SMARTSTEP PRIVACY POLICY – UK and EU
INTRODUCTION
This Privacy Policy describes the information privacy practices of Blatchford Ltd, registered in the UK (162114 ) and in Europe (“Blatchford”, “Company”, ”we, “us”, or “our”), for the SmartStep platform and associated web-based sites and applications made available and operated by us that reference or link to this Privacy Policy (the “Platform”).
The Platform includes, without limitation, (i) our SMARTSTEP applications for iOS and Android (collectively, the “App”), which allows an authenticated and authorized user to interact with a compatible Blatchford device (“Blatchford Device”) via a secure Bluetooth Low Energy (“BLE”) connection; and (ii) our web-based administration portal (the “Portal”).
This Privacy Policy explains what information we collect about you; how we collect that information; the purpose for collecting it and how it benefits you; the outside parties we share it with; and your rights, including what you can do regarding your information.
This Privacy policy is in addition to our organisational privacy policy for users of the blatchfordmobility.com website and clinical service and this privacy policy for Blatchford Customers in Norway.
For the purposes of the General Data Protection Regulation (EU) 2016/679 and applicable national legislation implementing the GDPR and, if applicable, the UK Data Protection Act 2018 and the UK GDPR (hereinafter collectively the “GDPR”), we are the data controller, unless otherwise stated. We compiled this Privacy Policy and adjusted our processes towards Personal Data in compliance with GDPR as the highest standard for the protection of our users’ personal data rights.
SCOPE OF POLICY
This privacy policy relates to personal data obtained through our app, portal or as part of structured validation studies.
WHAT INFORMATION WE COLLECT ABOUT YOU
Data Protection is a high priority at Blatchford. We work to ensure that we only collect data that is necessary for operation of the Platform. We do so lawfully and in full compliance with the GDPR and applicable local data privacy regulations.
This policy represents the total amount of data collected across all users, your specific authorised use of this product may not involve all data listed, please talk to your clinician for further information.
INFORMATION YOU SUBMIT
General Information:
-
Gender
-
Date of Birth
-
Weight
-
Height
Contact Information: You may share this when you log in or as part of the clinical onboarding process
-
Name
-
Email Address
-
Password or passcode
Health information:
-
Heart Rate Variability
-
Heart Rate
-
Energy expenditure
-
Sleep Quality
-
Gait Data
-
Data related to the use of a Blatchford approved Device
-
Information submitted as part of a structured survey
Other:
-
Video capture of you using a Blatchford approved Device.
-
This is optional and you will be given the choice of opting out
-
The app will need to access your phone camera for this purpose
These indicators are based on metrics the App collects when executing a measurement or importing the data from Apple Health if you decide to connect Apple Health to our App.
INFORMATION COLLECTED AUTOMATICALLY
When you use the Platform, information about your device and user behavior may be collected and processed automatically. This information is generally non-personal, i.e. it does not, on its own, permit direct association with any specific individual. However, a set of this information may allow us to identify you as a separate user of our services, therefore we treat such information as Personal Data and protect it as prescribed by law. We process Personal Data based on the contract between you and us or our legitimate interest in improving our App and giving our users the best experience
Device Details. When you use a mobile device to access our App, some details about your device are reported subject to your privacy choices as provided by iOS functionality. For example, device identifiers and other metadata. Device identifiers are small data files or similar data structures stored on or associated with your mobile device, uniquely identifying your mobile device (but not your personality). Device identifier enables generalized reporting and analytics. In this regard, the following information may be collected and processed:
-
Information about the device itself: type of your device, type of operating system, and its version, model, and manufacturer.
-
Information about the internet connection: mobile carrier, IP address, timestamp, and duration of sessions.
-
Location-related information: IP address, the country code/ region/ state/ city associated with your SIM card or your device, language setting, and time zone.
-
Information about the App: name, API key (identifier for application), version, and App properties can be reported for automated processing and analysis.
-
Cookies and similar technologies. When you use the App, cookies and similar technologies may be used (pixels, web beacons, scripts). A cookie is a text file containing small amounts of information downloaded to your device when you access the App. The text file is sent back to the server each time you use the App. This enables us to operate the App more effectively, we use the minimum required cookies for effective operation of our App and Portal.
-
Log file information. Log file information is automatically reported each time you request to access the App. It can also be provided when the App is installed on your device. When you use our App, analytics tools automatically record certain log file information, including the time and date when you start and stop using the App and how you interact with the App.
-
In-app events. When you use our App, analytics tools automatically record in-app information (e.g. screen navigation and device interactions).
THE LAWFUL BASES AND PURPOSES OF PROCESSING YOUR PERSONAL DATA
Without first notifying you, we will not collect or use your Personal Data. We will handle your Personal Data using one or more of the following lawful bases, depending on which features of the Platform you use:
-
Consent. For example, prior to a Gait Visualiser session we may ask you for your preference for the processing of this data.
-
Legitimate interest. We may process your Personal Data in relation to our interests in providing the Platform services to you, our legitimate commercial interests, our interest in protecting the security and integrity of the Platform, as allowed under the law.
-
Legal obligations. We may be obligated to process some of your Personal Data to comply with applicable laws and regulations, for example reimbursement related activities.
HOW WE PROCESS YOUR PERSONAL DATA
The technical processing activities that Blatchford carry out to deliver the Platform services are done so in secure IT service environments. When we process your personal data we use select third party IT service providers with whom we have established contractual agreements to ensure the security of their processing activities and compliance with application data privacy regulations:
Third Party Processors:
-
Cloudflare: Cloudflare's Privacy Policy | Cloudflare
-
Twilio SendGrid: Twilio Privacy Notice
-
Infor: Privacy (infor.com)
-
Salesforce : Salesforce Privacy Information - Salesforce.com US
|
Processing Activity |
Data Type |
Example |
Lawful Basis |
|
User authentication and training records |
Personal: IP Address, First and last name Clinician training and certification status |
Needed for secure use of the app. Needed to ensure clinical features are only used by suitably trained users |
Legitimate Interests |
|
App network information |
Personal: IP Address |
Used to protect against common cybersecurity risks |
Legitimate Interests |
|
Data store for product warranty information and product performance improvement |
Personal: Device serial number, Date of fitting, Purchase date |
Required for expert remote support of issues and for helping quickly send a replacement device (depending on warranty status) |
Legitimate Interests |
|
Device management |
Special Category (Medical): User survey responses (may contain special category data in free text form field) Gait session videos, Gait session data streams |
Providing device updates, remote device support or remote training support |
Informed Consent |
|
Data store for app device processing |
Personal: Device Identifier, User Identifier Blatchford device logs |
Data store for Device Management Service connection history, analysis of device usage and support |
Legitimate Interests |
|
Data store for physiological data processing |
Personal Health: Weight, Height, Heart Rate, Heart Rate Variability, Energy Expenditure, Sleep Quality |
Capturing user physiological data whilst using the Device, analysis of human response to Device |
Informed Consent |
SHARING OF YOUR INFORMATION
While we use the above listed third parties for technical processing, we do not share your personal data with any other third parties.
Blatchford employees may have access to your personal data for the purposes of fulfilling the Platform services. This is strictly limited to staff who need to access the data as part of their job role. Our employment agreements ensure that our staff are contractually bound to ensure the confidentiality of your data.
YOUR DATA PRIVACY RIGHTS
Under the General Data Protection Regulation (GDPR) and other applicable data protection laws, you have certain rights regarding your personal data. These rights are designed to give you control over how your data is collected, used, and stored.
Right to Access: You have the right to request access to your personal data that we hold about you. This includes information about the data we collect, how it is used, and who it is shared with.
Right to Rectification: If your personal data is inaccurate or incomplete, you can request that we correct or update it.
Right to Erasure (Right to be Forgotten): You can request the deletion of your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected, or if you withdraw your consent on which the processing is based.
Right to Restrict Processing: You have the right to request that we limit the processing of your personal data under specific conditions, such as when you contest the accuracy of the data or object to its processing.
Right to Data Portability: You can request that we transfer your personal data to another organization or to you in a structured, commonly used, and machine-readable format, where technically feasible.
Right to Object: You have the right to object to the processing of your personal data for direct marketing purposes, or when processing is based on legitimate interests, unless we have compelling legitimate grounds for the processing.
Rights Related to Automated Decision-Making: You have the right to not be subject to decisions based solely on automated processing, including profiling, which produces legal effects concerning you or significantly affects you, unless such processing is necessary for the performance of a contract, authorized by law, or based on explicit consent.
EU Member State Variations: Different EU member states may have additional data protection rights or procedures that enhance the protections provided by the GDPR.
EXERCISING YOUR RIGHTS
Blatchford maintains a set of policies and procedures for managing any requests that you might submit to exercise your rights under the applicable data protection regulations. This includes how to handle subject access requests, logging, timeframes, and legal requirement which is centrally overseen and reported.
A Data Protection Officer has been appointed. To make a request to Blatchford for any personal information we may hold, you will need to request the information from us, either verbally or in a written format. You have the choice of either completing the Subject Access Request (SAR) form, or via email, or via letter to the address provided at the end of this Privacy Policy.
DATA MANAGEMENT
RETENTION
Blatchford will only retain personal data collected for the periods defined in our records retention schedule.
INTERNATIONAL TRANSFERS
UK and EU end user data will not be transferred to 3rd parties outside of the EEA. Blatchford’s intra-group transfer agreement allows Blatchford to transfer data to its US entity for operational purposes.
SHARED OR MERGED WITH OTHER DATASETS?
Other than in exceptional circumstances, no personal data will be merged or shared with other datasets. In such instances where this is needed, an enhanced informed consent process will be used.
CHILDREN'S PRIVACY
General limitation. The Services are not intended for children and we do not knowingly collect or solicit any personal information from children under 12. If we learn that we have collected personal information from a child under age 12 without verification of parental consent, we will erase that information as quickly as possible. If you believe that we might have any information from or about a child under 12, please contact us at [email protected]
Limitations for users from the European Economic Area and the United Kingdom.
The use of the Services by residents of EEA or the UK younger than 16 years old is prohibited. If you know that a person under 16 is using the Services, please contact us at [email protected] and we will take measures to delete such information and/or delete the child’s account.
CHANGES TO THE PRIVACY POLICY
This Privacy Policy is updated regularly.
We keep our privacy notice under regular review, and we will place any updates on this page.
This privacy notice was last updated on 17/01/2025
WHO WE ARE AND HOW TO CONTACT US
Blatchford Group is the company that you are supplying your personal information to. The Data Protection Officer for Blatchford and can be contacted by:
Email: [email protected]
Post:
Data Protection Officer
Blatchford Ltd
Unit D Antura
Kingsland Business Park
Basingstoke
Hampshire
RG24 8PZ