Privacy Policy
Last Updated: 5 August 2024
The authoritative version of this Privacy Policy is the version in English, hosted on our website.
Samphire's commitment to data privacy
At Samphire, we recognise the transformative potential of technology and data in both empowering individuals to take control of their health and helping to address profound structural inequities in society, such as the gender health gap.
In light of this, we are committed to building, providing, and supporting a suite of health technologies, both hardware and software. In this document, we refer to these technologies as our 'products and services'. Depending on which of our products and services you choose to use, and the extent to which you use them, the types and amount of personal information you provide us may vary significantly.
Regardless, whenever you provide us with any personal or otherwise sensitive information, we take our role as custodians of this sensitive information seriously and are dedicated to maintaining the highest standards of privacy and security. Ensuring your data's security and safety is integral to both our relationship with you, but also our ability to continue to address health inequities, and continue to provide our products and services to those who need them, around the world.
Transparency is a fundamental aspect of our approach, and we are committed to helping you understand how we manage your data amidst the complexities of both our own products and services, and the broader digital technology and healthcare ecosystems. For example, we do rely on various third party providers to deliver our products and services, and they help us in our efforts to secure your information and provide our products and services, as outlined below.
We encourage you to review this Privacy Policy thoroughly to gain a clear understanding of our data handling practices. It is an important document that is part of your relationship with us.
How you can contact us
Throughout this document we make reference in several places to things you can do, or rights you can exercise, by contacting us. We also know that you may have questions about the content of this privacy policy. In either of those cases, you should contact us directly at support@samphireneuro.com.
That email address is monitored by our data and privacy team, as well as our Data Protection Officer (DPO) who oversees compliance with data protection laws and ensures that your data is handled responsibly. The DPO is also available to address any concerns or questions you may have about your privacy.
The data we process
We process three types of data:
- Account Data: When you first engage with our products or services, you typically must create a Samphire account. As explained elsewhere in this document, that process normally involves linking a Samphire account to a separate Apple or Google account. It also involves the collection of your preferred name (which may be a pseudonym) as well as an email address (which may be an alias email address provided by the social login provider). This information is required for us to provide you with our products and services. If you are engaging with a physical variant of our products or services, such as one of our physical medical devices, your Account Data will also include any logistics information you provided to us at the time of checkout, such as your shipping address. Account Data does not include payment information.
- Usage Data: When you use our digital products or services, we process your device and browser data. This includes information such as your device model, name and identifiers, browser settings, and your operating system, as well as your IP address. This information is required for us to provide you with our products and services, and make sure that we can provide a high quality experience free from bugs, crashes or other failures.
- Health and other Sensitive Data: So that we can provide you with our products and services, you may choose to share health and other sensitive data with us. The type of this data can vary, but typically relates to menstrual health conditions and your daily experiences. We only process health and sensitive data that you explicitly provide to us, either through your manual data entry through one of our products or services, or you explicitly connecting other services designed to sync such data to us.
How and why we process your data
Depending on the circumstance, we process your data for different reasons. This section sets out why we process your data, and how we do that.
To provide our services to you
Below are the purposes for which we process your data to provide our services to you, and the type of data that is processed to fulfil each purpose:
- To provide you with personalised insights and recommendations: We use the health information you track in the app, whether entered manually or imported, to offer tailored health insights and recommendations.
- To improve our performance and user experience: Data on your interactions with our app and website, as well as data generated from devices we provide to you and other devices you may use, is collected to enhance performance and user experience.
- To manage your account and communicate with you: We utilise your account information to manage your account, communicate updates, and deliver relevant insights based on the health data you track. Communications can be sent via in-app messages, reminders, notifications, or emails.
Essential third parties
If you are engaging with our mobile application, there are several third-party providers that support our core services:
- Amazon Web Services: Samphire uses Amazon Web Services EMEA SARL (“AWS”) as our cloud infrastructure provider to store our data on secure servers. Samphire uses AWS to ensure efficient service delivery. All data (incl. both personal and non-personal) is stored in the data centres in the United Kingdom.
- PlanetScale: Samphire uses database services provided by PlanetScale, Inc. (”PlanetScale”), a company based in the United States, with EEA and UK representatives, to store all app-related data that enables the core functionality. All data (incl. both personal and non-personal) is stored in the data centres in the United Kingdom.
- Bugfender: Samphire uses Bugfender services provided by Beenario GmbH (”Beenario”), a company registered in Germany, to carry out performance monitoring in the App, including non-personal logs, crash logs. Bugfender has access to the following non-personal data: phone model, OS version, app version. Bugfender does not have access to personal data, such as name or email address. All data is stored in the data centres in the European Union, in an ISO 27001-certified data centre.
Social logins
When you first create your Samphire account, you may choose to sign up using one of the following services:
- Sign in with Apple: Samphire offers the "Sign in with Apple" feature, allowing you to create and log in to your Samphire account using your Apple credentials. If you choose to sign up this way, certain data will be exchanged between Samphire and Apple, including device data, IP address, and information you provided to Apple when you created your Apple account. This might involve transferring your personal data to Apple's servers. You can control how much information you share with Apple and manage these settings in your Apple account. Importantly, no health data will be shared with Apple for the purpose of using the "Sign in with Apple" service.
- Sign in with Google: The "Sign in with Google" option allows you to create and log in to your Samphire account using your Google credentials. By using this feature, you authorise Samphire to collect basic information from your Google account, such as your email address. You can manage this information through your Google account settings. If you sign up with Google, Samphire will exchange data like your name and email address with Google, which may include transferring your personal data to Google's servers. As with Apple, no health data will be exchanged with Google.
Integrations
Some of our products and services, such as our mobile health application, allow you to connect your Samphire Account to external data sources.
- Apple Health (iOS): If you choose to sync your Apple Health app with the Samphire app, please note that Samphire will only interact with Apple Health if you specifically grant permission. This can be done in the settings of the Health app or within the Samphire app’s settings. You have full control over the extent of data exchanged between Samphire and the Health app. Permissions can be granted or revoked at any time in the Health app’s settings. Once approved, Samphire can read and/or write data between the Samphire app and the Health app, which may involve transferring your personal data to Apple servers. For more details, please refer to Apple Health's Privacy Information.
Payment Providers
If you purchase one of our paid products or services, your payment information will be processed. Samphire never directly processes payment information, instead relying on trusted third parties to collect the funds on our behalf. The identity of these third parties will depend on how you choose to pay.
- iOS (Apple Inc.): If you pay via the Apple App Store, Apple will facilitate your subscription payment and become the controller of your payment data, while Samphire will remain the controller for all data related to app usage. Apple will not access your tracked health data or other app-related information. For more details, please refer to Apple's Privacy Policy. We use RevenueCat, Inc (”RevenueCat”), a company registered in the United States, to help us manage subscriptions through the Apple App Store (such as to allow your subscription to work across different platforms and devices). RevenueCat will never have access to any of your tracked data or other app related usage data. RevenueCat describes how it handles payment data in their Privacy Policy. RevenueCat uses AWS data centres located in the United States to store payment-related data.
- Android (Google): If you pay via the Google Play Store, Google will facilitate your subscription payment and become the controller of your payment data, while Samphire will remain the controller for all data related to app usage. Google will not access your tracked health data or other app-related information. For more details, please refer to Google’s Privacy Policy. RevenueCat is used for payments on Android in the same way as described above for iOS.
- Website (Shopify): Orders processed through our website are managed by Shopify. Shopify will handle your payments and become the controller of your payment data, while Samphire will remain the controller for all data related to usage of the app or any devices we may provide to you. Shopify will not access your tracked health data. For more details, please refer to Shopify’s Privacy Policy. You may also choose to pay by PayPal. If you do this, Paypal will take a similar position to that of Shopify. Please refer to Paypal's Privacy Policy.
To provide customer service
From time to time you may wish to contact our customer service department. For example, this may occur when you have questions about one of our products or services that you are either already using, or are considering for future use.
In most cases, our customer service department will communicate with you through email. Sometimes, this communication may also take place directly through our mobile application.
- Third Parties: To provide customer support we rely on services provided by Slack Technologies Limited and Intercom, Inc. Both companies are based in Ireland.
- Legal Basis: When you contact our support team, these interactions are governed by this privacy policy, and you are providing consent for our processing of your personal data, including any health data, so that your query can be answered.
To comply with medical device regulations
Some of Samphire's products and services are regulated medical devices. This means that the clinical efficacy associated with such products and services has been carefully scrutinised by regulatory authorities in the regions where such products and services are made available. It also means that we must collect and process some of your personal information in order to make sure that our medical devices are performing as expected and are not exposing you or other people who use our medical devices to unnecessary risk. Such information is collected in an aggregated way that cannot be directly tied back to individual users.
- Third Parties: We do not rely on any third parties to collect or process your data for this purpose.
- Legal Basis: When you start using one of our regulated medical devices, you are consenting to the use of your data for this purpose.
To further health research, and otherwise advance science
Samphire is a science and research-first company. Many of our products and services are designed to be used by people who are otherwise significantly underrepresented in health research, and closing this research gap is something that drives us in the work we do. Partnering with trusted researchers enables us to advance studies, challenge harmful taboos, and improve healthcare foundations.
To ensure your privacy, we only share data directly relevant to the research questions, adhering to strict protocols. Personal identifiers, such as your name and email address, are removed through a de-identification technique. The dataset is then assigned a random ID to maintain your anonymity with researchers.
If you participate in a scientific study using Samphire to collect information, your personal information will only be shared with the research facility under the consent terms you provided. During these studies, your data will be treated with the same care as all other user data. The research facility is solely responsible for the use of your personal and health data within their study. In these instances, Samphire and the research facilities share joint responsibility for data handling.
- Third parties: Samphire collaborates with selected research partners, and ensures compliance with the data protection safeguards and regulations of the relevant jurisdiction. Each research project is publicly published, and details on each participating research organisation may be found in such publications.
- Legal basis: The processing of your health data for scientific research is based on your consent, provided you have enabled this option in your privacy settings: "I agree to the health data I track in the app being de-identified and shared with carefully selected research partners to advance women’s health, or other scientific research."
You can disable this option at any time. All personal data collected for scientific research is deleted by us once it is no longer required for its original purpose.
To make our products and services better
To improve our products and services
We know there is always room to improve our products and services. Understanding how our users interact with our products and services is an important factor in our ability to continue to do that. Whenever we do this, it is through aggregated use statistics, rather than data relating to specific individuals. Usage information helps us accomplish this, and we set out some examples of how below.
- Exercise: If a significant portion of our users choose to use one of our physical medical devices during morning exercise routines, and share that information with us, we may choose to release additional products and services related to exercise.
- Cycle Length: As another example, if many users report menstrual cycle data that is outside the bounds we expect based on historical research, we may develop new algorithms, or create more personalised insights features.
The examples above should assist you in understanding the types of information we process for this purpose. They include your device ID, IP address, and data related to any physical devices that we may have provided to you as part of our products and services.
- Third Parties: We do not rely on any third parties for this purpose.
- Legal Basis: By using our products and services as governed by this privacy policy, you are consenting to our processing of your personal information for the purpose of improving our products and services.
To improve our website
We use cookies - a common form of web technology - and third party services to improve the performance of our website, and best understand how you and others interact with our products and services and the communications we send. We also implement these so that we can power basic functionality, such as allowing you to log in to manage or cancel orders, or save things for later.
- Third Parties: To assist us in improving our website, we use cookies and services from Klaviyo, Inc. (a company headquartered in the United States) and from Meta Platforms, Inc. (a company headquartered in the United States).
- Legal Basis: If you are visiting our website from a location where it is not legally required to display a cookie banner, you consent to this processing of your information through this privacy policy, which governs your use of our website. If you are visiting our website from a location that does legally require the display of a cookie banner, you consent through the opt-in cookie banner.
Note that where a cookie is essential to the basic functionality of the website (such as to allow a form to be submitted), the cookie cannot be disabled. Such cookies do not store personally identifiable information.
To recommend you products and services.
When you use our products and services, we may process your information to recommend you other products and services that we have which we think would be a good fit for you. For example, if we have a medical device that is designed to alleviate symptoms that you are commonly tracking in our mobile application, we may inform you about our device. This could happen in different ways, such as by emails or push notifications (if you have granted the relevant permissions). When recommending a product or service to you, it is because we believe that product or service will genuinely be of interest to you. In doing so, we minimise the number of such communications and prioritise giving you the best possible experience when engaging with our products or services.
- Third Parties: To determine what products and services to recommend you we do not rely on third parties. However, we may rely on our standard email communication providers (see the section “To send you email communications”) to communicate these recommendations to you. We do not share your sensitive health data with such third parties.
- Legal Basis: When you consent to this privacy policy, you are consenting to our ability to process your data so that we can send your personalised recommendations about our products and services.
To send you email communications
If you opt-in to receive newsletters and promotional emails, we process your contact information to provide these updates, ensuring compliance with privacy regulations.
- Third Parties: Samphire may share information such as your email address to third-party providers for the sole purpose of carrying out our newsletter services. Our current provider for this service is Klaviyo, Inc (a company based in the United States).
- Legal Basis: The legal basis for sending you our newsletter is based on your consent. You can unsubscribe from our newsletters and promotional emails at any time by clicking the unsubscribe link at the bottom of the emails.
All personal data collected for providing our newsletter services is deleted by us as soon as it is no longer required for the purpose for which it was collected.
To provide you with content
Some of our products and services, such as our mobile application, include a library of interactive and static content such as videos and blog articles. In order to provide this content to you, we need to process your personal information. For example, we need to use your IP address to request that our content providers deliver the right content to your mobile device.
- Third Parties: Samphire uses services provided by Sanity US Inc. (”Sanity”), a company based in the United States, for content delivery, such as blogs. Sanity content is stored in the data centres in the United States. Samphire uses services provided by Mux, Inc. (”Mux”), a company based in the United States, for content delivery, such as videos. Sanity content is stored in the data centres in the United States.
- Legal Basis: The legal basis for using your personal information to provide you with content is based on your consent. You can stop requesting access to such content at any time and your personal details will stop being processed for such purpose.
All personal data collected for providing our content is deleted by us as soon as it is no longer required for the purpose for which it was collected.
To improve the way we advertise our products and services
To refine our advertising strategies, we process usage data to understand the effectiveness of our ads. We run advertisements about our products and services in various channels, including social media. Determining the efficacy of these advertisements is an important part of our ability to reach the right people, and ensure that we are allocating the maximum amount of our resources possible to supporting our existing users, and advancing health research.
This also helps make things more effective for you. For example, if you are already an active user of one or more of our products or services, we will take steps to reduce the number of times you see our advertisements.
- Third Parties: In advertising our products and services, we use third parties including Meta Platforms, Inc (a company based in the United States). We never share any sensitive health information with such third parties.
- Your Consent: By using our products and services, you consent to the processing of your usage data to help us improve our products and services
Depending on the platform or medium through which you access our products or services, you may have further options about our processing of your personal information for this purpose. For example, if you access our products or services through an Apple device, you may be prompted to limit this activity.
Samphire will never share your health data with advertisers.
International data transfers
At Samphire Neuroscience, we are committed to ensuring that your personal data is protected regardless of where it is processed. When we transfer your data, we ensure that appropriate safeguards are in place to protect your privacy.
Before we engage with a data processor, we subject them to a rigorous process of audit and review. We also regularly review the data processors that we work with. When a data processor is processing data provided as part of a medically regulated product or service, they are also subject to our quality management system, which acts as an additional review step.
Data processors are all set out in this privacy policy, and we include their headquarters' physical location in this privacy policy as well. If you have any questions about our data transfer practices, you can always contact our privacy and trust team at the details set out in this document.
Your data protection rights
You have many rights when it comes to your data and privacy, and we’ll do everything we can to make sure your rights are fully protected, and able to be exercised by you.
Your data protection rights are broad, and we don’t outline all of them in this privacy policy. Rest assured though, that we comply with all of the requirements of privacy regulations in the regions that we operate in. That said, here are some examples of the rights that you have:
- Obtain copies of your information: You can contact us at the details provided on this page to receive an electronic copy of all information that we store about you, in a format that complies with data portability principles.
- Correct your information: By interacting directly with our products and services you can correct any information that we store about you.
- Withdraw consent to ongoing processing: You can withdraw your consent for us to process your data on an ongoing basis. The way to do this depends on which product or service you are interacting with. For example, you can delete your mobile application user account by contacting our application support team, and you can withdraw your consent to marketing related communications by clicking to unsubscribe in email communications you receive.
- Delete all your data: You can request us to delete all data we have about you, including data sent to any third-party services, by contacting us at the details set out in this document.
Our data security procedures
Your data privacy is central to our mission. We implement robust security protocols to guard against unauthorised use, loss, and modification of the information we manage. Adhering to industry standards, we ensure secure data transfer and storage practices. While absolute protection against misuse, loss, or alteration of data cannot be guaranteed, we make every reasonable effort to prevent such incidents.
How we secure your data in our software products and services
In our software products and services, such as those provided through our mobile application, we secure your personal data in a variety of ways. Here are some examples:
- Secure account access: Your mobile application account is authenticated by linking to the accounts you use with your mobile device, such as your Apple Account or Google Account. This means that Samphire doesn’t store any password information, relying instead on industry standard procedures. You may wish to consult Apple or Google’s privacy policies for more information on the data they hold.
- Secure data communication: When your mobile application is sending or receiving data to our servers, it does so using a HTTPS connection. That means that the data is encrypted during transit.
- No direct payment information processing: Samphire does not store or collect any payment information, relying on regulated, approved third parties such as the Apple App Store, Google Play Store and Shopify to do this. You may wish to consult Apple, Google or Shopify’s privacy policies for more information on the data they hold.
Our recommendations for your own data security procedures
In addition to the steps we take ourselves to secure your data, we want to take the opportunity to make recommendations to you about actions you can personally take to make your own data practices more secure. This is not an exhaustive list, but in our experience are good things to keep in mind:
- Protect against physical device access:
- Secure password on device
- Ensure the ability to erase your data if your phone is lost or stolen
- Secure accounts you use to login to our products and services
- Regularly review who has access to your data:
- HCPs / other providers
- Informal access
- Systematic access, such as through features like HealthKit on iOS
How we comply with legal requests for your data
Samphire is subject to regulation and government oversight in the markets where it operates. This means that, in rare circumstances, Samphire may receive legal requests for user information, such as from law enforcement or other government agencies. In handling these requests, we must balance our legal obligations with protecting your privacy.
- Legal Validity: We require a legally valid request specifying the data being requested. Each demand undergoes a thorough legal review to ensure its validity before any information is disclosed.
- User Identification: Any demand must include identifying information that matches our records for the specific user. Without a match, no information will be provided.
- Limiting Scope: We will only provide information within the scope of the demand and will take steps to limit the scope where possible.
- User Notification: We will notify you of the demand via contact information that you have provided us, unless we are legally prohibited from doing so.
- Data Deletion Requests: Should a legally valid demand for your data be received, we will not be able to delete your data, even if a deletion request is made, while we are legally obligated to preserve it.
Samphire is for adults
We have no intention of collecting, storing or processing data from those under the age of consent to data processing in the countries in which we operate. If you are under the age of consent to data processing in your country, you must not use any of our products or services.
If you have knowledge as to the use of any of our products or services by those under the age of consent to data processing in your country, please contact us using the details found in this policy.
Please note that some of our products and services, such as our medical devices, have additional age limits that are set out in their respective terms and conditions.
Changes to this Privacy Policy
We reserve the right to change this Privacy Policy. We may do that in response to changes in law, changes in our products or their features, changes in our practices around data use and collection, or other reasons such as advances in technology.
You can always see if there have been changes by reviewing the date at the top of this document. If we make changes that are, or could be, material to you deciding to continue consenting to this policy, we will make sure to notify you.