Your data is safe with us
Privacy policies are always difficult to read. We made them simple to understand.
This policy describes how Flow Neuroscience AB ("Flow", "us", "we") collects, uses and protects your personal data in connection with our website at www.flowneuroscience.com, our Flow headset (the “Headset”) and the Flow App (the “Services”).
Please read this Privacy Policy in full, along with our terms and conditions of use. It covers some key points such as:
- the type of information we collect and why we collect it;
- how your information is stored;
- your rights; and
- how to contact us.
Below, you will find the types of data we collect:
Personal data you provide to us.
- Account data: When logging in to the Flow App, you create an account with your email address and password.
- Contact and communication data: When you contact us, for example for user support, you may also provide us with your first and last name, email address, address, phone number and the contents of your communications.
- Your age, health history and habits: We collect information about your age, your mental and physical health condition and history, any medical treatments you have received and your lifestyle and habits. You don't have to answer these types of questions if you don't want to.
- Your mental health and treatment information: Before purchasing the Headset, and when using the Headset or Services, you can provide us with information about your mental health, your treatment, your progress and any other feedback. You don't have to provide this information if you don't want to.
- Information about how, where and when you're using our services: By understanding how, where and when our services are used, we can improve your experience, and the experience of other users.
- Purchasing and delivery information: If you buy the Headset from us, we need your address and payment details to enable your order of the Headset.
- Marketing information: such as your preferences for receiving our marketing communications, and details about your engagement with them.
Personal data we automatically collect.
We, our service providers, and our advertising partners may automatically log information about you, your computer or mobile device, and your interaction over time with the Services and our communications, such as:
- Device data, such as your computer’s or mobile device’s operating system type and version, manufacturer and model, browser type, screen resolution, RAM and disk size, CPU usage, device type (e.g., phone, tablet), IP address, unique identifiers (including identifiers used for advertising purposes), language settings, mobile device carrier, radio/network information (e.g., WiFi, LTE, 3G).
- Headset data, such as duration and frequency of usage.
- Online activity data, such as pages or screens you viewed, how long you spent on a page or screen, the website you visited before browsing to the Services, navigation paths between pages or screens, information about your activity on a page or screen, access times, and duration of access, and whether you have opened our marketing emails or clicked links within them.
We collect this information using cookies and other similar technologies. For more information, please visit our “How we use cookies” Section below.
We use your personal data for the following purposes:
- Providing our Services: We use personal data to operate, maintain, and provide you with our Services, including to process your transactions and to enable your order. In particular, we use personal data to perform our contractual obligations under our Terms of Service.
- To personalize and improve the Services: We process personal data to allow you to track your treatment progress, to provide you with a personalised experience and to better understand when the treatment works or when it doesn't and how it can be improved. We do so to perform our contractual obligations towards you or where it is in our legitimate interest. Where we process your health data, please also refer to the section “How do we use your sensitive personal data?”.
- To assess your eligibility for the Services: You can choose to complete a questionnaire about your mental health, which will allow healthcare professionals we work with to assess your eligibility for the Headset. Completing the questionnaire is optional. We do so to take steps to enter into a contract with you. Where we process your health data, please also refer to the section “How do we use your sensitive personal data?”.
- Communicating with you about our Services: It is in our legitimate business interests to use personal data to respond to your requests, provide customer support, and communicate with you about our Services, including by sending announcements, updates, security alerts and support and administrative messages.
- Monitoring and protecting our Services: It is in our legitimate business interests to keep our Services safe for our users, which includes:
  - troubleshooting, testing and research and to keep the Services secure; and
  - investigating and protecting against fraudulent, harmful, unauthorized or illegal activity.
- Anonymisation and aggregation: We may create or use aggregated, de-identified or other anonymized data from personal data we collect for research and development purposes in our legitimate business interests, including to analyze and improve the Services and our business. We make personal data into anonymized data by removing information that makes the data personally identifiable to you. We may use this anonymized data and share it with third parties for our lawful business purposes, including to analyze and improve the Services and promote our business.
- Marketing: We may send you direct marketing communications as permitted by law, including by email. You may opt-out of our marketing communications as described in the “What are my rights and choices” section below. Except where consent is required, we undertake such marketing and advertising on the basis of our legitimate business interests. Where we seek your consent, you may withdraw your consent at any time.
- Interest-based advertising: We may engage third-party advertising companies, such as Google, to display our ads on their online services. We may also share information about our users with these companies to facilitate advertising for our services to them or similar users on other online platforms. For more information, or to understand your choices, please visit our “How do we use Cookies” Section.
- Compliance and protection: We may use personal data to comply with legal obligations, and it is in our legitimate business interests to use your personal data to defend us against legal claims or disputes, including to protect our, your or others’ rights, privacy, safety or property (including by making and defending legal claims);
  - audit our internal processes for compliance with legal and contractual requirements and internal policies;
  - enforce the terms and conditions that govern the Services;
  - prevent, identify, investigate and deter fraudulent, harmful, unauthorized, unethical or illegal activity, including cyberattacks and identity theft; and
  - comply with applicable laws, lawful requests and legal process.
The personal data you provide to us may contain sensitive information, such as information about your health. We only process your health information to allow you to track your treatment progress, to provide you with a personalised experience and to understand when the treatment works.
We also allow you to complete a questionnaire about your mental health, which will enable healthcare professionals we work with to assess your eligibility for the Headset. If you choose to complete the questionnaire, we will only process your health information for these purposes, and will only share the information with healthcare professionals, with your explicit consent.
We may also disclose your personal data to the following recipients:
- Service Providers: To help us deliver our Services, we may share your personal data with our service providers, who help to support our Services. These companies can only use your information based on our instructions, and they cannot use the information for their own purposes. They also have to act in line with applicable data protection laws and contractual terms that specify how they can process information on our behalf. Here is an example: In order to be able to offer you Klarna's payment options and in order for Klarna to assess whether you qualify for their payment options and to tailor the payment options for you, we will pass to Klarna certain aspects of your personal data, such as contact and order details. You can find general information on Klarna here. Your personal data is handled in accordance with applicable data protection law and in accordance with the information in Klarna's privacy statement.
- Healthcare professionals: If you choose to complete an eligibility questionnaire and provide your explicit consent, we will share your personal data with the healthcare professionals we work with, to allow them to assess your eligibility for the Headset.
- Professional advisors: We may share your personal data with professional advisors, such as lawyers, auditors, bankers and insurers, where necessary in the course of the professional Services that they render to us.
- Authorities and others: We may share your personal data with law enforcement, government authorities, and private parties, as we believe in good faith to be necessary or appropriate for the compliance and protection purposes described above.
- Business transferees: We may share your personal data with acquirers and other relevant participants in business transactions (or negotiations for such transactions) involving a corporate divestiture, merger, consolidation, acquisition, reorganization, sale or other disposition of all or any portion of the business or assets of, or equity interests in Flow or our affiliates (including, in connection with a bankruptcy or similar proceedings).
- Anonymised and Aggregated Information: We may show on our website or share with our commercial partners data that does not personally identify you, but which shows general trends. This is 'anonymised' data and is not personal data. This might include, for example, the number of users of our service or trends in a particular age group.
If you've chosen a password or authentication method to access our Services, you are responsible for keeping this password and/or authentication method confidential. Please don't share it with anyone.
Your information is stored with us for no longer than is necessary (for example, we need to store the health information you provide in a questionnaire in order to assess your eligibility for the Headset and to monitor that eligibility during the purchase period), and/or as required by law or by any relevant regulatory body, always in compliance with data minimisation principles. The Headset is a medical device. As such, if you purchase the Headset, we are required by law to store your personal data in case we need to investigate an issue, or make a recall.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data. For example, we only store personal data collected through an eligibility questionnaire for thirty days.
We have procedures in place to ensure that your personal data is handled in a safe and secure manner and in accordance with applicable legislation. We employ a number of technical, organizational and physical safeguards designed to protect the personal data we collect. However, no security measures are failsafe and we cannot guarantee the security of your personal information.
All communication between our websites, servers and apps is encrypted with industry-standard techniques (HTTPS). The servers where data from our apps is stored are hosted by Amazon Web Services and physically located within the EU. The hosting provider managing our servers has the following security certifications to ensure that your data stays safe:
- ISO 27001, 27017, 27018: Security Management Controls, Cloud Specific Controls, Personal Data Protection
- SOC 1, 2, 3: Security, Availability & Confidentiality Reports
Flow stores your personal data in data centres within the European Union. For technical reasons, our subcontractors may need to move information to other countries outside of the EU. When we engage in cross-border data transfers, we will ensure that relevant safeguards are in place to afford adequate protection for personal data and we will comply with applicable data protection laws, in particular by relying on an EU Commission or UK government adequacy decision or on contractual protections for the transfer of personal information. For more information about how we transfer personal data internationally, please contact us as set out in the “Contact” section below.
You may opt out of marketing-related communications by following the opt-out or unsubscribe instructions contained in the marketing communication we send you or by contacting us as provided in the “Contact” section below. You may continue to receive services-related and other non-marketing emails.
You can opt out of third-party cookies as described in our “How do we use Cookies” Section.
You also have certain rights under applicable data protection laws.
- Right to access: You can request a copy of the personal data Flow Neuroscience has collected about you.
- Right to rectification: We want to ensure that your information is up-to-date and correct. You can request that your information be corrected or removed if you consider it incorrect.
- Right to erasure: You can request us to delete your personal data. We may not delete data that the law requires us to keep.
- Data portability: You can request that Flow Neuroscience transfer your personal data from our IT environment, either to another company or to you. Flow may still retain information that it is required to keep, for example to comply with the law.
- Withdrawal of consent: You can withdraw your consent to share your information or to receive marketing / emails at any time, either by unsubscribing from the mailing list or by contacting us through email.
- Additional rights: In some cases you can object to and request that we restrict our use of personal information.
You can file a complaint with your local Data Protection Authority if you believe that we are treating your personal data in violation of the law or your rights.
If you wish to enforce any of your applicable rights, please contact us by email (you'll find our email address at the bottom of this policy).
Cookies are files with a small amount of data, which may include an anonymous unique identifier. Cookies are sent to your browser from a website and stored on your computer's hard drive.
Like many sites, we use cookies to collect information on our Services. We only use cookies with your consent. You have the option to accept or reject cookies and can manage your cookie preferences on our cookie banner or at any point by clicking on “Manage cookies” in the footer of the website. Our cookies are stored for 3 years, or until the session is deleted.
There are 3 main types of cookies we use:
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. They also enable basic site performance monitoring to ensure bugs are quickly spotted.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
We use both persistent cookies and session cookies. Persistent cookies stay on your device for a set period of time or until you delete them, while session cookies are deleted once you close your web browser. The cookies placed through your use of our Services are either set by us (first-party cookies) or by a third party at our request (third-party cookies).
The third parties that are involved in placing cookies on our website are as follows:
- Amplitude - https://amplitude.com/
- Google - https://www.google.co.uk/
- Meta - https://about.meta.com/
- TikTok - https://www.tiktok.com/
- Trustpilot - https://www.trustpilot.com/
- Klaviyo - https://www.klaviyo.com/
- LinkedIn - https://www.linkedin.com/
You can find information about their data processing practices on their respective websites.
We also allow our advertising partners to collect this information through our Services.
You can limit online tracking by:
- Blocking cookies in your browser. Most browsers let you remove or reject cookies, including cookies used for interest-based advertising. To do this, follow the instructions in your browser settings. Many browsers accept cookies by default until you change your settings. For more information about cookies, including how to see what cookies have been set on your device and how to manage and delete them, visit www.allaboutcookies.org. Use the following links to learn more about how to control cookies and online tracking through your browser:
- Blocking advertising ID use in your mobile settings. Your mobile device settings can provide functionality to limit use of the advertising ID associated with your mobile device for interest-based advertising purposes.
- Using privacy plug-ins or browsers. You can block our websites from setting cookies used for interest-based ads by using a browser with privacy features, like Brave, or installing browser plugins like Privacy Badger, Ghostery, or uBlock Origin, and configuring them to block third party cookies/trackers.
- Advertising industry opt out tools. You can also use these opt out options to limit use of your information for interest-based advertising by participating companies:
  - Digital Advertising Alliance for Websites: optout.aboutads.info and https://www.aboutads.info/appchoices (for mobile opt outs);
  - Network Advertising Initiative: optout.networkadvertising.org.
- Platform opt-outs. Some of our advertising partners offer opt-out features that let you opt out of use of your information for interest-based advertising, including:
- App Technologies. You can stop all collection of information via our App by uninstalling the App. For Apple iOS, we will only receive access to your device’s Ad ID (known as an IDFA) if you provide consent. You can reset your device’s Ad ID at any time through your device settings, which is designed to allow you to limit the use of information collected about your device.
Please be aware that if you disable or remove tracking technologies some parts of the Service may not function correctly.
Note that because these opt out mechanisms are specific to the device or browser on which they are exercised, you will need to opt out on every browser and device that you use.
Flow Neuroscience AB is the entity responsible for processing your personal data as the ‘controller’ under applicable laws.
If you have any questions regarding this policy, regarding the use of your personal data or about your rights, please contact us at: support@flowneuroscience.com.