Privacy Policy

v3.0

The Preptrack Foundation takes data privacy seriously. This privacy policy explains who we are, how we collect, retain, disclose and use Personal Information and Special Category Data, and how you can exercise your privacy rights.

Being transparent and providing accessible information to individuals about how an organisation will use their Personal Information is a key element of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. To ensure that we process your Personal Information fairly, lawfully and transparently when using our mobile application or website, we are required by law to provide you with the following information:

  • What information we collect and process about you
  • How we process your Personal Information
  • The purpose of the processing
  • Recipients of your Personal Information
  • How long we retain your Personal Information
  • The lawful bases for processing
  • Your rights – to view, request access copies of your Personal Information, or object to the processing of your Personal Information

We recommend that you read this privacy policy in full to ensure you are fully informed. However, to make it easier for you to review the parts of this privacy policy that apply to you, we have divided up the document into sections that are specifically applicable to Website Visitors (Section 2), App Users (Section 3) and Email Subscribers (Section 4). Sections 1 and 5 are applicable to everyone.

As well as this policy, we recommend that you read the mobile app terms and conditions.

If you have any questions or concerns about our use of your Personal Information, then please contact us using the contact details provided at the end of Section 5.

To the extent we provide you with notice of different or additional privacy policies, those policies will govern such interactions.

1. The Basics

1.1. About us

The Preptrack Foundation is a registered charity (reg. number 1190908) in England and Wales ("we," “us,” “our,” “Preptrack,” “The Preptrack Foundation,” and “The Foundation”).

1.2. Key terms

In this privacy policy, these terms have the following meanings:

App User” means any person who downloads, installs, or uses any of our mobile applications, including but not limited to Preptrack;

controller” means an organisation or person that decides what data is processed. They also decide how and why this needs to be done. They are legally responsible for that data;

Email Subscriber” means someone who has signed up to receive email communications from us for marketing purposes;

Personal Information” means any information that identifies or can be used to identify an individual directly or indirectly. Examples of Personal Information include, but are not limited to, first and last name, email address, gender and sexual identity, or other demographic information;

PrEP” means oral Pre-Exposure Prophylaxis for HIV prevention;

processed” means when data is processed and any action is taken with it. For example, when it is collected or reviewed;

processor” means an organisation or person that processes data under the instruction of the controller. A controller may appoint a processor;

Special Category Data” is Personal Information that has more legal protection, including data about your health.

you” and “your” mean, depending on the context, either an Email Subscriber, Website Visitor or an App User;

Websites” refers to our websites, including but not limited to https://preptrack.co.uk.; and

Website Visitor” means any person who visits our Websites.

2. Privacy for Website Visitors

This section applies to Personal Information that we collect and process when you visit our Websites. In this section, “you” and “your” refer to Website Visitors.

2.1. Personal information we collect

When you visit our Websites, we may collect information about you. We use cookies and other identifiers, and other tracking technologies, to collect this information. Our use of cookies and other tracking technologies is discussed more below and in more detail in our Cookie Statement available here.

We currently collect and process the following information:

  • Device and browser information: We collect information about the device and applications you use to visit our Websites, such as your IP address, your operating system, your browser ID, and other information about your system and connection. We only collect this data if you consent to data collection.
  • Usage data: We collect usage data about your interactions with our Websites, which may include dates and times you visited our Websites and your browsing activities (such as which pages are viewed and for how long). We only collect this data if you consent to data collection.

2.2. Use of Personal Information

We use the Personal Information we have collected in order to provide, support and improve our Websites and other service offerings, and to improve the effectiveness of our advertising and outreach campaigns.

We may share this information with our third-party analytics service provider, “Google Analytics”. For the purposes of the UK GDPR, The Foundation is a Data Controller and the provider of Google Analytics, “Google LLC”, is a Data Processor. Personal Information processed by Google Analytics is also subject to and processed in accordance with the “Google Privacy Policy”, available here. Further information on the way Google LLC processes information from our Websites can be found here.

We may also share this information with our third-party marketing platform provider, “HubSpot”. For the purposes of the UK GDPR, the provider of HubSpot, “HubSpot Inc.”, is a Data Processor. Personal Information processed by HubSpot is also subject to and processed in accordance with the “HubSpot Privacy Policy”, available here.

We may also share this information with our third-party digital advertising provider, “Meta Ads”. For the purposes of the UK GDPR, the provider of Meta Ads, “Meta Platforms, Inc.”, is a Data Processor. Personal Information processed by Meta Ads is also subject to and processed in accordance with the “Meta Privacy Policy”, available here.

In order for the processing of Personal Information and Special Category Data to comply with UK GDPR Article 5 and Sections 86 of the Data Protection Act 2018, it must be fair, lawful and transparent, and must meet at least one of the Article 6 conditions as well as Article 9 (in the case of Special Category Data). Therefore, the processing of the Personal Information for the Website is permitted under UK GDPR, the lawful basis we rely on for processing this information is:

Your consent (Article 6.1(a) and Article 9.2(a) of UK GDPR). We only collect Personal Information about you on our Websites if you explicitly opt-in to this collection through the pop-up banner that appears on first visit to our websites. You are able to remove your consent at any time. You can do this by contacting dpo@preptrack.co.uk or by clearing your browser’s cookies.

2.3. How we store Personal Information

Your information is securely stored by Google Analytics, HubSpot and Meta Ads. We keep information in Google Analytics for a period not exceeding 26 months from receipt of the Personal Information, after which it will be automatically deleted by Google Analytics. Information in HubSpot and Meta Ads may be retained indefinitely.

3. Privacy for App Users

This section applies to Personal Information that we collect and process when you download, install, or use our mobile applications. In this section, “you” and “your” refer to App Users.

When you use our mobile applications, we will collect necessary information about you in order to provide essential functionality. This information is stored securely on your device, and is not accessible to anyone other than you.

Some of the Personal Information we collect is essential for the proper functioning of our mobile applications, and must necessarily be collected when you use the app. We refer to this as “Necessary Personal Information”.

Optionally, we also collect other Personal Information in order to provide, support and improve our mobile applications and other service offerings. We only do this if you consent. We refer to this information as “Personal Information for Analytics”.

3.1. Necessary Personal Information we collect

When you use our mobile applications, we will collect necessary information about you in order to provide essential functionality.

We currently collect and process the following information:

  • Medical and health information: We collect information about your health, in the form of the times and dates of your PrEP doses, and the way you take your PrEP, e.g. whether you take event-based or daily PrEP.
  • Sex life information: We collect information about your sexual practices, such as the times of your sexual activities that you report.
  • Information about you: We collect information about whether you are over 18 years of age.
  • Information about device performance, problems, crashes and bug reports: We collect information about the functioning of our mobile applications, and about when things go wrong, such as when our mobile applications crash, or when you report bugs or other feedback.
  • Information about your notifications preferences: We collect information about whether you have enabled mobile notifications on your device.

3.2. Use of Necessary Personal Information

We use the Necessary Personal Information we have collected in order to provide the essential functionality of our mobile applications. We only collect the minimum amount of Necessary Personal Information that is required to the enable the proper functioning of our mobile applications.

Information about device performance, problems, crashes and bug reports may be shared with our third-party analytics service provider, “Firebase Crashlytics”. For the purposes of the UK GDPR, The Foundation is a Data Controller and the provider of Firebase Crashlytics, “Google LLC”, is a Data Processor. Personal Information processed by Firebase Crashlytics is also subject to and processed in accordance with the “Terms of Service for Firebase Services”, available here. Further information on the way Firebase Crashlytics processes information can be found here.

Information when you report a bug or send us feedback may be shared with our third-party bug reporting service provider, “Instabug”. The provider of Instabug, “Instabug Inc”, is a Data Processor. Personal Information processed by Instabug is also subject to and processed in accordance with the “Instabug Privacy Policy”, available here.

Information about your notifications preferences may be shared with our third-party notifications service provider, “OneSignal”. The provider of OneSignal, “OneSignal, Inc.”, is a Data Processor. Personal Information processed by OneSignal is also subject to and processed in accordance with the “OneSignal Privacy Policy”, available here.

Under the UK GDPR, the lawful basis we rely on for processing this information is:

Legitimate Interests. We only collect Necessary Personal Information about you in our mobile applications in order to provide our services to support PrEP use.

Some of the information we collect is Special Category Data, including your medical and health information and information about your sex life. Under the UK GDPR, the Article 9 condition we rely on for processing this information is:

Not-for-profit bodies. The Preptrack Foundation, as a registered charity in England and Wales, is a not-for-profit body, and we only use this information to serve our beneficiaries through the provision of essential services.

3.3. How we store Necessary Personal Information

Your medical and health information, your sex life information and information about you is securely stored on your device, and is not accessible to anyone other than you. We keep this Personal Information until you uninstall the mobile application from your device.

Information about device performance, problems and crashes is securely stored by Firebase Crashlytics and will be automatically removed after 90 days.

Information about bug reports and feedback is securely stored by InstaBug and will be automatically removed after one month.

Information about notifications is securely stored by OneSignal and will be automatically removed after 30 days.

3.4. Personal Information we collect for Analytics

When you use our mobile applications, we may collect information about you. We use identifiers and other tracking technologies to collect this information.

We currently collect and process the following information:

  • Device information: We collect information about the device you use to access our mobile applications, such as, your IP address, your operating system, and other information about your system and connection.
  • Usage data: We collect usage data about your interactions with our mobile applications, which may include dates and times you used our mobile applications and your activities (such as what parts of the app are viewed and for how long).

3.5. Use of Personal Information for Analytics

We use the Personal Information for Analytics we have collected in order to provide, support and improve our mobile applications and other service offerings.

We may share this information with our third-party analytics service providers, “Google Analytics”. For the purposes of the UK GDPR, The Foundation is a Data Controller and the provider of Google Analytics, “Google LLC”, is a Data Processor. Personal Information processed by Google Analytics is also subject to and processed in accordance with the “Google Privacy Policy”, available here. Further information on the way Google LLC processes information from our mobile applications can be found here.

If you are an alpha or beta tester, we may receive information about your usage of our mobile applications through “TestFlight”. This information will relate to when our mobile applications crash, or when you provide feedback about our mobile applications. For the purposes of the UK GDPR, The Foundation is a Data Controller and the provider of TestFlight, “Apple Inc.”, is a Data Processor. Personal Information processed by TestFlight is also subject to and processed in accordance with the “Apple Privacy Policy”, available here, and the “TestFlight Terms of Service”, available here. Further information on the way TestFlight processes information from our mobile applications can be found here.

In order for the processing of Personal Information and Special Category Data to comply with UK GDPR Article 5 and Sections 86 of the Data Protection Act 2018, it must be fair, lawful and transparent, and must meet at least one of the Article 6 conditions as well as Article 9 (in the case of Special Category Data). Therefore, the processing of the Personal Information for our mobile application is permitted under UK GDPR, the lawful basis we rely on for processing this information is:

Your consent (Article 6.1(a) and Article 9.2(a) of UK GDPR). We only collect Personal Information for Analytics about you on our mobile applications if you explicitly opt-in to this collection. You are able to remove your consent at any time. You can do this by contacting dpo@preptrack.co.uk or changing your privacy settings in the mobile application.

3.6. How we store Personal Information for Analytics

Your information is securely stored by Google Analytics. We keep this Personal Information for at most 26 months, after which it will be automatically deleted by Google Analytics.

If you are an alpha or beta tester, information regarding crashes and feedback is securely stored by TestFlight. We keep this information for at most 1 year, after which it will be automatically deleted by TestFlight.

4. Privacy for Email Subscribers

This section applies to Personal Information that we collect and process when you sign up to receive email communications from us for marketing purposes. In this section, “you” and “your” refer to Email Subscribers.

4.1. Personal information we collect

When you sign up to receive email communications from us, or when you open and read one of our emails, we may collect information about you. We use cookies and other identifiers, and other tracking technologies, to collect this information. Our use of cookies and other tracking technologies is discussed more below and in more detail in our Cookie Statement available here.

We currently collect and process the following information:

  • Email address, name and organisational affiliations: We collect your email address to be able to contact you, and your name and organisational affiliations to be able to address you appropriately and communicate more effectively.
  • Device and browser information: We collect information about the device and applications you use to visit our email subscription forms and to open and read our emails, such as your IP address, your operating system, your browser ID, and other information about your system and connection.
  • Usage data: We collect usage data about your interactions with our emails, which may include dates and times you open or read our emails, and any links you may have clicked.

4.2. Use of Personal Information

We use the Personal Information we have collected in order to provide, support and improve our email communications and other service offerings.

This information is collected on our behalf by our third-party email marketing provider, “Mailchimp”. For the purposes of the UK GDPR, The Foundation is a Data Controller and the provider of Mailchimp, “Intuit Inc.”, is a Data Processor. Personal Information processed by Mailchimp is also subject to and processed in accordance with the “Intuit Global Privacy Statement”, available here, and the “Intuit Data Processing Addendum”, available here.

Under the UK GDPR, the lawful basis we rely on for processing this information is:

Legitimate Interests. We only ever communicate with you via email if you have explicitly signed up for email communications using one of our online forms. You may stop receiving email communications at any time by clicking the “Unsubscribe” link the footer of any of our emails, or by contacting dpo@preptrack.co.uk.

4.3. How we store Personal Information

Your information is securely stored by Mailchimp, a part of Intuit Inc.

5. General Information

5.1. Your data protection rights

You have a number of important legal rights regarding the manner in which personal data relating to you is used. You can find more information about your rights on the Information Commissioner’s Office website.

We have outlined below the key rights which we believe may be relevant to your use of the Website and App.

If you would like to exercise any of these rights then please contact us using the contact information provided below. Please note that you may be asked to provide us with reasonable proof of your identity so that we can be sure that we are discussing or providing your personal data with, or to, you (or if someone is making a request on your behalf, we need to check that they have the authority to do so).

Your right of access

You have the right to ask us for copies of your Personal Information.

Your right to rectification

You have the right to ask us to rectify your Personal Information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure

You have the right to ask us to erase your Personal Information in certain circumstances.

Your right to restriction of processing

You have the right to ask us to restrict the processing of your Personal Information in certain circumstances.

Your right to object to processing

You have the right to object to the processing of your Personal Information in certain circumstances.

Your right to data portability

You have the right to request the data which you provided to us (not data generated by us) in a structured, commonly used machine-readable format. Your right to portability shall apply only where:

  • data is processed by automated means, and
  • you provided consent to the processing or,
  • the processing is necessary for the fulfilment of a contract.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Please contact us at dpo@preptrack.co.uk if you wish to make a request.

5.2. How to contact us

If you have questions, comments, or requests, you can contact us as at:

Contact details

The Preptrack Foundation Unit 50345 PO Box 6945 London W1A 6US

Email: dpo@preptrack.co.uk

Website: https://preptrack.co.uk

5.3. How to complain

If you have any concerns about our use of your personal information, you can make a complaint to us at dpo@preptrack.co.uk or using the contact details above.

You can also complain to the Information Commissioner’s Office (ICO) at any time at any about our processing of your Personal Information. The ICO is the UK regulator for data protection and upholds information rights. The ICO’s contact details:

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

ICO website: https://www.ico.org.uk

5.4. Changes to this policy

The terms of this privacy policy may change from time to time. You should check this privacy policy frequently to see recent changes. Your continued use of the App will be an acknowledgement of our updated privacy policy.