Privacy Policy

This privacy notice explains how we will process your personal information obtained through your use of our website at https://www.cerinahealth.com, your use of our "Cerina" app, our supply of services to you, and through other interactions with you (e.g., marketing activities and networking events).

It also covers other situations where we process personal data that is not covered by other notices, such as in the case of our corporate partners and associated parties or organisations we work with.

Through use of the Cerina website and app, registered users can access our online services that allow users to make purchases or set up accounts for one or more repeat sessions. It is important that you read this privacy notice, together with any just-in-time privacy notices we may provide elsewhere on our website and app, so that you are fully aware of how and why we are using your data, and what data protection rights you have.

Your use of our website or app will constitute your acknowledgement of the terms of our privacy policy.

Updates

We keep our privacy policy under regular review and make amendments to it whenever needed. Please check regularly for updates.

Last revised date: 04 April 2024.

Version: 1.3

We also continuously review and update our Privacy Policy to reflect changes in our data practices. Should there be any changes in the purpose for which we collect and use your personal data, we will update our policy accordingly and may re-obtain your consent if required by law. Please visit our website regularly for the latest updates.

Important points to note about Cerina:

Its purpose in providing evidence-based tools and techniques is to manage emotions and promote psychological well-being in the context of self-help and self-monitoring. The app is not intended to provide diagnosis, prognosis or treatment of any condition or illness.

  1. This app does not provide medical or clinical advice. It only suggests seeking medical assistance.
  2. Cerina is not a replacement for face-to-face psychotherapy. It is designed to empower and support you rather than treat your illness or medical condition.

About Cerina

When we say "we," "us" or "our" in this privacy policy, we mean NoSuffering Limited, a company incorporated and registered in England and Wales with company number 12605982 and whose registered office is at 71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ.

For the purposes of the Data Protection Legislation, we are the controller of your personal data. This means that we are responsible for deciding how we hold and use personal information about you.

What we do?

Cerina is a mental health app that aims to provide CBT to people with anxiety disorders. The app is available in both iOS and Android app stores. The intended use of the app is for providing evidence-based tools and techniques to manage your anxiety as an early intervention tool in a self-help context. You make the choice of using the features based on your own estimate of need, and agree that this is only suitable for basic self-help and self-monitoring. It is not intended to be a substitute for face-to-face psychotherapy or to provide diagnosis or treatment of an illness or condition. With this app, you can track and learn contextual evidence-based techniques that can help you manage your anxiety better. The app and services are not intended for use in crises, emergencies, or serious mental illnesses. The app and services cannot and do not provide medical or clinical advice. The app only suggests that the user seeks medical assistance.

Who can use Cerina?

The Cerina app and services are available to users above 18 years of age.

If you have any knowledge of a child accessing the app, please report it by emailing [email protected].

What data do we collect, and how do we process it?

We use your personal data only for the purposes we collected it for. We will use it for another reason only if it is aligned with the original purpose. We may process your personal data on multiple legal grounds, depending on the specific purpose for which we use your data. If required or permitted by law, we may process your personal data without your knowledge and consent.

We may collect, use, store and transfer different kinds of personal data which we have grouped together as follows:

Personally Identifiable Data

| Data Parameters | Source | Reason for Collection |
|---|---|---|
| Personal identifiers: Name, Email | Provided by the user. | To create a user account after signing up; and to provide better services and support your inquiries. To provide and improve customer support services. |
| Other personal information: Location, Age (range), Gender | Voluntarily provided by the user. (Users can choose not to share this information.) | To better understand the demography to provide the appropriate content. |
| Technical data: Internet protocol (IP) address, Browser type and version, Time Zone (setting) | From the device. | To better understand app usage and issues and to provide relevant features and security updates. |


How are we processing your personally identifiable data?

We irreversibly anonymise and redact any personal identifiers before warehousing the data. Any personal identifiers are only used for the basic functioning of the app. They will never be used for marketing.


Body-related data

| Data Parameters | Source | Reason for Collection |
|---|---|---|
| Clinical questionnaires: Assessment, Scores | Provided by the user. | To assess the user's mental health and to provide a better therapy experience accordingly. [Clinical questionnaires are a proven way to track progress of your mental well-being.] |
| Wellness data: Emotions, Stress levels, Any other type of data that is related to feelings | Provided by the user. | To better understand the user's requirements during the CBT. To provide personalised care. |
| Essential therapy/exercises related data: data that is related to or collected by or during the therapy sessions, exercises or any self-help tools, e.g., Goals, Worries (in worry diary) | Provided by the user. | This data collection is essential for the proper functioning of the iCBT (Internet-based cognitive behavioural therapy). |

How are we processing your Body-related data?

This data is encrypted while at rest in the Database. No human can directly access the data. It is anonymised and aggregated before being used for R&D and AI/ML Functions.

On-Device Storage of Body Related Data.

A data parameter that is too personal or sensitive to be collected or stored on the cloud could be stored on the user's device itself. An aggregated summary backup of this data may be performed. On-Device functions of the app will use this data. We do not have any access to this data.

Usage Data

| Data Parameters | Source | Reason for Collection |
|---|---|---|
| Usage patterns: Screen Time, App/Website Navigation, Login Time, Time Active | From the device. | To provide users with personalised reminders, notifications, suggestions and content. To improve their interaction quality. For basic analytics-related studies that help us improve app features. |
| Communication data: Your inquiries (submitted through App/Website), Any other communication through email (or any other medium) | Provided by the user. | To better serve your queries. To improve customer services. |

This Data is never personally identifiable. No personal behavioural profile is generated. The entire process is automated. The Data is irreversibly anonymised before being used for the AI, ML and Data Science related features.


Do we collect aggregate data?

We may also collect, use and share anonymised, aggregated data such as statistical or demographic data. Anonymised data may be derived from your personal data but is not considered personal information in law as this information does not directly or indirectly reveal your identity. For example, we may aggregate information on how you use our website and/or app to calculate the percentage of users accessing a specific website and/or app feature.

Special category data: special category data refers to sensitive information such as racial or ethnic origin, religious and philosophical beliefs, genetic data, and data concerning health and sexual orientation. We will only process special category data with your consent, in permitted circumstances.

Failure to provide personal data: Where we need to collect personal data by law, or for the provision of services, and you fail to provide that data when requested, we may not be able to carry out or provide you with our services. In this case, we will notify you at the time.

How Cerina uses data?

We will only use your personal data when allowed under the Data Protection Legislation, for example on the basis of consent, contract, legitimate interests, or legal obligation, or where we need it to perform the services we are about to enter into or have entered into with you.

Legitimate Interest: means the interest of our firm in conducting and managing our business to enable us to give you the best service. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests.

Cerina follows the "Data minimisation" principle, which means we limit the collection of personal information to what is directly relevant and necessary to accomplish the stated purpose. We retain that data only for as long as is required to fulfil that purpose. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us. Some examples are:

  • to manage your account and our relationship with you (including responding to your enquiries);
  • to manage payments, fees, charges, and to collect debts which you may owe to us;
  • to interact with you professionally (e.g. if you represent our current or prospective client, supplier or business partner) to manage our relationship with the organisation you represent;
  • to administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data);
  • to ask you to leave a review or complete a survey;
  • to send you our blogs, newsletters or other electronic marketing communications if you are our existing customer;
  • to increase our business or promote our brand through delivering relevant website content and advertisements to you (including recommending new products and products that may be relevant to you);
  • to measure or understand the effectiveness of the advertising we provide to you;
  • to improve our website, products, services, marketing, and customer relationships and understanding;
  • to conduct web analytics;
  • for the prevention and detection of fraud and spam.

Automated technologies or interactions: As you interact with our website and advertisements, we may automatically collect technical data (as described in section The personal data Cerina collect above). We collect this personal data by using cookies, server logs and other similar technologies. For further details, and to change or withdraw your consent to accept cookies, please see our Cookies Notice available at https://www.cerinahealth.com and click on the cookie notice at the bottom of the page and press settings.

Third parties or publicly available sources: We may receive personal data from various third parties and public sources, e.g., analytics providers such as Google based outside the EU; advertising networks based inside the EU; search information providers based inside the UK or EU.

Consent: We may process your data based on your consent for certain marketing purposes. Where your permission is required, we will ask you for such consent clearly and separately from the body of this privacy policy and our terms and conditions. You have the right to withdraw consent to marketing at any time. However, this will not affect the processing before your withdrawal of consent.

Contract: We will use your personal data if we need to do it to perform our obligations under a contract with you, or if it is necessary for a contract which we are about to enter with you. For example, if we need to: register you as a new customer or administer your account (e.g., set up your subscription and administer invoicing and payments); provide our services to you; deliver your order to you; manage our relationship with you (e.g., to respond to your enquiries or to notify you about changes to our services and to inform you about updating preferences); and provide you with customer services (e.g., technical support through our website and app’s support chat function).

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Change of purpose: We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

Cookies: You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly. For more information about the cookies we use, please see our Cookie Policy.

How do we share your data with third parties?

To be able to provide our services, we use third-party suppliers to store and process your data. We evaluate service provider security and privacy practices. We strictly require compliance with confidentiality and non-disclosure obligations, as well as applicable laws and regulations, including related data protection laws. We also require that they or their providers (fourth parties) access your information only to the extent necessary to perform the tasks on our behalf. We are using the following third-party service providers.

Cloud Service Providers

To provide the service, we collect, transfer and store your data in secure servers provided by our authorised cloud service providers. We maintain a Data Processing Agreement (DPA) with Standard Contractual Clauses (SCCs) and Business Associate Agreement with our cloud service providers. We use Amazon Web Services (AWS) as our cloud service provider.

Other Service Providers

| Service Providers | Purpose & Other Details |
|---|---|
| Firebase, Google Analytics | To analyse the app event data. Only pseudonymized user identifiers are shared along with the event data. User conversations and personal information are not shared. All event data is encrypted so no medical or psychological profiles get created by analytics providers. No data is used for any direct advertising or direct marketing. The use of Google Analytics is governed by the Google Data Policy and Privacy Policy. Events automatically collected by Firebase can be found here. Your use of Firebase is subject to the Firebase Terms of Service, Acceptable Use Policy, and Crashlytics Terms of Service. We maintain data processing agreements (DPAs) with SCCs with these service providers. |
| Microsoft 365 | We use Microsoft 365 to provide our corporate email service and to store information received from our clients and end-users in OneDrive. We have a signed DPA with SCCs and BAA with Microsoft 365. |
| Third-party payment gateway providers | We use Stripe as a payment provider along with those provided by app stores to process payment when you purchase from us. Your use of 'payment providers' is subject to their Terms of Service and Privacy Policy. We do not collect or store your credit card-related information. |
| Cloudflare | We use Cloudflare for CDN and DDoS protection. Cloudflare helps us serve you securely and efficiently. To provide these services, Cloudflare accesses your IP address; these IP addresses are never mapped to your conversation/messages, so your conversation/messages remain secure and private at all times. Cloudflare may access/process your browser and operating system related information for logging and abuse prevention purposes. Read Cloudflare's Terms of Service, Privacy Policy, and GDPR Compliance to learn more about how they process your data. We maintain Data Processing Agreements (DPA) with SCCs with these service providers. |

Disclosure to organisations

To use the organisational version of the app, you may need the organisational code provided by us or your organisation. Your institution may also have access to usage data for analytical and research purposes based on the consent you have given to your institution and us.

We may collect your country, division and in some cases your city information to provide aggregated analytics. We do not share your messages with the Institution. Any inadvertent identifiers get removed prior to the aggregated analysis.

In addition, if the app is integrated with your institution's system, your institution may share your assessment results with us, and we also share aggregated user data with them. Such assessment results may be processed by us to serve your institution. Assessment responses are never processed for diagnostic purposes or to provide clinical advice.

What data do we collect, or what processing do we carry out, only after taking consent from you?

We take your consent to perform the following processing.

| Data/Process | Purpose |
|---|---|
| Website cookies: Browser type, Browser language, Operating System, Language settings, Web page views and the link clicks | Understanding website visits and engagement. To use AWS operational cookies. For sharing anonymised event data with 3rd party service providers for analytics purposes. |
| Cerina website contact form: Name, Email Address, Message | To respond to your enquiries and provide support. |
| App usage data and reports (Clinical questionnaires data, wellness data) | To process and share app usage and related analytics data with your organisation and/or research partner. |
| In-app push notifications | Notifying or informing users of the reminders they have set. To remind users about upcoming sessions. |
| Promotion event data: Email Address | To obtain/process the survey/feedback and correspond on programme-related matters. To send programme-related information. |

Opt-Out from Processing

Users can opt out of the processing activity for their data by writing to the Data Protection Office.

What "Processing Activity" and for which "Data Points" users cannot opt-out and why?

| Data Points | Processing Activity and Why users cannot opt-out? |
|---|---|
| Personally Identifiable Data: Name, Email, Location, Internet protocol (IP) address, Browser type and version and Time Zone (setting) | This data helps us identify a user and their location and helps us customise our app functioning based on this data. Certain regulations also require us to store data in a user's country; to do so, we need to know their location, IP and related data. |
| Clinical questionnaires, Essential Therapy/Exercises related data | Our app takes users' clinical questionnaire answers to determine their Anxiety and Depression Scores, which is an essential first step of the app journey. Essential Therapy/Exercise-related data is necessary for the basic functioning of the app. |

How do we handle your payment data when you subscribe to our services?

We do not collect, retain, or store your personal and card information. Card processing is handled by an external payment institution. We do not collect any personally identifiable information from the Play Store or from third-party payment gateway providers after purchase. Please read their Terms of Service and Privacy Policy before making payment. Payment confirmation and subscription details will be received and processed by us. This is to assist with subscription-based requests.

How do we handle your data when used for research and analytics purposes?

We use the minimum required data for research purposes and aggregated data for publications. This data is completely anonymized by a one-way hash function before it is used. This helps us improve our products and services and contribute to user-centred mental health best practices around the world.

We do not use your conversations for research or analysis. Only a limited number of random messages are selected and used by a particular AI chatbot endpoint.

You can always write to us at [email protected] to restrict processing and opt out of the use of your data for research purposes.

Your use of third party weblinks

The app may contain links to third-party websites and resources. Clicking on these links may allow third parties to collect or share information about you. We do not control these third-party websites and are not responsible for their privacy policy. We encourage you to read the privacy policy and terms of use for the external links you access.

How secure is your data?

We have appropriate security measures to prevent personal data from being accidentally lost or used or accessed unlawfully. We limit access to your personal data to those who have a genuine business need to access it.

Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality. We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.

Art. 33 of GDPR (EU), "Notification of a personal data breach to the supervisory authority", requires us to report any suspected breach to authorities. Following the Data Protection Act 2018 (UK), we will report any suspected data breach of personal data within 72 hours to the Information Commissioner's Office.

The security of your data is important to us. We have implemented adequate technical and organisational safeguards to protect your data.

Electronic transmissions of data or data storage methods are not perfect or inviolable. We will do our best to protect your personal information, but we cannot guarantee its absolute security. We also need your help to ensure the security of your data. Do not copy the conversation and share it with strangers.

Cerina data retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or possible litigation.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

By law we have to keep basic information about our clients (including Contact, Identity, Financial and Transaction Data) for six years after they cease being our customer. In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

Right to Withdraw Consent

You have the right to withdraw your consent for the use of your personal data at any time. To exercise this right, please notify our Data Protection Officer (Prasannajeet Mane, email: [email protected]) at the designated email address provided in our privacy policy. Upon receiving your request, we will cease the processing of your data for the purposes you originally consented to, unless otherwise required by law.

Data Deletion

We use data overwriting and cryptographic erase methodologies for data deletion. These methods comply with the latest industry standards and ensure user data safety.

Data Deletion during Erasure (to be forgotten): any Data deletion done whilst following up on a Data Erasure request is irreversible as the data is deleted from all copies, including backups.

Cerina complaints policy

We are hopeful that we can resolve any query or concern you may raise about our use of your information. You may contact us by using the contact methods set out in this privacy policy.

The Data Protection Legislation also gives you a right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner, who may be contacted at https://ico.org.uk/concerns, telephone on 0303 123 1113, or by post to: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We would, however, appreciate the chance to deal with your concerns before you approach the Information Commissioner’s Office, so please contact us in the first instance. You can contact our Data Protection Officer directly at [email protected]

Data Protection rights

Legal rights: You have rights under the Data Protection Legislation in relation to the control of your personal information held with Cerina. You can exercise these rights free of charge, unless your request is manifestly unfounded or excessive (in which case we may charge a reasonable administrative fee or refuse to respond to such request).

| Rights | Explanation |
|---|---|
| Access | This enables you to receive a copy of the personal data we hold about you and to check if we are lawfully processing it. |
| Rectification | The right to require us to correct any inaccuracies in your personal data. |
| Erasure (to be forgotten) | The right to require us to delete your personal data in certain situations. |
| Restriction of processing | The right to require us to restrict processing of your personal data in certain circumstances (e.g., if you contest the accuracy of the data we hold). |
| Data portability | The right to receive, in certain situations, the personal data you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party. |
| To object | The right to object at any time to your personal data being processed for direct marketing (including profiling) or, in certain other situations, to our continued processing of your personal data (e.g., processing carried out for the purpose of our legitimate interests). |
| Not to be subject to automated individual decision-making | The right not to be subject to a decision based solely on automated processing (including profiling) that produces legal effects concerning you, or similarly significantly affects you. |

If you wish to exercise any of the rights set out above, please contact the DPO at [email protected]

What we may need from you?

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond: We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month (but no longer than two months) if your request is particularly complex or you have made several requests. In this case, we will notify you and keep you updated.

How to contact for additional questions, comments or concerns?

We have appointed a data protection officer (DPO) to handle any questions in relation to this privacy policy. If you have any questions about this privacy policy, or a request to exercise your legal rights, please contact our data protection officer using the details provided below.