this Policy, and shall be provided with a copy of this Policy;
  • Only employees, agents, sub-contractors, or other parties working on behalf of Boundlss that need access to and use of personal data in order to carry out their assigned duties correctly shall have access to personal data held by Boundlss;
  • All employees, agents, contractors, or other parties working on behalf of Boundlss handling personal data will be appropriately trained to do so;
  • All employees, agents, contractors, or other parties working on behalf of Boundlss handling personal data will be appropriately supervised;
  • Methods of collecting, holding and processing personal data shall be regularly evaluated and reviewed;
  • The performance of those employees, agents, contractors, or other parties working on behalf of Boundlss handling personal data shall be regularly evaluated and reviewed;
  • All employees, agents, contractors, or other parties working on behalf of Boundlss handling personal data will be bound to do so in accordance with the principles of this Policy by contract;
  • All agents, contractors, or other parties working on behalf of Boundlss handling personal data must ensure that any and all of their employees who are involved in the processing of personal data are held to the same conditions as those relevant employees of Boundlss arising out of this Policy;
  • Where any agent, contractor or other party working on behalf of Boundlss handling personal data fails in their obligations under this Policy that party shall indemnify and hold harmless Boundlss against any costs, liability, damages, loss, claims or proceedings which may arise out of that failure.

Our Procedures

Consent
Boundlss ensures consent is given by making informed, explicit, active consent a requirement of the mobile app’s registration process, including a clear identification of what the relevant data is, why it is being processed, and to whom it will be disclosed.

Notification
Boundlss ensures Consent is informed by notifying users in plain language about the intended Purpose of any data prior to collection, and by requiring users to give their consent to that Purpose as part of the mobile app registration process.

Fair and lawful processing
We must process Personal Data fairly and lawfully in accordance with individuals’ rights.  This generally means that we should not process Personal Data unless the individual whose details we are processing has consented to this happening.

The processing of all data must be:

  • Necessary to deliver our services
  • In our legitimate interests and not unduly prejudicial to the individual's privacy

In most cases this provision will apply to routine business data processing activities.

Purpose Limitation
Boundlss staff must not use Personal Data for any Purpose other than that consented to by the user.  In the general case, this means that it must be for the purpose of delivering a health coaching application and/or supporting activities.

Boundlss staff should not access Personal Data except where required to do so in the course of their work.

Right to Access, Correction, and Accuracy
Users can use the Boundlss mobile app to access their personal, wearable, and messaging data, and to correct their profile data at any time.

Boundlss should take all reasonable steps to ensure users’ data is accurate and up to date.

Boundlss assumes that Personal Data collected directly from the user will be accurate and complete.

We will ensure that any Personal Data we process is accurate, adequate, relevant, and not excessive, given the purpose for which it was obtained.  We will not process Personal Data obtained for one purpose for any unconnected purpose unless the individual concerned has agreed to this or would otherwise reasonably expect this.

Individuals may ask that we correct inaccurate Personal Data relating to them.  If you believe that information is inaccurate you should record the fact that the accuracy of the information is disputed and inform the DPO, Michael Kruger.

Protection
Boundlss should take all reasonable steps to ensure user data is secured and protected against unauthorised or unlawful processing, accidental loss, destruction, or damage.

In cases when data is stored on printed paper, it should be kept in a secure place where unauthorised personnel cannot access it.  Printed data should be shredded when it is no longer needed.

Sensitive Personal Data should never be saved directly to local devices such as workstations, laptops, or smartphones – it should be kept secured on remote storage provided by Boundlss’ selected cloud storage provider.

All digital services used by Boundlss should be protected on a per-user basis, by strong passwords, with role-based permissions.

We encourage all staff to use a password manager to create and store their passwords.

Personal Data should not be stored on local storage media such as CDs, DVDs, or memory sticks.

The DPO and Engineering Manager must approve any cloud service used to store data.

Data should be regularly backed up in line with Boundlss’s backup procedures.

All servers or services containing sensitive data must be protected by security software and firewalls.

All data should be transmitted over secure networks only.  Transmission over unsecured networks is not permitted in any circumstances, including via email.

No personal data may be shared informally.  If an employee, agent, sub-contractor, or other party working on behalf of Boundlss requires access to any personal data that they do not already have access to, such access should be formally requested from their relevant manager.

If Personal Data is being viewed on a computer screen and the computer in question is to be left unattended for any period of time, the user must lock the computer and screen before leaving it.

Under no circumstances should any personal passwords be written down or shared between any employees, agents, contractors, or other parties working on behalf of Boundlss, irrespective of seniority or department.

Retention Limitation
Boundlss should not keep personal user data for any longer than necessary to fulfil the purposes for which the user gave their consent.

Boundlss keeps personal user data for a maximum period of 12 months after the user’s most recent access of the app, unless the user requests that their account be deleted.

Boundlss will (soft) delete the user’s account within 5 working days of confirmation of the request by the user.

Deleting a user account has the following effects:

  • The user’s wearables (if any) are immediately disconnected from our service
  • User’s name is deleted from their profile
  • User’s messaging history is anonymised by redacting the user’s name wherever it appears
  • User’s email address & mobile phone number are deleted
  • User account is soft deleted
  • Wearable data is retained to train our AI
  • Messaging history is retained to train our AI

Openness
Boundlss publicly publishes our Data Protection Policy and the direct contact details of our Data Protection Officer.

Data Portability
Upon request, a user should have the right to receive a copy of their data in a structured format. These requests should be processed within one month, provided there is no undue burden and it does not compromise the privacy of other individuals.

Boundlss achieves this by enabling the user to instantly download a copy of their data via the mobile app.

Right to be Forgotten / Erasure
A user may request that any information held on them is deleted, and any third parties who process or use that data must also comply with the request. An erasure request can only be refused if an exemption applies.

Boundlss allows users to request that their account be deleted via the mobile app, or by direct email to the DPO.

Privacy by Design and Default
Privacy by Design is an approach to projects that promotes privacy and data protection compliance from the start. The DPO will be responsible for conducting Privacy Impact Assessments and ensuring that all IT projects commence with a privacy plan.

When relevant, and when it does not have a negative impact on the data subject, privacy settings will be set to the most private by default.

Transferring Data Internationally
No data may be transferred outside of Boundlss’ Australian (Azure) data centres without prior approval from the DPO.

Specific consent from the user must be obtained prior to transferring their data outside their source region.

You must not transfer Personal Data to another geographic region unless 1) Boundlss can ensure an adequate level of protection of the rights and freedoms of users in relation to the processing of their Personal Data within the destination region, and 2) you have been given permission to do so by the DPO.

Data Audit and Register
The DPO will conduct regular data audits to manage and mitigate risks, and record the data held by Boundlss in a Data Register.

The Data Register contains information on what data is held, where it is stored, how it is used, who is responsible and any further regulations or retention timescales that may be relevant.

User Access Requests
Individuals are entitled, subject to certain exceptions, to request access to information held about them.

If you receive a subject access request, you should refer that request immediately to the DPO. We may ask you to help us comply with those requests.

Please contact the Data Protection Officer if you would like to correct or request information that we hold about you. There are also restrictions on the information to which you are entitled under applicable law.

Processing data in accordance with the individual's rights
Do not send direct marketing material to someone electronically (e.g. via email) unless you have an existing business relationship with them in relation to the services being marketed.

Please contact the DPO for advice on direct marketing before starting any new direct marketing activity.

PDPA & GDPR Provisions for Users

Privacy Notice - Transparency of Data Protection
Being transparent and providing accessible information to individuals about how we will use their Personal Data is important for our organisation.

The following are details on how we collect data and what we will do with it:

What information is being collected?
Boundlss collects Personal Data about users including, but not limited to:

  • Full name
  • Photograph
  • Mobile telephone number
  • Personal email address
  • Health Coaching conversations, including individual goals
  • Wearable data such as step counts, distance travelled, floors climbed
  • Health app data such as details re: fitness activities, intensity, & durations
  • Health-related data such as weight, height, and BMI

How is it collected?
Boundlss collects data using the Boundlss mobile app (which may be branded according to our clients’ requirements) and via third-party wearable and health apps.

Boundlss specifically asks the individual for permission to collect their data for the purpose of providing a digital personalised health coaching service & obtains the user’s consent as part of the registration process.  Users cannot access the Boundlss service if they withhold their consent.

Boundlss also requires explicit consent to collect Personal Data for any additional purposes required by our clients.

Boundlss only collects data from third parties once the user has provided their permission.  (User permission is explicitly required to enable the retrieval of any data from third parties.)

All of Boundlss’ third-party wearable providers explicitly ask the user’s consent before collecting their data.

Why is it being collected?
Boundlss collects Personal Data for the purpose of providing a digital personalised health coaching service.

If Boundlss’ clients intend to use Personal Data for any purpose other than for providing a digital personalised health coaching service, then Boundlss will explicitly request permission from the user to collect, store, and process their data for that purpose.

Boundlss requires its clients to disclose any and all ways they use the Personal Data collected by Boundlss.

How will it be used?
The data is used by Boundlss strictly to provide a health coaching service, and all supporting activities necessary to provide and improve that service.

Personal Data is accessible only to authenticated and authorized Boundlss administrative, managerial, health, content, research, technical, engineering, compliance, support, and coaching staff for the purposes of:

  • Providing personalised health coaching
  • Monitoring and improving the quality of human coaching
  • Monitoring and improving the in-app experience and user engagement
  • Research & Development of Artificial Intelligence agents to provide AI health coaching
  • Administering the technology platform and sub-systems

Personal Data is accessed by Boundlss staff only where necessary to perform the tasks of their job (e.g. Coaches and Researchers do not have access to the users’ email addresses or mobile numbers).

All user data is stored remotely in databases secured & hosted on Microsoft Azure in their Australian data centres.

Boundlss users do not extract, copy, or use local copies of user data unless it has been anonymised or aggregated.

Database access by Boundlss staff is authorized on an IP-whitelisted, per-user basis according to the requirements of their job, and authenticated using strong passwords.

Boundlss does not print or save to local storage any Personal Data.

Boundlss does not transfer Personal Data to any third parties excepting our clients on whose behalf we are the data intermediary.

Boundlss transmits Personal Data only:

  • Between servers on our platform,
  • To and from a user’s authenticated installation of the Boundlss app, and
  • To our clients, on whose behalf we are the data intermediary.

Who will it be shared with?
The Personal Data is disclosed to the following:

  • Boundlss AI agents
    to generate suggested responses to user messages
  • Boundlss coaching staff
    to provide QA over AI responses, and to respond to user requests where the AI cannot
  • Boundlss research and health staff
    to improve the health coaching service
  • Boundlss management staff (for QA & coaching management)
    to ensure the coaching conversations meet the standard of quality required by Boundlss
  • Our client, on whose behalf Boundlss is acting as a data intermediary
    for their own purposes, as negotiated on a per-contract basis.

Boundlss requires its clients to handle any Personal Data (transferred to them via Boundlss) to the standard required by PDPA.

Boundlss does not provide Personal Data to third parties excepting the clients on whose behalf we are the intermediary.

How can it be accessed or corrected?
Users can access and update their own Personal Data using the Boundlss app.

Boundlss assumes that Personal Data collected directly from the user will be accurate and complete.
(As per Guidelines for Life Insurers c.43.)

How can Consent be Withdrawn?
The Boundlss app provides a single-step process for users to disconnect their wearable(s) & disable the ability for Boundlss to retrieve their wearable data from third-party providers.

Users can use the Boundlss app to submit a request for their account to be deleted (via chat with the coach).

Details of transfers to third countries and safeguards
Boundlss stores data on the Azure hosting platform in two data centres in Australia.

Boundlss keeps all data secured in accordance with the standards required by relevant UK, EU, and Singaporean legislation.

Boundlss keeps all data encrypted both in transmission and at rest.