BFB Labs: Privacy notice

Introduction

BFB Labs Limited (‘BFB’) and buyers of its products recognise the importance of protecting personal data.  

Both are committed to complying with data protection legislation and, as part of that, being transparent with individuals around the use of their personal data.  This is any information relating to that individual. 

This Notice seeks to ensure transparency.  It is important for all to read, especially children (through their Parent or Guardian) and the Parent/ Guardian themselves before deciding to provide personal data for processing by the organisation who enabled access and BFB. 

This Notice is provided largely on behalf of the organisation who enabled access who act as ‘Data Controller’ of child and Parent/ Guardian personal data.  They may also have their own Notice which provides similar and additional information. Children (through their Parent/ Guardian) and the Parent/ Guardian should also read the Privacy Notice of the organisation who enabled access..  

Key terms

Distributors are staff within the organisations who make the product available to children and their Parent/ Guardian. 

A Data Controller is an organisation (the enabling organisation) who determines why personal data should be processed and how. 

Where a Distributor acts as a Data Controller, BFB acts as its Data Processor -an organisation (BFB) who processes personal data on behalf of a Controller and to its instructions. 

There are occasions where BFB processes personal data of the child or Parent/ Guardian for its own purposes.  Where that is the case and we act as a Data Controller this Notice will say so. 

Special Category Data is personal data potentially used by the enabling organisation and, in the context of the app,  is that revealing racial or ethnic origin… religious or philosophical beliefs, or health.  

Who are the Data Controllers? 

The primary Controller will be the organisation who made the product available to the child through their Parent/ Guardian. You should have their contact details.  If you do not please contact us at support@bfb-labs.com

We are BFB Labs Limited (‘BFB’).  Our registered office is C/O Better Space, 127 Farringdon Road, London, England, EC1R 3DA. 

We are registered at Companies House UK under company number 09700274. 

Our Data Protection Officer can be contacted via support@bfb-labs.com

We are also  registered with the ICO (UK) under number ZA393479.

Who are BFB? 

We are providers of a NICE recommended digital therapeutic game - Lumi Nova: Tales of Courage- that helps with the symptoms of worries or anxiety and its impact on children aged 7-12 years and enables them to learn to self-manage their worries/anxiety.

It is an engaging intergalactic adventure mobile game facilitating graded exposures (the active ingredient of Cognitive Behavioural Therapy in line with NICE guidance) to empower 7-12 year olds with mild to moderate needs, to learn to self-manage their anxiety in a non-stigmatising way.

Also, it provides psychoeducation to the child and Guardian. The software collects data against widely accepted outcome measure scales and enables children/ parents/ guardians to set goals and create exposure ladders. In addition the software will encourage children to take exposure steps in and out of the software environment. 

The product is made available via the enabling organisation. 

Whose personal data is collected and further processed 

  1. Children who are signed up for the game by a ‘Distributor’ or their Parent/ Guardian.  

  2. The relevant Parent/ Guardian 

  3. Distributors-  staff from an enabling organisation including clinical or educational practitioners who are directly involved in supporting children.


What personal data is collected and further processed 

  1. Children- name; birth date; gender; ethnicity; disability information; postcode; GP surgery; user profile;  unique game key; goals to achieve; health information;  information about usage of the game; answers to reflection questions; 

  2. feedback about your experiences with the game and its effectiveness.

  3. Parent/ Guardian-  mobile phone number;  email address; agreement to Terms and Conditions; response to outcomes rating scale survey;  unique game key, goals for child to achieve;  end of goal outcomes survey; feedback about your experiences with the game and its effectiveness.

  4. Distributors - name, email, phone number, who you work for, username

Please note that you are under no obligation to provide personal data.  However if you do fail to provide it then it is likely that you will not be able to access the game or Hub or, if you are,  make full use of it.  


Why is personal data processed? 

Children 

The child’s information will be used in order to validate their account and ensure data accuracy and what is attributed to them is correct. This ensures that the professionals working with the child can be confident they are looking at the correct child’s data in the Hub.  

Gender, ethnicity, and disability information may be used to understand who is accessing the product / service.  This is because some demographics are more vulnerable to mental health problems. Postcode information can be used to link to the indices of multiple deprivation (IMD) and, again, enables organisations who made the product available understand who is accessing the product / service. 

Health Data is used by the enabling organisation (through the Distributor) to review the effectiveness of the game and how it is helping the young person to deal with their anxiety

Information is also used to create and manage users of the game, monitor use of the game and progress including game analytics and survey responses provided by guardians.

Information is also used to consider feedback about your experiences with the game and its effectiveness.

Personal data (such as age, gender, disability) is used to identify who is using the game and how it is being used. In doing this we do not focus on any individual’s data.  All data is aggregated (combined) and, during that process, the data becomes anonymous. This anonymised data provides us with insights which helps us improve our products, show us who is using the product and their progress, where the product (region) is being used, demonstrate usage and how the product helps to the organisations that enable access to Lumi Nova and to market our products more effectively. 

We also use personal data to ensure the security of your data by ensuring that access to the same by professionals is controlled (by the use of log- ins and passwords) and that data of one user  cannot be accessed by someone else or added to by someone other than the registered user. 


Parent/ Guardian

Information is used  in order to ensure verification and to ensure the Parent/ Guardian of the child is sent the right information to access the game.  Information is also used to  provide the Parent/ Guardian with a unique game key and provide the guardian with updates on their child’s progress. It is also used if there is a need to contact them regarding the game or evaluation of it.  

Information is used to record consent to Terms and Conditions, to provide the Privacy Notice, to review outcomes of surveys, send reminders and to enable guardians to facilitate use of the game by their child. 

Information is also used to provide support to the Parent/ Guardian for them, in turn, to support their child. 

Information is also used to consider feedback about your experiences with the game and its effectiveness.

Distributor (BFB acts as Data Controller)

To enable an administrator within BFB to create and maintain a list of distributors of the game; to send them notifications (email) and generate log in details.  To enable distributors to access the Hub and make use of the child’s and parent/ guardian’s data contained within it. We also use personal data to ensure the security of data by ensuring that access to the Hub is controlled (by the use of log- ins and passwords)

What is the legal basis to collect and further process personal data 

Enabling organisation (through Distributors)

Most of the processing of the data of the child/ parent/ guardian is done with the consent/ explicit (in the case of special category data) consent of the child (given by their Parent/  Guardian).  For the Parent/ Guardian, again most data is processed with consent. 

Where consent is provided it can be readily withdrawn.  If a child (through their Parent/ Guardian) or the Parent/Guardian wish to withdraw consent please contact the referring organisation or email us at   support@bfb-labs.com  

As an alternative the data is processed as it is necessary for performance of a task carried out in public interest or in exercise of official authority by the enabling organisation. 

As regards special category data this may be processed for reasons of substantial public interest or where it is necessary for the purposes of preventive medicine, the provision of health or social care or treatment or the management of health or social care systems and services. 

BFB 

Distributors - we process your personal data in the legitimate interests of the organisation you work for - enabling them to provide support services to children and families.. 

Children/ Parents/ Guardians -   Personal data (such as age, gender, disability) is used to identify who is using the game and how it is being used. In doing this we do not focus on any individual’s data.  All data is aggregated (combined) and, during that process, the data becomes anonymous. This anonymised data provides us with insights which helps us improve our products, show us who is using the product and their progress, where the product (region) is being used, to report on the impact our organisation has, and to promote our products more effectively. This we do in our legitimate business interests. 

If a child (through their Parent/ Guardian) or the Parent/ Guardian objects to us processing to meet these legitimate interests then please email us at  support@bfb-labs.com  telling us why.  We will consider what you have to say and provide a response to you. 

Who is personal data shared with? 

Enabling organisations - Please see their Privacy Notice to see if any personal data is shared by them. 

BFB

We make use of  a sub- processor - Twilio.  This is used for one-way SMS messages which allows us to communicate with parents/ guardians. Twilio also generates and sends a unique game key and game download instructions via SMS . 

Twilio ensures secure storage and secure disposal of data. They have the following accreditations:

ISO 27001; 

ISO 27017

ISO 27018

SOC 2 Compliant

Some personal data is processed by Twillio within Eire (European Union)  and, as such, the protections of the European GDPR apply. 

We also make use of another sub- processor -  Amazon Web Services (‘AWS’) for platform hosting, product service delivery and analytics.

AWS provides start-to-end information management, ensuring secure storage and secure disposal of data.  They have the following accreditations: 

ISO 27001 (Information Security Management System);

ISO 27017 (Cloud Security);

ISO 27018 (Cloud privacy);

SOC 1, 2, and 3 (security, availability, integrity, confidentiality and privacy);

BSI’s Common Cloud Computing Controls Catalogue. 

Personal Data processed by AWS does not leave the UK. 

Apart from the above we may share personal data to:

Comply with the law or orders served on BFB;

Protect or defend the rights or property of BFB Labs (including the enforcement of our agreements); 

To act in urgent circumstances to protect the personal safety and welfare of users of our products or members of the public.

How long do we keep personal data for

Referring organisations will decide how long to retain personal data that they control. Please see their Privacy Notice.  In this regard BFB acts as their Processor. 

BFB will only keep your personal data that we collect or generate as long as it is necessary for the purpose for which it was processed. When it is no longer needed we will securely remove your personal data from our system.

Where is my personal data stored? Does any personal data leave the United Kingdom? 

The only processing of personal data which is outside of the United Kingdom is in respect of Twilio as set out above. 

How is my data kept safe and where is it stored? 

BFB is committed to protecting the security of your personal data. We use a variety of security technologies and procedures to help protect personal data from unauthorised access, use, and disclosure. For example, we store personal data on computer servers with limited access that are located in controlled facilities. 

The Product stores all data using encryption so that only Professionals with the appropriate ‘keys’ are able to access the personal data. The Product sends all communications, except e-mail, using HTTPS.

When we replace our servers we erase the old equipment completely as part of ISO 27001 compliance and in line with National Cyber Security Centre (NCSC) guidelines.

The data that is being collected from the therapeutic game app is automatically encrypted and transmitted to the secure online data portal (VitaMind Online Hub) where it is encrypted at rest.

All data transfers will be in accordance with Secure File Transfer Protocols within the N3/HSCN network and/or in accordance with HSCIC Good Practice Guidelines, published at: http://systems.hscic.gov.uk/infogov/security/infrasec/gpg.

We will always ensure that any proposed secure transfer is in line with the latest guidance issued by the National Cyber Security Centre and industry best practices. 

BFB also holds the Cyber Essentials accreditation and meets the requirements of the NHS Data Security & Protection Toolkit.

What rights do I have?

You have the right to request from the appropriate Controller:

  1. access to your personal data; 

  2. to rectify any inaccurate personal data 

  3. to erase personal data

  4. to restrict processing of your personal data and/ or object to what is done with it, and, 

  5. a right to data portability. 

If you wish to exercise a right please contact either the referring organisation or us at support@bfb-labs.com.  

Complaints

We hope that there are no issues with your use of the game however if you are dissatisfied with the way your personal data has been processed, please contact the appropriate contact the enabling organisation, or us.  

Where your complaint relates to our processing of your personal data we will look into matters for you and reply to you within a reasonable time period.  

After that, if you are still dissatisfied you have the right to complain to the ICO.  They can be contacted via this link.   

Would you like to know more? 

Contact BFB Labs: support@bfb-labs.com

Last Updated: 19th June 2024