Privacy Policy

Last Updated and Effective: October 17, 2024

What is this document?

Privacy policies can be dense and inaccessible. Sometimes you just want your question answered quickly without having to navigate pages of text. With this document, we hope to make that easier. We tried our best to make our Privacy Policy as easy to navigate and understand as possible. If you have any questions while reading it, please don’t hesitate to reach out to hello@bigsister.live.

For purposes of this Policy and unless otherwise specified, “data” includes information that is linked to one person or household including things like name, email address, phone numbers, device ID, Third Party identifiers, contact information, device usage data, communications with us using our digital communication platform (the “Platform”) . Some jurisdictions might consider this to be “personal data,” “personally identifiable information,” or “sensitive personal data” in certain circumstances. When you use and access our app or website, you accept and agree to both the Terms and Conditions and this Privacy Policy, including that we’ll share certain data with Service Providers.

Will this document be updated?

We may update this Privacy Policy. When we make significant changes to this Policy, we will notify you through our website or app when you log in to your account. We encourage you to periodically review this page for the latest information.

How to navigate this document

This document is broken into seven sections divided by topic. To navigate to a section, reference the list below which provides examples of the types of questions that will be answered in that section.

SECTION 1

Data Collection and Processing

  • What data do we collect, store, and Process?

  • Why do we collect and Process this data?

SECTION 2

Data Sharing

  • Why do we share your data?

  • How do you use my data to comply with the law?

  • Do we sell your data?

  • Do we share any information between you and your Therapist with Third Party advertisers?

SECTION 3

Data Retention, Erasure, and Exporting

  • How long do we retain your data?

  • What type of data do we retain and why?

  • How can you request data erasure or a copy of your data?

  • Why do we need to retain your data to comply with the law?

SECTION 4

Security and Anonymity

  • How do we keep your data secure?

  • How do you best remain anonymous when using BetterHelp?

  • Who can see the conversations with your Therapist?

SECTION 5

Additional privacy notices for California, UK, GDPR, and non-US/UK/EU residents

SECTION 1: Data Collection and Processing

Do you collect, store, or Process my data?

The categories of data which we Process are listed below. We Process this data to check for potential dangers on your connected devices. We may also Process data to send you periodic emails or text messages. In some cases, these communications are to help provide services. Other times, they are to provide marketing communications. You can opt out of receiving texts or marketing communications at any time. We will NOT Process and share data with Third Parties2 for advertising purposes. You can find more details in the relevant sections of this Policy.

What specific data are you Processing and why do you collect it?

We collect the minimum amount of data to identify dangers, and we delete the raw data only keeping the results of the analysis. We explain in the section below the specific data we collect and Process and, in the section following this, the business purpose for collecting and Processing this data. You will also see a column that identifies the legal basis for processing the data. We may rely on one or more legal bases for processing.

As highlighted in the table below, we collect and Process “Useage Data“..

You can find information on how long we store the data during processing we collect and Process these categories of data in the “How long do you retain my data and how do I request data erasure?” section of this Privacy Policy.

Name of category of data

Information that is collected and what it is used for:

“Visitor data”

What is collected:

When you visit the website, app, or Platform, we Process information like the particular pages visited or which features you interacted with, the amount of time on the website or app, site/app/Platform errors, information about the type of device and browser you’re using, and IP address. We may Process IP address, hashed email address, External Identifiers and Internal Identifiers (if available based on the settings of your device). We will NOT share the information with Third Parties, and will not opt in to Advertising (previously "Targeting cookies") and web beacons.

What it is used for:

  • Connecting you with appropriate services

  • Facilitating a seamless user journey

  • Communicating with you5

  • Monitoring and improving service quality

  • Personalizing your web or app experience

  • Helping us understand how you use our services, how we can improve our products and services to make them more effective and convenient, and offer you new features

  • Complying with laws

  • Protecting your safety and the safety of others

  • Send opportunities, promotions, news, updates and reminders about our services and your account

  • Monitor and protect the security of the Platform

Legal basis for processing

  • Legitimate Interest

  • Consent

“Onboarding data”

What is collected:

To create an account with the Platform, the user first fills out basic account data. We Process the information to onboard you as a user.

What it is used for:

  • Personalizing your web or app experience

  • Complying with laws

  • Sending alerts to your email address in the case a danger is detected

Legal basis for processing

  • Consent

  • Performance of Contract

“Account Data”

What is collected:

Once a user creates an account with the Platform, we Process data such as the account name, other demographic and contact information, such as email, age, phone number, emergency contact details, and whether a user verifies their email address. The user can onboard with consent of their family member basic information to group the monitored devices, namely name and age and whether the person is vulnerable. Device identifiers of the linked devices are collected.

What it is used for:

  • Grouping the devices under user family members

  • Personalizing your web or app experience

  • Complying with laws

  • Protecting your safety and the safety of others

  • Monitor and protect the security of the Platform

Legal basis for processing

  • Performance of Contract

  • Legitimate Interest

“User ID”

What is collected:

We assign each user who create an account a sequentially-generated user ID. User IDs are unique to each account and are required in order to enable the Platform to function.

What it is used for:

  • Connecting you with your devices and data

  • Facilitating the services

  • Communicating with you

  • Monitoring and improving quality

  • Personalizing your web or app experience

  • Helping us understand how you use our services, how we can improve our products and services to make them more effective and convenient, and offer you new features

  • Complying with laws

  • Protecting your safety and the safety of others

  • Send opportunities, promotions, news, updates and reminders about our services and your account

  • Monitor and protect the security of the Platform

Legal basis for processing

  • Performance of Contract

  • Legitimate Interest

“Transaction Data”

What is collected:

We Process data about payment transactions on the Platform such as whether a user completed payment for our services, signed up for services using a trial offer, canceled or ended a trial, received a discount or financial aid, or received any extensions or refunds. We also process whether a visitor has registered to create an account.

What it is used for:

  • Connecting you with services

  • Communicating with you

  • Monitoring and improving service quality

  • Personalizing your web or app experience

  • Helping us understand how you use our services, how we can improve our products and services to make them more effective and convenient, and offer you new features

  • Complying with laws

  • Protecting your safety and the safety of others

  • Send opportunities, promotions, news, updates and reminders about our services and your account

Legal basis for processing

  • Performance of Contract

  • Legitimate Interest

“Engagement Data”

What is collected:

We Process usage data about how you interact with emails we send and different features when you’re logged into the platform. For emails we send, we collect usage data including whether you receive an email, open it, and click any links it contains. When you log onto the Platform, we also collect usage data about activity conducted during that logged in session such as when a user logs in, the login timing, number and length of messages received or sent through the Platform, received or sent message timing, number and duration of live session scheduled or conducted, the number and timing of use of other features such as worksheets, journals, and goals. This category does not include Therapy Data like the content of any messages sent or received by users, the content of any live sessions, or the content of journal entries, worksheets, or goals.

What it is used for:

  • Communicating with you

  • Monitoring and improving quality

  • Personalizing your web or app experience

  • Helping us understand how you use our services, how we can improve our products and services to make them more effective and convenient, and offer you new features

  • Complying with laws

  • Protecting your safety and the safety of others

  • Send opportunities, promotions, news, updates and reminders about our services and your account

Legal basis for processing

  • Legitimate Interest

“Usage Data”

What is collected:

We Process data from the connected devices including keystrokes, web activity, app usage, call lengths and recipients, message content. We do not save this data.

What it is used for:

  • Understanding if there is any potential dangerous activity happening

  • Complying with laws

Legal basis for processing

  • Performance of Contract

  • Legitimate Interest

“Analysed Data”

What is collected:

We analyse Usage Data and glean general patterns of use e.g. screen time, app usage. We also glean potential dangers and categories of dangers.

What it is used for:

  • Information for the user about the potential dangers for their family members

Legal basis for processing

  • Performance of Contract

  • Legitimate Interest

“Quality Data”

What is collected:

We Process client feedback about the app, actions regarding cancellation, and the reason selected by the client. We Process devices connected, those bought but not connected and duration of contracts. 

What it is used for:

  • Monitoring and improving quality

  • Personalizing your web or app experience

  • Helping us understand how you use our services, how we can improve our products and services to make them more effective and convenient, and offer you new features

  • Send opportunities, promotions, news, updates and reminders about our services and your account

Legal basis for processing

  • Legitimate Interest

“Customer Service and Communications Data”

What is collected:

We Process communications users have with our Customer Service team.

What it is used for:

  • Communicating with you

  • Complying with laws

  • Protecting your safety and the safety of others

Legal basis for processing

  • Performance of Contract

  • Legitimate Interest

“Expert Data”

What is collected:

In order to engage with Experts who express an interest in working with us (such ason the Expert advice panel), follow up with Experts who applied to work with us on the status of their applications, to identify, match, credential, re-credential, run checks, pay consultants, we process Expert information such as the Expert's name, bank account information, gender, date of birth, e-mail address, and areas of interest/expertise/language, education, and job history. Experts may also separately and outside of this Policy, consent to using facial photographs to display on the website or promotional activity.

What it is used for:

  • Improving the service through a body of Experts

  • Personalizing your web or app experience

  • Helping us understand how you use our services, how we can improve our products and services to make them more effective and convenient, and offer you new features

  • Complying with laws

  • Protecting your safety and the safety of others

  • Send opportunities, promotions, news, updates and reminders about our services and your account

  • Monitor and protect the security of the Platform

Legal basis for processing

  • Legitimate Interest

  • Performance of Contract

  • Consent

Do you Process location data?

We process your IP address to determine your rough location so that we can personalize the platform for you. For example, we show you relevant information about our service that applies to visitors from your country.

We also utilize your connected device location to provide the parent/carer knowledge of where their children are.

We Process your address information when you provide it as part of your emergency contact information when you start using the Platform. Your contact information is required to comply with our safeguarding policy. It can be used, for example, in case you devices indicate you or your family are in immediate danger. When you are filing out this field, we may process your rough location to provide autocomplete suggestions for your convenience.

Rough location using your IP address is also Processed by the ReCAPTCHA security API tool we use. ReCAPTCHA is a Service Provider we use to identify potentially malicious actors trying to access our site. Here is the ReCAPTCHA Privacy Policy and Terms of Service.

How do we use Artificial Intelligence?

We use Artificial Intelligence (AI) and Natural Language Understanding (NLU) algorithms to support identifying online dangers and alerting you. Our processing of data may include some automated and some human (or manual) methods of processing. To help ensure these tools remain fair and accurate, as well as protect the privacy of our users, we either thoroughly review a model or build it internally.

SECTION 2: Data Sharing

What are the purposes for sharing my data?

Here's some more information about the purposes for which we share your data:

  • Your data may be shared to comply with applicable laws. For example, a court might subpoena information from us where we would be required to share certain information requested in the subpoena. This is not unique to Be Online Safe and Savvy. 

  • Occasionally, your data may be handled by a select number of employees. These employees are under strict duties of confidentiality.

  • We may share certain data with Service Providers12 that provide limited services that help us operate the Platform. Examples include:

    • Data hosting and storage providers: For example, cloud hosting providers such as Amazon Web Services (AWS).

    • Technology Service Providers: For example, we sometimes integrate tools into our Platform which give our Platform more functionality, like technology that helps us provide live audio, video and group meetings.

    • Customer Service Providers: For example, we use a tool that helps keep track of requests and questions from our Members in a secure way.

    • Email management and communication Service Providers: For example, we may use a tool that makes reaching out to you easier for us and more convenient for you.

    • Marketing and advertising Service Providers: For example, we may partner with an agency to run a marketing campaign or to help us better understand how to run our own campaigns to reach more people who may be interested in starting therapy. Remember that Service Providers can only legally use data at our direction - no other person or company can authorize how they use it and they cannot disclose data that is individually identifiable to any other person or company, other than to us or the Service Providers' own subcontractors provided that they're bound to data Processing terms that are no less restrictive than the Service Provider's terms.

    • Billing and payment processing Service Providers: For example, we use Stripe to help process payments in a secure way. Stripe also assists us in paying Therapists and issuing tax documents to them. For this purpose, we may share email addresses of Therapists with Stripe and other data that is needed to pay Therapists such as a Therapist's name and tax ID.

    • Reporting and analytics Service Providers: For example, we might use a service to help us keep track of which pages and features are most used on our site.

    • Advisors and lawyers: To assist with business matters.

    • We may share some of your data with Service Providers to ensure the safety and security of the Platform and that of our users.

  • For Members who receive services in connection with an employer, school, organization, or other business partner, we may share group-level usage data with your organization. 

  • We may share some of your data in connection with an asset sale, merger or bankruptcy.

If you opt in to "Analytics (previously "Performance cookies")", we may use analytics cookies and other tracking technologies to share your data with trusted Service Providers that assist us to Process1 data for activities including but not limited to analyzing traffic sources, visits, and site interactions. This analysis helps us to improve our products and services.

How do you use my data to comply with the law?

When required by law, we cooperate with government agencies. This is not unique to Be Online Safe and Savvy. For example, a court might subpoena information from us where we would be required to share certain information requested in the subpoena. You should also be aware that the Platform may be obliged to disclose information to authorities to meet professional and legal responsibilities. 

Do you sell my data?

We aren't paid by anyone for any data. 

Are you using my data for advertising?

In order to reach people who may be looking for online safety support, we advertise on some Third Party2 web properties such as Third Party websites and apps. In order to minimize advertising costs related to this process and downstream costs to you, we strive to deliver ads that are relevant, interesting, and personal.

We do not engage in “retargeting” advertising. Retargeting advertising is a type of advertising whereby advertisers leverage the fact that you viewed a page or took an action on their site to advertise to you again on third party properties in the hope that you will see the ad and return to their site.

To be clear, we don't share any data or information on your device useage. We don't share information with Third Party advertisers like Member names, phone numbers, danger alerts, or any other type of private communication you have with your Therapist on the Platform.

As described further above at SECTION 2 Data Sharing, we may also partner with some Service Providers to assist in marketing campaigns. Remember that in addition to needing a series of rigorous security standards (as further detailed here), Service Providers can only legally use data at our direction - no other person or company can authorize how they use it and they cannot disclose data that is individually identifiable to any other person or company, other than to us or the Service Providers' own subcontractors provided that they're bound to data Processing terms that are no less restrictive than the Service Provider's terms.

SECTION 3: Data Retention, Erasure, and Exporting

How long do you retain my data and how do I request data erasure?

Be Online Safe and Savvy is committed to ensuring that all applicable Member data is retained only for the amount of time required to provide relevant products and services and in accordance with relevant legal requirements.

Certain categories of data are retained for a period of time after you cancel your Membership or your Membership becomes inactive. These categories of data are retained to allow for a seamless reactivation in the event you begin using our services again and the user to reference historical information. Retaining this data is also needed to ensure our products and services function.

In addition to the data retention schedule outlined below, Be Online Safe and Savvy maintains a process for all Members (regardless of where they live) to receive and process, without undue delay, requests to erase or access their data.

The following sections describe both how long a Member can expect their data to be retained with respect to specific account information as well as how to request data erasure and access. In this Policy, data erasure is defined as the permanent removal or obfuscation of identifiable data (See "What is this Privacy Policy") so that it is no longer accessible by anyone.

Retention Policy

Be Online Safe and Savvy data retention policies are based upon what data is being Processed1, and if the Member proactively requested data erasure or if the erasure is triggered due to Platform inactivity.

I am a Member who...

How long your data is retained

Did not onboard devices & Did not request data erasure

Your data is retained for 3 years after your last login date and is then erased.

Did onboard device(s) & Did not request data erasure

Your data is retained for 10 years after your last login date and is then erased. Your Device “useage data” is deleted after it has been analysed.

Did not onboard device(s) & Did request data erasure

Your data is erased within 24 hours of the erasure request.

Did onboard device(s) & Did request data erasure

Your information which is Communications (e.g. record of Member complaints or deletion requests), or disclosures of PII to Third Parties2 is erased after 10 years.

All other personal identifiable information in the following categories is erased within 24 hours of the erasure request..

Exercising Your Data Protection Rights:

As stated, you have certain rights under data protection laws, including the right to request that we erase personal data we hold about you, and the right to request a copy of it. The following sections describe how you can exercise those rights.

Requesting Data Erasure:

To request data erasure, please log in to your account and go to Menu > My Account (or Account Settings) > My Personal Information, where you will see a link to request complete erasure of your account. Click that and follow the instructions to begin the data erasure process. You will receive a confirmation email from us within 24 hours of your request.

If you do not have access to your account or are having trouble with this method, you can directly contact Member Success at hello@bigsister.live and they will assist you with the process. Additionally, if, under applicable data protection laws, you have the right to request that data we hold about you be edited or rectified, you may make this request by contacting hello@bigsister.live. You can expect to receive an email confirming receipt of your request within 24 hours.

Additionally you can visit our opt out instructions page to request erasure or to opt out of previous settings you have opted into.

You may reach out to us at  hello@bigsister.live if you need additional help. We will only comply with a request for the erasure of your data if we can verify your identity. There is usually no charge. In exceptional circumstances, we may charge a reasonable fee after discussing the fee with you.

If you reach out to  hello@bigsister.live, we have specific requirements that must be met in order for us to process your data erasure request.

Requirements:

  • Only you or your authorized representative may make a request on your behalf. You may also make a request on behalf of your minor child depending on the applicable laws.

  • You must provide sufficient information that allows us to reasonably verify your identity or status as an authorized representative.

  • You must provide details that allow us to understand, evaluate, and respond to your request.

In some circumstances, legal or regulatory requirements limit our ability to honor erasure requests. As such, we may decline requests for erasure if the information is:

  • Subject to a litigation hold or legal request to preserve it.

  • Necessary to comply with laws and regulations and to maintain business integrity.

Additionally, compliance obligations require us to retain records documenting certain interactions you have with us related to your Membership. As such, we cannot honor erasure requests for information contained in records of:

  • Communications about complaints and erasure or access requests.

  • Disclosures of personal data to Third Parties.

If we don’t intend to comply with a request, then we will tell you why this is the case, and outline how we weighed your rights and freedoms against our legal obligations. In such instances, any information retained will only be used for purposes contemplated under the legally recognized exemption.

Requesting a copy of my data

To receive a summary copy of your data, please log in to your account and go to Menu > My Account (or Account settings) > My Personal information, where you will see an option to request a copy of your data. 

Additional data which we maintain includes email interactions with our help desk, which is stored on your email system. You may also request this information by writing to  hello@bigsister.live. As with data erasure, we are not always able to respect your request for data access. For more information on why this may be and how the situation will be handled, please reference the previous section.

SECTION 4: Security and Anonymity

How do you keep my data secure?

We apply industry standards and strive to apply best practices to prevent any unauthorized access and disclosure. Internet-based services carry inherent security risks, but our systems infrastructure, encryption technology, operation and processes are all designed, built, and maintained with your security and privacy in mind. Our Platform is certified by Cyber Security Plus.

Be Online Safe and Savvy employs data security professionals whose job it is to make sure we use secure technology to protect your data. We have an Information Security team who test internal security at Be Online Safe and Savvy to try and anticipate threat actors and act defensively to build processes and infrastructure to prevent incidents and attacks. We have numerous robust security practices such as:

  • All messages have 256-bit encryption.

  • Our servers are distributed across multiple Tier 3 AWS Data Centers for optimal security and protection.

  • Our browsing encryption system (SSL) follows modern best practices.

  • Our databases are encrypted and scrambled rendering them useless in the unlikely event that they are stolen or inappropriately retrieved.

  • We have robust monitoring and alerting systems and procedures in place that include both automated systems and humans.

For your own security, keep the following in mind:

  • Phishing: This is a type of online identity theft or account hacking. We will never request your login information or credit card information in any non-secure or unsolicited communication. You should always be diligent when you are asked to provide your account information and make sure it is in our secure system.

  • External links: Our Platform may contain links to an external website or service. We do not control external websites, and do not have control over their privacy policies and terms of use. The fact that we link to a website is not an endorsement, authorization, or representation of our affiliation with that external party or of their privacy and security policies or practices.

Can I sign up for Be Online Safe and Savvy and remain anonymous?

When you sign up for an account on Be Online Safe and Savvy, we do not ask you for your full name. You may pick any name or “nickname” which will identify you in the system. You will need to provide an email address so that we can verify your account, and so we can communicate with you. You can choose an email that does not include your name (including if you are coming to us from an employer, organization, or other business partner and do not want to use your organization’s email address), but you should be aware that in some jurisdictions emails may be considered “personal data,” “personally identifiable information,” or “sensitive personal data” in certain circumstances. When you decide to use the service, we’ll ask you for your contact information for emergency situations such as if the Platform deduces you or someone else is in immediate danger.

Even though we try to limit the kinds of information you must provide to us as discussed above, it is very difficult to be truly “anonymous” when you use any app or the internet. Read more about what data we Process1 and why here:

Who can see the data on my family members and devices?

Our internal Trust and Safety or Legal teams may review correspondence for specific accounts if we have a reason to believe that there is a security, legal, or fraud issue occurring with that specific account.

Data and alerts are not shared with any Third Party2

How do you treat data from children?

We follow a strict safeguarding policy for data from children. The legal parent or guardian must be the account holder and the consent of the child obtained. 

SECTION 5: Additional privacy notices for California, UK, GDPR, and non-US/UK/EU residents

Additional Privacy Notice for California Residents

This Privacy Notice for California Residents supplements the Be Online Safe and Savvy Privacy Policy to comply with the California Consumer Privacy Act of 2018 ("CCPA") and the California Privacy Rights Act ("CPRA") of 2020.

The CCPA and the CPRA are California laws that provide its residents with certain rights over information about them, including notice about the categories of personal information we have collected from them in the preceding twelve (12) months and the purposes for which the information is used or disclosed, and correction of personal information.

The following Sections outline the data that is Processed1 by us, as well as the purpose for collection, and the categories of sources of such information:

The data referenced at those links may fall in certain defined categories under the CCPA and CPRA. Accordingly, we may have collected:

  • Identifiers;

  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e));

  • Protected classification characteristics under California or federal law;

  • Commercial information;

  • Biometric information;

  • Internet or other similar network activity;

  • Geolocation data;

  • Sensory data;

  • Sensitive Personal Information;

  • Professional or employment-related information; and

  • Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

The information that we have disclosed in the past 12 months and the recipients of the information are described above, in the section titled "What are the purposes for sharing my data?" The information that we may have shared in the past 12 months falls into the following personal information categories under the CCPA and CPRA:

  • Identifiers;

  • Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e));

  • Protected classification characteristics under California or federal law;

  • Commercial information;

  • Internet or other similar network activity;

  • Geolocation data;

  • Sensory data;

  • Sensitive Personal Information; and

  • Professional or employment-related information;

  • Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).

We aren't paid by any external or Third Party2 for any data. The information that we may have “sold” (for purposes of the CCPA and CPRA) in the past 12 months falls into the following personal information categories under the CCPA and CPRA:

  • Identifiers;

  • Commercial information; and

  • Internet or other similar network activity.

Do I have the right to know what information you have about me?

Yes, as a California resident you can request certain information about what we have Processed over the past 12 months. Once we receive and verify your consumer request, we can provide:

  • The categories of personal information we collected about you.

  • The categories of sources for the personal information we collected about you.

  • Our business or commercial purpose for collecting that personal information.

  • The categories of Third Parties with whom we shared that personal information.

  • The specific pieces of personal information we collected about you.

  • Whether we disclosed your personal information for a business purpose and the personal information categories that each category of recipient obtained.

We will verify your identity by matching the information you provide with information that we maintain about you or via biometrics (specifically, FaceID via iOS). You also have the right to request that we correct personal information about you if it is found to be inaccurate. To make such a request, please send an email to hello@bigsister.live

Can I “opt out” or request that you delete my information?

Yes, you can request that we delete your data as described in the section of this Policy called: "How long do you retain my data and how do I request data erasure?" Once your request is received and verified by matching the information you provide with information that we maintain about you or via biometrics, we'll move forward with the Process of deleting your information in line with our legal requirements and Retention Policy. We cannot fulfill a deletion request and need to retain your information if the data is necessary to:

  • Provide you services, take actions reasonably anticipated within the context of our ongoing business relationship, or otherwise perform our contract with you.

  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.

  • Debug products to identify and repair errors that impair existing intended functionality.

  • Exercise free speech, ensure the right of another consumer to exercise their free speech rights, or exercise another right provided for by law.

  • Comply with applicable laws, including but not limited to, the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 seq.) and information covered by the California Confidentiality of Medical Information Act.

  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.

  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

General Data Protection Regulation (GDPR) and UK General Data Protection Regulation Notice

This section provides additional information about our Policy relevant to you if you are from the European Economic Area (the EEA), United Kingdom, and Switzerland (together “European Area Countries”). It supplements and should be read in conjunction with the rest of the Policy. Under the European Area Countries' privacy laws, we are the Controller with respect to your data.

What are my rights and choices under European Area Countries laws?

European Area Country residents have specific rights regarding their data. This section describes your rights if you are resident in the European Area Countries and explains how to exercise those rights.

  • Subject access request: See further how to exercise this right here.

  • Right to rectification: If the data we hold about you is inaccurate, you may request rectification. The data will be checked, and, where appropriate, inaccuracies will be rectified. Exercise this right by emailing Member Success at hello@bigsister.live and they will assist you with the process.

  • Right to erasure: In certain circumstances, you may be entitled to ask us to erase your data. See further how to exercise this right here.

  • Right to data portability: In certain circumstances, you may wish to move, copy, or transfer the electronic data that we hold about you to another organization. See further how to exercise that right here.

  • Right to object: You may object to your data being used for direct marketing. You may object to the continued use of your data in any circumstances where we rely upon consent as the legal basis for Processing it. Where we rely upon legitimate interests as the legal basis for Processing your data, you may object to us continuing to Process your data, but you must give us specific reasons for objecting. We will consider the reasons you provide, but if we consider that there are compelling legitimate grounds for us to continue to Process your data, we may continue to do so. In that event, we will let you know the reasons for our decision. In some instances, objecting to certain Processing may impact our ability to provide you with services.

  • Rights related to automated decision-making including profiling: We use limited data to operate the Platform and to carry out certain profiling activities to support and grow our business. When doing so, we rely upon our legitimate interests as the lawful basis for Processing your data, and you may exercise the above rights if you do not wish us to Process your data in this way.

To exercise the rights in relation to your data set out in this section, please contact us at hello@bigsister.live.

Is my data transferred internationally?

We transfer data from the EU or US to the U.K because our servers are located in the UK. This transfer is conducted on a legal basis to ensure the protection of your data and compliance with applicable data protection laws. The legal basis for this transfer is the EU-U.S. Data Privacy Framework (DPF).

You can contact our Data Protection Officer with questions, about this Policy, or about your data by writing to:

Attn: Be Online Safe and Savvy: Data Protection Officer 12 East Court Mews, Cheltenham, UK, GL52 6UN

While we'll always work with you to resolve any concerns you have about the use of your data, under GDPR you have the right to lodge a complaint with the supervisory authority in your country of residence if you have any concerns about our use of your personal information.

Additional Privacy Notice for non-US, non-UK, and non-EU residents

As a part of our standard business practices, data is transferred outside of many visitors' countries of residence and predominantly used, accessed and processed within the U.K. Fortunately, given the robust and rigorous nature of privacy laws in the US, UK, and EU with which we comply, Be Online Safe and Savvy considers that this has the effect of protecting user information in a way that, overall, is at least substantially similar or in many ways exceeds non-UK data privacy legal requirements. To the extent we contract with vendors who are outside of the U.K, we ensure that specific safeguards have been established to protect that data.

UK GDPR Compliance

Be Online Safe and Savvy complies with the UK General Data Protection Regulation ("UK GDPR") and the EU General Data Protection Regulation ("EU GDPR") with respect to the processing of personal data from individuals in the UK, EU, and Switzerland.

If you are located in the UK, EU, or Switzerland, you have the right to request access to the personal data we hold about you and request that we correct, amend, or delete your personal data if it is inaccurate or processed in violation of applicable data protection laws. We will provide you an opportunity to opt out where your personal data is to be disclosed to a third party or used for a purpose that is materially different from those set out in this Privacy Policy. If you would like to exercise any of your rights, please contact us via the details provided below.

In compliance with the UK GDPR and EU GDPR, Be Online Safe and Savvy commits to resolving complaints about our collection and use of your personal data. We will investigate and attempt to resolve any complaints within 45 days. Individuals in the UK, EU, or Switzerland with inquiries or complaints regarding our handling of personal data should first contact us at [DPO email address].

Be Online Safe and Savvy is subject to the enforcement and sanctioning powers of the UK Information Commissioner’s Office (ICO) and, as applicable, the relevant Data Protection Authorities (DPAs) in the EU regarding our processing of personal data received from the UK, EU, or Switzerland.

Be Online Safe and Savvy commits to resolving complaints about our collection, use, or handling of personal data transferred in compliance with applicable data protection laws. Under certain conditions, you may have the right to lodge a complaint with your local Data Protection Authority or to seek binding arbitration when other dispute resolution procedures have been exhausted.

In the context of an onward transfer, Be Online Safe and Savvy is responsible for the processing of personal data it receives under the UK GDPR and EU GDPR and subsequently transfers to a third party acting as an agent on our behalf. We shall remain liable if our agent processes your personal data in a manner inconsistent with the applicable data protection laws unless we are not responsible for the event giving rise to the damage.

Please note that under certain circumstances, we may be required to disclose your personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.