BLOOM⁴³ App Privacy Policy 

This privacy policy is designed to help you understand why and how we use your personal data. By personal data we mean information that relates to a living individual and which can identify or be identified with that individual. 

Who we are and how to contact us 

Plexāā is the controller of your personal data. You can contact us at: 
Email: app@plexaa.com 
Address: 20-22 Wenlock Road, London, Greater London N1 7GU, United Kingdom                            

Our Data Protection Officer (DPO) contact details are provided below. 

We are Plexāā, a trading name of Plexāā Ltd, a company with number 11798195 and registered office at 20-22 Wenlock Road, London, Greater London N1 7GU, United Kingdom. 

We may use your personal data to: 

  • enable you to access the BLOOM⁴³ app and website (the “app”); 

  • provide you with health information and support in connection with your breast surgery experience; 

  • enable you to log information within your ‘My Health Hub’ on the app; 

  • allow you to participate in our community on the app; 

  • generate anonymised statistics to share with others for the purposes of research; and 

  • send you information about the app, our company, and the development of the app. 

The above is an overview of how your personal data may be processed and is by no means exhaustive – please see below for information on how specific types of personal data are collected, processed and shared. 

Categories of Personal Information Collected 

We collect only the minimum amount of personal data necessary to provide and improve our services. We collect the following categories of personal information from users: 

  1. Identifiers – Such as your full name, display name, email address, phone number (for two-factor authentication “2FA”), date of birth, and country of residence. 

  2. Protected Classifications – Such as your ethnic origin and sex assigned at birth. 

  3. Health Data – Such as details regarding your medical history, symptoms, surgery, breast cancer treatments, and uploaded clinical documents or images. 

  4. Internet or Network Activity – Such as interactions with the app, pages visited, and features used. 

  5. Community Data – Such as discussion topics you engage in, messages within group conversations, and participation in live sessions. 

  6. Inferences – Such as insights derived from your health data to provide tailored recommendations and support. 

Below, we have tried to provide you with as much information as we possibly can to explain how your personal data may be used. This means there is a lot of information on this page so we have split this information into sections, enabling you to find the information that you are most interested in or the information that is most relevant to you. 

You may contact us by: 

  • emailing us at app@plexaa.com; or 

  • writing to us at 20-22 Wenlock Road, London, Greater London N1 7GU, United Kingdom. 

Purposes and Legal Bases for Processing 
We process your personal data for the following purposes and under the following legal bases: 

  • To provide our services – including creating and managing your account (Article 6(1)(b) – performance of a contract). 

  • To improve our app – by analyzing usage patterns (Article 6(1)(f) – legitimate interests). 

  • To communicate with you – such as sending updates or responding to support queries (Article 6(1)(b) or (f)). 

  • To comply with legal obligations – such as fraud prevention and record-keeping (Article 6(1)(c)). 

  • With your consent – for specific uses such as newsletters or optional features (Article 6(1)(a)). 

How is your data processed to enable you to access the app? 

Data collected directly from you 

We obtain the following personal data directly from you: 

  • your full name; 

  • your display name; 

  • a valid email address; 

  • your phone number (used for two-factor authentication “2FA” when you log in); 

  • your date of birth; 

  • your ethnic origin; 

  • your sex assigned at birth; and 

  • your country of residence. 

We refer to this information as the “access data”. 

How long is access data kept for?      

We retain your access data for up to 7 years after the date on which your membership account is closed, unless you request deletion earlier under your CCPA rights, subject to legal exceptions. 

How do we use your access data? 

We use your access data to log you in to the app and to verify that you are a real person.  Our legal basis for processing this data is contractual necessity. Without this processing we wouldn’t be able to authorise you to access and use the app. 

Mobile Number Usage: We collect your mobile number solely for the purpose of providing two-factor authentication to secure your account. Your mobile number will not be used for any other purpose or shared with third parties. This information is stored securely and is only used to help verify your identity and protect your account. By providing your mobile number, you consent to its use for this purpose only. 

How is your data processed to provide health information and support? 

Where do we obtain your health data from? 

When you first register for the app and at various points after that, we will ask you to provide health data and complete questionnaires about your surgery and medical history. This includes questions about your symptoms, surgery procedure, breast cancer treatments, and health background. You can update your answers at any time via the app. You also have the option of uploading personal images and clinical documents for your personal use only, which are protected by iOS/Android biometric authentication. We refer to the personal data above as “health data”. 

Sensitive Personal Information 

Some of the personal data we collect, including details about your health, medical history, and ethnicity, is classified as Sensitive Personal Information under applicable privacy laws, including the California Consumer Privacy Act (CCPA). We collect and process this information solely for the purpose of providing you with personalised health information, tracking symptoms, and improving our services. 

We do not use or disclose Sensitive Personal Information for any purposes beyond what is necessary to operate the app, provide support, and comply with legal obligations. Our legal basis for processing this data is your explicit consent, which you can withdraw at any time by contacting us or deleting the app. 

How long is your health data kept for? 

We retain all your health data for up to 7 years after the date on which your membership account is closed, after which it will either be deleted or anonymized, unless you request deletion earlier under your CCPA rights, subject to legal exceptions. 

How do we use your health data? 

We use your health data to provide you with tailored health information and support, and so that it can be used in the generation of your symptoms tracker report.  

Our legal basis for processing this data is your consent, which you can withdraw at any time by notifying us using the contact details contained in the “Your rights and how to exercise them” below, and deleting the app.  As the data involved relates to your health, then we shall ensure that any such consent obtained is explicit consent.   

Please note that without your consent to do this, we will be unable to offer you access to the app.  This is because your health data is necessary for us to provide the support and information. 

How is your data processed to allow you to participate in our community? 

Where do we obtain your community data from? 

Once you have registered to use the app, you may choose to engage in group conversations, propose new discussion topics, and join live sessions with expert speakers. By engaging with our community, you agree to share your username with other members of the community on the app. We refer to this personal data below as “community data”. 

How long is your community data kept for? 

We retain all your community data for up to 7 years after the date on which your membership account is closed, after which it will either be deleted or anonymized, unless you request deletion earlier under your CCPA rights, subject to legal exceptions. 

How do we use your community data? 

We store your community data on the app and will display the community data that you have chosen to share to other members of the community. 

Our legal basis for processing this data is your consent, which you can withdraw at any time by notifying us using the contact details contained in the “Your rights and how to exercise them” below, and deleting the app.  By sharing within the community you are making your shared health data public. 

How is your data processed to allow anonymised statistics to be shared with others? 

We also use your health data and in-app questionnaire data to generate anonymous statistics that may then be used by us and shared with third parties for research purposes. This means that your health data and in-app questionnaire data may be used to generate statistics, but you won’t be identifiable from that data. Our legal basis for processing this data is consent, which you can withdraw at any time by notifying us using the contact details contained in the “Your rights and how to exercise them” section below, and deleting the app. As the data involved relates to your health, we shall ensure that any such consent obtained is explicit consent. 

How is your data processed to enable us to send you information about the app, our company, and the development of the app? 

We will use your access data (see the “How is your data processed to enable you to access the app” section above for more details as to what this data is) to contact you and provide you with information about our activities and developments and improvements to the app.  We do so on the basis of our legitimate interests in keeping you up-to-date with changes in our business and products.  In doing so, we will offer you an opportunity to refuse marketing when your details are first collected and in subsequent messages. 

Who do we share personal data with? 

Internally, we only grant access to personal data to those people that need access to that data to carry out their role. 

Externally, we may share from time to time personal data with the following categories of recipients: 

  • our service providers, for instance: 

      • the companies that manage our IT infrastructure; 

      • companies that provide us with cloud based IT systems; and 

      • our external advisors, for instance IT consultants, accountants and lawyers. 

  • where we share personal data with service providers we will always ensure that the service provider is committed contractually to only use personal data in compliance with our instructions and data protection law; 

  • your personal data will only be shared for the purposes previously described with those parties that have entered into legally binding contracts that contain obligations that protect the security of your data; 

  • our regulators, law enforcement, intelligence services and other government authorities, where they require us to do so; and 

  • potential buyers of or investors in our business where necessary in connection with a due diligence exercise. 

Data Security and Storage

We implement industry-standard security measures to protect your personal data. All communications between the app and our servers are encrypted using SSL (Secure Sockets Layer) to ensure the secure transmission of personally identifiable data. Additionally, personal data is securely stored in a PostgreSQL database operated by Heroku. Heroku's infrastructure complies with recognised industry security standards and certifications. For more information, please refer to Heroku’s Security Policy: https://www.heroku.com/policy/security.

Data Selling and Sharing 

We do not sell personal data for monetary compensation. However, we may share certain data with third parties for purposes such as research, analytics, or advertising, in line with applicable laws and privacy regulations. 

All third-party service providers must comply with strict contractual obligations that limit their use of personal data to our specified purposes, in compliance with the CCPA and CPRA. 

For California residents, under the CCPA and CPRA, you have the right to opt-out of any sharing of your personal information for targeted advertising or analytics purposes. If you wish to opt out, please contact us at app@plexaa.com. 

We ensure that any data shared with third parties is either anonymised or subject to strict contractual agreements to protect your privacy. 


Transfers of personal data outside of the European Economic Area (EEA) 

The EEA is a group of countries that share the same basic data protection law, and therefore the law assumes that where your personal data is transferred between these countries it enjoys a similar level of protection. 

We generally store and process personal data inside the EEA. 

However, in some circumstances the third parties who assist us in providing the services (suppliers) may transfer personal data outside the EEA. 

Where suppliers do so, we require our suppliers to do so in compliance with UK data protection laws, typically requiring them to enter into standard contractual clauses approved by the European Union as providing equivalent protection to what would be in place had the personal data remained in the EEA. 

We can provide more information on the non-EEA countries to which we transfer your personal data on request. 

Plexaa declares that data have been and will be collected and processed in accordance with the General Data Protection Regulation (EU) 2016/679 (GDPR) on the protection of natural persons with regards to the processing of personal data and on the free movement of such data. 

Your rights and how to exercise them 

The law gives you certain rights in respect of the personal data that we hold about you.  Below is a short overview of those rights (for more information about the rights you have in respect of your personal data please visit the Information Commissioner’s Office website: www.ico.org.uk). 

  • Access

With some exceptions designed to protect the rights of others, you have the right to a copy of the personal data that we hold about you. 

Access to the personal data we hold on you is free of charge; however, we may make a reasonable charge for additional copies of that data beyond the first copy, based on our administrative costs. 

Where you have given us your personal data (i.e. you have input it into the app), you may have the right to receive your copy of this data in a common electronic format. If you wish, we can provide copies of this data to other people, if it is technically feasible to do so. 

  • Correction

You have the right to have the personal data we hold about you corrected if it is factually inaccurate. This right does not extend to matters of opinion. 

  • Deletion

In some limited circumstances, you have the right to have personal data that we hold about you erased (“the right to be forgotten”).  This right is not generally available where we still have a valid legal reason to keep the data (for example, in connection with a legal claim or because we are obliged to do so by law). 

  • Objection

You have the right to object to our processing of your personal data where we rely on “legitimate interests” as our legal basis for processing, but we may be able to continue processing if our interest outweighs your objection. 

  • Opting out of marketing

You have the right to require us to stop using your personal data to send you marketing information. If you want us to stop sending you marketing information, the quickest and most efficient way is to use the provided “unsubscribe” links in our communications (although you can contact us directly if you prefer). 

  • Temporary Restriction

You also have the right in some circumstances to request that temporary restrictions are placed on how we process your personal data, for example if you contest its accuracy or where we are processing it on the basis of our legitimate interest and you contest our assessment that our interest overrides your rights. 

  • Withdrawing Consent 

If we are processing your personal data on the basis of your consent, you have the right to withdraw that consent at any time, in which case we will stop that processing unless we have another legal basis on which to continue. 

Please be advised that in certain circumstances withdrawal of consent to continue processing your personal data may have further impact on your future access to, or benefit from, the service or part of the service. 

To exercise any of your rights, including withdrawing your consent, you can: 

  • email us at app@plexaa.com; or 

  • write to us at 20-22 Wenlock Road, London, Greater London N1 7GU, United Kingdom. 

Please note that in order to protect your privacy, we may ask you to prove your identity before we take any steps in response to a request you have made. 

You may also contact our Data Protection Officer: 
Dr. Phil Griffiths 
Email: sar@thedpo.co.uk 

Plexaa shall endeavour to respond to any requests with regards to the rights of the data subjects without undue delay but in any event within one calendar month. 

We treat the protection of your personal data with the utmost importance, but if you have cause to complain, we would always ask that you contact us first so we can attempt to resolve the matter for you. However, you also have the right to lodge a complaint about our handling of your personal data with the Information Commissioner’s Office. You can contact them on 0303 123 1113 or via their website www.ico.org.uk/make-a-complaint 

California Privacy Rights (CCPA & CPRA) 

California Residents’ Rights (CCPA & CPRA) 

If you are a California resident, you have specific rights regarding your personal data under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA). These include: 

  • Right to Know: You can request details about the personal data we collect, use, disclose, or sell. 

  • Right to Delete: You can request deletion of your personal data, subject to certain legal exceptions. 

  • Right to Opt-Out of Sale or Sharing: We do not sell or share your personal data for monetary gain. However, if we share certain information for targeted advertising, you may opt out by emailing us at app@plexaa.com. 

  • Right to Correct: If your personal data is inaccurate, you have the right to request a correction. 

  • Right to Limit Use of Sensitive Data: If we collect sensitive personal data (such as health data), you can request restrictions on its use. 

  • Non-Discrimination: Exercising your privacy rights will not result in any unfair treatment or discrimination. 

How to Exercise Your California Privacy Rights 

You may submit a request by: 

  • Emailing us at app@plexaa.com

  • Writing to us at: 
    Plexāā Ltd 
    20-22 Wenlock Road, London, Greater London N1 7GU, United Kingdom 

We will verify your request by matching information you provide with the data in our records. If we cannot verify your identity, we may deny your request. 

For more information about your privacy rights under California law, visit the California Attorney General’s website at www.oag.ca.gov/privacy/ccpa. 

Do Not Track and Global Privacy Control 

Some web browsers and devices allow you to send a Do Not Track (DNT) signal or use Global Privacy Control (GPC) to indicate your privacy preferences. Currently, there is no universally accepted standard for recognising and responding to these signals. As a result, we do not respond to DNT or GPC signals at this time. 

However, we respect your privacy choices and provide other ways for you to control the collection and use of your data. You can manage your privacy settings within the app, opt out of marketing communications, and exercise your rights under applicable privacy laws as described in the "California Residents' Rights" and "How to Exercise Your California Privacy Rights" sections. 

Additional information for transparency 

  • Data retention: We retain personal data only as long as necessary to fulfill the purposes we collected it for, including satisfying any legal, accounting, or reporting requirements. Where possible, we define specific retention periods based on the type of data. 

  • Your rights: You have the right to request access to your personal data, request correction or deletion, restrict processing, object to processing, and request data portability. 

  • Withdrawing consent: If we rely on your consent to process personal data, you may withdraw it at any time. This does not affect the lawfulness of any processing carried out before your withdrawal. 

  • Supervisory authority: You have the right to lodge a complaint with a data protection authority if you believe your data is not being handled in accordance with the law. 

  • Automated decision-making: We do not use your personal data for automated decision-making, including profiling, that produces legal effects concerning you or similarly significantly affects you. 

  • Further processing: If we intend to use your personal data for a purpose other than that for which it was collected, we will inform you before that processing takes place. 

Changes to this policy 

We may change this privacy policy at any time. Where we make significant changes, for instance where we use your personal data for materially different purposes, we will email you to let you know. If there are any changes to the purpose for which we collect or use personal data, we will update this Privacy Policy accordingly and, where required by law, obtain your renewed consent before processing your data for the new purpose.