Protecting your privacy is our number one priority
Welcome to The Good Mood Co, where we strive to provide a safe and secure platform for our users to access sensitive health information. We understand the importance of protecting your privacy and the confidentiality of your personal health data. This privacy policy outlines our commitment to safeguarding your information and ensuring that it is used only for the purposes for which you have provided it. We take the responsibility of handling your health data very seriously, and we are committed to complying with all applicable privacy laws and regulations. We encourage you to read this privacy policy carefully to understand how we collect, use, and protect your personal information.
Privacy Policy
Date of Implementation: Valid from 1st July 2024
Thank You for visiting the website "https://www.thegoodmoodco.com/" (hereinafter referred to as "Website") run and managed by the company The Good Mood Co Limited located at 66 Hatton Garden, London EC1N 8LE, UK (hereinafter referred to as "the Company"). Before using the Website as a User / Visitor / Customer (hereinafter referred to as "User", "You", "Your") please read this Privacy Policy carefully (hereinafter "Policy").
1. INTRODUCTION
The Company is committed to collecting and processing Your personal data in accordance with the provisions of Regulation (EU) 2016/679 (hereinafter referred to as "GDPR"). The Company as Data Controller informs You on the way it collects and processes information about You in accordance with all applicable European and national laws concerning personal data.
Personal Data is any information relating to natural persons whose identity is known or can be identified (hereinafter referred to as "Personal Data").
Special Categories of Personal Data refer to specific types of Personal Data that require higher levels of protection due to their sensitive nature such as health data (hereinafter referred to as "Sensitive Data").
Protecting Your Personal Data is very important for the Company, which takes steps to this end.
This Policy sets out the kind of information that our Company may collect from You and informs You on how we use this information. When You voluntarily provide us with personal information, such as Your name, address, or email address, we use this information in strict confidence. Subject to the specific provisions of this Policy, no Personal Data is rented, sold, publicly posted or disclosed to other companies, organizations or websites.
This Policy applies to the collection and use of Your Personal Data by the Company.
2. WHICH CATEGORIES OF PERSONAL DATA DO WE COLLECT FROM YOU, HOW THE PERSONAL DATA ARE COLLECTED AND FOR WHAT PURPOSES.
The tables at the bottom of this page summarise the categories of Personal Data that we collect from You, the sources for those Personal Data, the purposes for which the information is collected and the categories of third parties with whom the information may be shared, as permitted by law.
3. TRANSFERS OF PERSONAL DATA TO COUNTRIES OUTSIDE THE EU AND EEA
We may transfer your Personal Data to countries outside the European Union (EU) and European Economic Area (EEA) in order to provide you with our services. When doing so, we ensure that your Personal Data receives an adequate level of protection and that the transfer complies with the GDPR. Whenever we transfer your Personal Data to countries that the European Commission has recognized as providing an adequate level of data protection, we rely on these adequacy decisions. For transfers to countries without an adequacy decision, we use Standard Contractual Clauses approved by the European Commission. These clauses provide appropriate safeguards for Your Personal Data.
4. INFORMATION SECURITY & STORAGE
The Company uses commercially reasonable administrative, technical, personnel-related, and physical security measures designed to safeguard the Personal Data in our possession against loss, theft and unauthorized use, disclosure, or modification.
Examples of such measures include:
TECHNICAL MEASURES
- Cloud Security Protocols: Strict selection of cloud service providers that comply with leading security standards such as ISO/IEC 27001, SOC 2, and GDPR.
- Encryption: Advanced encryption protocols (AES-256) for data at rest and in transit.
- Access Controls: Strict role-based access controls and multi-factor authentication.
- Security Audits: Regular security audits and penetration testing.
- Intrusion Detection: Intrusion detection and prevention systems.
- Backups: Automated backups with secure off-site storage.
- Firewalls and Anti-Malware: Virtual firewalls and anti-malware protection.
ORGANIZATIONAL MEASURES
- Data Protection Policies: Comprehensive data protection policies regularly updated to align with regulatory requirements and industry best practices.
- Employee Training: Ongoing training programs to ensure employees are aware of data protection obligations and security best practices.
- Incident Response Plan: A structured incident response plan to manage and mitigate data breaches or security incidents.
- Regular Audits: Periodic audits and compliance checks to ensure adherence to data protection policies and regulatory requirements.
- Vendor Risk Management: Thorough due diligence and risk assessments for all third-party vendors and service providers handling personal data.
Your Personal Data, including Sensitive Data and any other data you provide to us, is stored securely on cloud-based servers. We do not use physical data centers for storing your data. We utilize reputable third-party cloud service providers to host and manage your data. These providers are carefully selected based on their robust security measures and compliance with GDPR and any other relevant data protection laws and regulations.
5. RETENTION PERIOD
We retain Your Personal Data both in physical and electronic form, for the period required to perform and complete the purposes stated above, including complying with legal, accounting or information requirements, and fulfilling, to the extent possible, Your needs. More specifically, we will keep Your Personal Data:
- If You send us an e-mail at contact@thegoodmoodco.com submitting a request, or if You submit a request through Company’s contact form, Your Personal Data is retained for as long as it is required to address Your request.
- For information submitted for the registration to our services through the Website, the data will be retained for the duration of the User’s active account. If an account becomes inactive, this information will be retained for an additional two years. In cases where a User requests the deletion of their account, the Personal Data will be deleted within thirty (30) days, unless there is a legal requirement to retain it for a longer period.
- Health data derived from home tests and blood draws, including test results, diagnostic information, consultation notes and health assessments, will be retained for a minimum of ten (10) years from the date of the last interaction with the User or data entry or from the date of account deactivation. This retention period ensures that the platform remains compliant with applicable laws and medical record-keeping standards and is able to address any future legal or regulatory inquiries. As regards accounts that become inactive, health data will be retained for ten (10) years after the last User interaction. Should a User request the deletion of their health data, it will be deleted within thirty (30) days unless retention is mandated by legal obligations.
- Administrative and financial records, including billing information, payment records, transaction history, and audit logs, will be retained for ten (10) years to comply with financial and administrative regulations.
- Marketing and communication data, such as email addresses, communication preferences, and records of marketing consent, will be retained as long as the User has provided active consent to receive marketing communications. If a User withdraws their consent, this data will be deleted immediately. If a User’s consent for marketing communications becomes inactive or is not renewed, the relevant data will be retained for a period of 15 days from the date the consent became inactive or expired. During this 15-day period, the user will receive notifications reminding them to renew their consent. If the User fails to renew their consent within the 15-day notification period, all marketing and communication data associated with the User will be permanently deleted from our records.
Please note that if there is a pending legal dispute between us that goes beyond the aforementioned retention periods, we will keep Your data until issuance of a final court decision. After the retention period expires, Your Personal Data is permanently removed from the Company's records and information systems or we anonymise it so You can no longer be identified.
6. YOUR RIGHTS REGARDING THE PROCESSING OF YOUR PERSONAL DATA
Whenever we process Personal Data concerning You, we take reasonable steps to ensure that Your Personal Data is kept accurate and up to date for the purposes for which it was collected.
Under GDPR (Articles 12 to 22), You have the following rights:
- Request a copy of Your Personal Data;
- Withdraw Your consent when this is the legal basis for the processing of Your Personal Data;
- Request the deletion of the Personal Data You have provided, subject to any restrictions provided by applicable law;
- Subject to applicable law, ask for restriction of processing;
- Request the portability of Your Personal Data;
- Object to the processing of Your Personal Data.
To exercise the above rights, You may contact us at the following e-mail: contact@thegoodmoodco.com or by post or in person at The Good Mood Co UG, ℅ Eterno Frankfurt GmbH, Bockenheimer Landstr. 33-35, 60325 Frankfurt am Main. Where You exercise one or more of the above rights, we will take all reasonable steps to satisfy Your request within a reasonable time, but not later than one (1) month from receipt of the request. The above timeline may be extended by two (2) further months, taking into account the complexity and number of the requests. The Company may retain the minimum Personal Data as regards Your request, necessary to safeguard its legitimate interests.
Taking into account the circumstances and the nature of Your request, we may not be allowed to give You access to Personal Data or otherwise fully comply with Your request, for example, when the exercise of Your request may reveal the identity of another person. We reserve the right to charge the appropriate administrative fee to fulfill Your request, where permitted by applicable law, and / or to refuse Your request in cases where such request is unfounded, excessive or otherwise unacceptable in accordance with applicable legislation.
Finally, each User has the right to ask the Company about the way their Personal Data is being processed and protected, and if they consider that any of their rights have been infringed, they have the right to file a complaint with the Federal Commissioner for Data Protection and Freedom of Information (BfDI) (https://www.bfdi.bund.de/EN/Home/home_node.html).
7. OUR CHILDREN’S POLICY
We are committed to protecting the privacy of children. You should be aware that this Website's content and services are not intended for, or designed to be addressed to, visitors/users under the age of 18. No Personal Data should be submitted to the Company through the Website by visitors who are younger than 18 years old. If it comes to our attention that a User of this Website who is under 18 years old has volunteered Personal Data and/or Sensitive Data without the given or authorized consent of the holder of parental responsibility over such child, we will promptly, upon relevant notification or request, delete such Personal Data in accordance with our deletion policy.
8. SOCIAL MEDIA SHARE BUTTON
The Company has official social media accounts, specifically on LinkedIn, Instagram, TikTok and Facebook. On its website, the Company incorporates an additional social media share button for Instagram, inviting Website visitors and users to follow the Company in the respective social media (follow/like) as well as upload posts and comments. During Your use of the social media we may collect certain Personal Data (such as Your profile data in the corresponding medium).
Based on European Court of Justice case-law, the Company is considered a Joint Controller for processing Your data together with each social medium. Within this context, the Company has posted a link to this Privacy Policy on an easily accessible spot on each corporate social media account and it strictly complies with the obligations relating to the protection of Personal Data by taking the appropriate technical and organisational measures (such as limiting the number of people with access to corporate social media accounts) in order to ensure the safe processing of data.
The purpose of the data processing is to make visible and promote the Company's image and services, to provide updates or to communicate with you, responding to the messages/comments You send us.
The legal basis for processing is Your consent, which You provide when You actively click on the social media share button, the “like” or “follow” button on the Company's social media. You can withdraw Your consent at any time in the same manner in which You provided it, i.e. by clicking “unlike” or “unfollow”.
The Company is not responsible for how each social medium processes Your data and it is Your responsibility to be informed about it by reviewing the respective Privacy Policy of each social medium.
Finally, while the Company wishes and encourages Users to comment on posts and/or pages it maintains on social media, it informs Users that any post or comment uploaded should respect the basic rules of politeness, decency and respect for different views, ensuring a safe online environment. The Company will remove any content deemed to violate the Terms of Service of the Website, such as insulting, pornographic, or threatening content or content violating intellectual property rights, and may block Users who violate these terms. In any case, if You consider that content posted on the Company's official social media accounts violates the Terms of Service, please contact us immediately.
9. CalOPPA DO-NOT-TRACK NOTICE
Company does not track its Users over time and across third party websites and therefore does not respond to Do Not Track (DNT) signals. Company does not authorize third parties to collect Personal Data directly from our Users on our Website, such as through the use of third party advertisements.
10. PRIVACY POLICY UPDATES
Company may, at any time, revise this Policy by updating this posting. Please check the Date of Implementation of the Policy at the top of the Policy to see when it was last updated. The updated privacy policy will become effective as soon as it is published at the Website.
If we make substantive changes to this Policy that broaden our rights to use the Personal Data that we have already collected from you, we will inform You and provide You with a choice for the future use of these data.