Privacy Policy
Effective date: April 29, 2025
Introduction
Spectrum.Life (“Spectrum.Life”, “we”, “us”, or “our”) respects your right to privacy and the confidentiality of your personal information. This overarching Privacy Notice explains how we collect, use, store, and protect your personal data across all Spectrum.Life services. It has been updated to reflect our expanded services and the latest regulatory requirements as of 2025 (including compliance with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the EU-U.S. Data Privacy Framework, the EU Network and Information Security Directive (NIS2), the EU Digital Services Act, and considerations for health app and AI data handling regulations). We strive to use plain English while maintaining legal robustness.
This Notice is addressed to all individuals outside our organisation with whom we interact, including users of our services provided via their employer, educational institution, or insurance providers, as well as visitors to our websites and mobile applications, customers, vendors, and partners (together, “you”). By using any of our services, you acknowledge the terms of this Privacy Notice.
Information About Us
Spectrum Wellness Limited (trading as Spectrum.Life) and Spectrum Wellness UK Limited are responsible for the processing of your personal information, depending on where you are based.
- If you are based in Ireland, the Data Controller of your personal information is Spectrum Wellness Limited (Company Registration No. 555787), with its registered office at 95 Merrion Square, Dublin 2, Ireland.
- If you are based in the United Kingdom, the Data Controller is Spectrum Wellness UK Limited (Company Registration No. 10670700), with its registered office at Habib House, 9 Stevenson Square, Manchester, M1 1DB, United Kingdom.
Spectrum.Life determines the purposes and means of processing your personal data (the “data controller”) for the services we provide. In certain instances – for example, where we deliver services on behalf of a client organisation – we may act as a data processor, processing your personal data strictly under the client’s instructions, with the client organisation acting as the data controller.
For any privacy-related queries or to exercise your data protection rights, you can contact our Data Protection Officer (DPO) at:
- Email: gdprspectrumlife@spectrum.life
- Postal Address: Data Protection Officer, Spectrum Wellness Limited, 95 Merrion Square, Dublin 2, Ireland.
If you are based in Ireland, you have the right to lodge a complaint with the Data Protection Commission (DPC), whose contact details are available at www.dataprotection.ie.
If you are based in the United Kingdom, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), whose contact details are available at www.ico.org.uk.
Services Covered by This Notice
Spectrum.Life provides a range of health and wellbeing services. This Privacy Notice applies to all Spectrum.Life offerings, including, but not limited to:
- Employee Assistance Programme (EAP) – workplace wellbeing and counselling services for employees.
- Student Assistance Programme (SAP) – counselling and support services for students.
- Coaching Services – wellbeing, life, or health coaching programs.
- Clinical Services – clinical counselling, therapy, or other health-related services delivered by professionals.
- Workshops and Training – wellness workshops, webinars, and educational sessions.
- Wellbeing Content – articles, videos, and other informational content provided through our platform.
- Spectrum.Life Mobile App – our mobile application through which many of the above services are accessed.
- Spectrum.Life Web Platform – our websites and web application portals for accessing services and content.
- Any Future Services – new programs or digital services we may introduce in the future as part of Spectrum.Life’s offerings.
No matter which service you use, this Notice will apply to the handling of your personal data within that service. Specific details or highlights for certain services or client sectors are noted in this Notice to ensure clarity (for example, additional notes for those using our services through a workplace, educational institution, or insurance provider).
Personal Data We Collect
We only collect the personal data that we need to provide our services and to comply with legal or contractual obligations. The types of personal data we may collect and process include:
- Identity Data: Information that identifies you, such as your name, date of birth, gender, and the organisation you are associated with (e.g. your employer or college).
- Contact Data: How we can reach you, including your email address, phone number, and postal address.
- Health and Wellbeing Data: Information related to your health or wellbeing provided in the context of our services. This may include medical or psychological information you share during clinical sessions or assessments, wellness program data (e.g. fitness activity, nutrition or sleep information if you choose to record them), or results of any clinical assessments/questionnaires. (This type of data is considered “special category” data under GDPR, and we take extra care to protect it, as explained below.)
- Technical Data: Information automatically collected about your device and usage of our digital services. This includes IP address, device type, operating system version, browser type, unique device identifiers, and usage logs or analytics information about how you navigate through our app or website.
- Usage Data: Data about how you use our services, such as which features you use, pages or content viewed, clicks and scrolling information, time spent, and crash or error reports. This helps us understand engagement and improve our platform.
- Transaction Data: If payments are involved (for example, purchasing a service or processing an insurance-related fee), we collect data needed for billing and payments, such as payment card details or bank information. Payments are processed securely via accredited payment processors (e.g. Stripe), and we do not store full financial account numbers except as needed for records.
- Communication Data: Content of communications you send to us or through our services. This includes emails, chat messages or texts to our support team, feedback or survey responses, and any messages or posts you make on our forums or community features.
- Profile Data: Information you provide to set up an account profile on our app or platform, such as username, profile photo, interests, and preferences (for example, your preferred well-being topics or goals).
- Cookies and Tracking Data: Data collected through cookies, pixels, and similar technologies when you use our websites or app. Cookies are small text files that websites or apps store on your device to remember your preferences and track your activity. We use cookies and similar tools to enhance your user experience (for example, keeping you logged in, remembering preferences), to analyse usage of our site, and for marketing purposes (detailed more in Cookies and Tracking Technologies below).
Additional context about specific data collection: Different Spectrum.Life services might collect additional data particular to that service: for instance, if you engage in a coaching program, we might collect information about your personal goals and progress; if you attend a workshop, we may record your attendance and any feedback or queries you submit; if you use our clinical counselling services, therapists might record session notes or outcomes which form part of your confidential clinical record. We will always inform you at the point of collection what information is required for a given service and what is optional.
How We Collect Your Data
We collect personal data through several channels:
- Direct interactions: You may give us your data by filling in forms or by corresponding with us via phone, email, chat or during sessions. For example, when you sign up for an account, fill out a well-being assessment, enter details for a coaching session, or contact customer support, you are directly providing personal data.
- Through your use of our Services: As you use our mobile app or web platform, we collect technical and usage data automatically. This is done through cookies and similar tracking technologies, and through app analytics tools that record events like logins, button clicks, or errors. (See Mobile App and Web Platform Data below for more specifics.)
- Third parties and integrated partners: We may receive personal data about you from third-party sources. For example, your employer, college, or insurer might provide us with your name and contact details to enable us to offer our services to you under their sponsorship. We may also receive data from healthcare providers or referral partners (for example, if a general practitioner or a student support office refers you to our services, they might share relevant background information with us, with your consent). Additionally, if you choose to integrate third-party apps or devices with Spectrum.Life (such as syncing a fitness tracker or wearable device), we will receive certain data from those third parties based on what you have authorised (e.g. your step count from a connected Fitbit account).
Data Collected via Our Mobile App
Our Spectrum.Life mobile application allows you to access services on the go. In addition to the categories listed above, the mobile app may collect certain data specific to mobile devices:
- It may request access to device features such as your camera or microphone — for example, if you opt to upload a profile picture, scan a document, or participate in a video counselling session or voice call through the app. These features are entirely optional and will prompt you for permission. If you grant permission, the camera or microphone will only be used for the specific functionality (e.g. capturing your photo or enabling a video session) and not for other purposes.
- The app collects device identifiers and mobile network information (such as a device ID, device model, operating system, and push notification token) to ensure the app functions properly and to send you notifications if you have enabled them. Push notifications may be used to remind you of upcoming sessions, share wellbeing tips, or alert you to new content. You can control push notifications in your device settings.
- If you use location-based features (for example, if in the future our app offers to find nearby wellness resources or events), we would collect geolocation data, but currently our services do not require or track precise GPS location. If that changes, we will ask for your consent to access location data.
- The mobile app uses analytics to track how users engage with it (e.g., which screens are most visited, where users encounter errors). This helps us improve the app’s usability. These analytics may be provided by third-party SDKs (software development kits) integrated into the app. We ensure any third-party analytics providers do not use the data for their own purposes and comply with appropriate privacy standards.
- If you connect the app with third-party health apps or devices (like syncing data from Apple Health, Google Fit, or Fitbit), we will collect and use that health and activity data only for the purposes of providing you the service (for example, to incorporate your step count into a wellness challenge, or to tailor advice to your activity level), and always with your explicit permission. You can disconnect such integrations at any time in the app settings.
Data Collected via Our Web Platform
When you use our websites or web-based platform, data collection will occur through your interactions and through your browser:
- Forms and web entries: If you sign up or input information on our website (such as registering for a webinar, completing an online wellbeing assessment, or posting on a forum), we collect whatever personal information you enter into the web forms (e.g., your name, email, and any content you post).
- Cookies and similar technologies: Our web platform uses cookies, pixels, and local storage in your browser to collect Technical and Usage Data. For example, we use cookies to keep you logged in as you navigate pages, remember your preferences (like language or font size), and collect analytics on page load times or errors. We also use cookies for marketing and analytics as described in Cookies and Tracking Technologies.
- Web analytics: We use third-party analytics tools (like Google Analytics or similar) on our websites that automatically collect information about your device and browsing actions. This includes data like your IP address, browser type, pages visited, time spent, and referring page. This data is generally aggregated and used to analyse overall usage trends, but it may be associated with your user account if logged in, in order to personalise your experience (for example, recommending content based on what you viewed before).
- Forums and community features: If our web platform includes community forums, chat rooms, or similar interactive features (for instance, allowing you to discuss wellness topics with other users), any content you choose to post will be visible to others in that forum. Please be mindful that if you include personal data in a public post, it becomes available to other users; you should only share information you are comfortable being public. We moderate these forums to uphold community guidelines and the requirements of the EU Digital Services Act (DSA) – for example, we may remove illegal content or personal data posted inappropriately and provide mechanisms for users to report issues – but we are not responsible for voluntary disclosures you make about yourself in these spaces.
How We Use Your Data
We use your personal data for a variety of purposes in connection with providing and improving our services. Below is an overview of the main purposes for which Spectrum.Life processes personal data, with examples:
- To Deliver Services and Manage Your Account: We process data to provide you with the services you have signed up for. This includes using identity and contact information to register your account, authenticate you when you log in, and deliver the specific service (for example, scheduling a counselling session, providing coaching feedback, or granting you access to wellbeing content). If you are using a service provided via your employer, school, or insurer, we use your affiliation info to verify your eligibility.
- To Personalise Your Experience: We may use data like your past activity or provided preferences to tailor the content and recommendations you see. For example, if you consistently engage with fitness-related content on the platform, we might highlight new fitness articles or programs for you. Personalisation improves the relevance of our services to you.
- To Communicate with You: We use contact information (like your email or phone number) to send service-related communications. These include confirmations and reminders (appointment reminders, program updates), announcements of new features or Notice changes, and responses to any inquiries or support requests you send us. If you opt in, we might also send newsletters or wellness tips. (See Marketing Communications below for how we handle promotional messages.)
- To Maintain and Improve Our Services: It’s in our interest and yours that we continually enhance our offerings. We analyse usage data and feedback to debug issues, develop new features, and improve performance and user satisfaction. For instance, we might review app analytics to identify points where users struggle and then simplify that part of the interface. We also use aggregated data to understand trends (e.g., what content is most popular) so we can produce more of what users find valuable. Any analysis for improvement is done in line with our legitimate interests in running a successful service, and we apply measures to protect your privacy (such as aggregating or anonymising data where feasible).
- To Ensure Security and Compliance: We process some data to keep our services and users safe and to meet our legal obligations. This includes using technical data (like IP addresses and logs) to detect and prevent fraudulent or malicious activity on our platforms, and to maintain the security of our network. It also includes using identity and transaction data to comply with legal requirements, such as verifying your identity where required by law or preventing unauthorised use of your account.
- If required, we might use certain data to carry out identity checks, comply with anti-fraud or anti-money laundering rules, or to meet obligations under applicable cybersecurity laws (for example, logging certain activities to comply with NIS2 Directive requirements on incident monitoring).
- For Legal and Contractual Obligations: Sometimes we need to process data to fulfil our contracts with you or with our client (e.g., your employer or school), or to comply with laws. This might involve retaining billing records for financial audits, or sharing information when lawfully required (such as a court order to release information).
- For Marketing (with Consent): Where you have given us consent, we may use your contact details and preferences to send you promotional communications about Spectrum.Life offerings that we think may interest you. This could include new wellness programs, events, or resources we are launching. You have full control over these communications – see Marketing Communications to learn how to opt in or out. We do not sell your information to third parties for their own marketing.
- To Conduct Research and Analytics: With appropriate safeguards, we may use data (often in aggregate or pseudonymized form) to conduct internal research and analytics. For example, we might analyse outcomes across our coaching programs to publish insights on wellbeing (without identifying any individuals), or use usage data to generate statistics that help communicate the value of our services to clients. If we ever use your data for broader research projects that could identify you, we would do so only with your explicit consent or under an appropriate legal basis, and in compliance with applicable research ethics and data protection standards.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason that is compatible with the original purpose and permitted by law. If we need to use your data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so, or seek your consent if required.
Legal Bases for Processing
Spectrum.Life is based in the EU and operates in compliance with the GDPR, which means we must have a valid legal basis to process your personal data. Depending on the specific context, one or more of the following legal bases under GDPR (and equivalent provisions in UK law) will apply:
- Performance of a Contract: Much of our data processing is necessary to perform our contract with you (or with the organisation that provides you access to our services). When you sign up for Spectrum.Life services (whether individually or via a provider like your employer), a contract is formed for us to deliver those services. We need to process your data to fulfil our obligations – for example, using your login details to provide you access, or processing health information you share with a counsellor to provide advice and support. If you refuse to provide data that is necessary to a service (such as identity or contact information), we may not be able to deliver that service.
- Consent: We rely on your consent in certain situations, especially for processing sensitive data and for sending marketing communications. In particular, explicit consent is our primary legal basis for processing your health data or other special category data – we will ask you to agree (for instance, by accepting this Notice and any specific consent forms for clinical services) before we collect or use your health information. Consent is also obtained for optional aspects like integrating a third-party app or receiving our newsletter. You have the right to withdraw your consent at any time (see Your Rights below), and if you do, we will stop the processing that was based on consent. (Note: withdrawing consent does not affect the lawfulness of processing we already carried out when we had your consent.)
- Legitimate Interests: We process certain data as necessary for our legitimate interests, provided those are not overridden by your data protection rights. Our legitimate interests include things like improving and securing our services, understanding how users use our platform, and communicating with our users to ensure a positive experience. For example, it’s in our legitimate interest to use cookies and analytics to improve our web platform’s performance, or to use your email to send you satisfaction surveys after a service interaction. When we rely on this basis, we consider and balance any potential impact on you (both positive and negative) and your rights. We will not use your data for activities where our interests are overridden by the impact on you (for example, we won’t use sensitive personal data under legitimate interests without your consent).
- Legal Obligation: We will process personal data when we need to comply with a legal or regulatory obligation. For instance, data relating to financial transactions may be kept for a minimum period as required by tax law. We may also have to provide information to authorities if required by law (such as compliance with occupational health regulations, or responding to lawful requests in criminal investigations). When processing is necessary for us to meet a legal obligation, this will be done strictly for that purpose.
- Vital Interests: In rare, emergency situations, we may process or share personal data to protect someone’s life or health. For example, if during a counselling session we believe you or someone else is at immediate risk of serious harm, we might need to contact emergency services or a designated emergency contact. GDPR allows this under the legal basis of vital interests. This is not common and would only happen in critical, urgent circumstances where consent cannot be obtained.
- Public Interest (in the area of public health): If applicable, we might process health data for reasons of public interest in the area of public health or healthcare provision (as allowed by GDPR Article 9). This could apply if, for example, we participate in public health initiatives or reporting that require the use of health statistics. In such cases, appropriate safeguards and, if required, regulatory permissions would be in place.
(Note: We may rely on different legal bases concurrently for different aspects of processing the same data. For example, we might rely on contract to provide a service and on consent to process the health details within that service. We ensure a valid basis applies for all processing activities.)
Special Category Data (Health Information)
Because many Spectrum.Life services involve health and wellbeing information, it is important to understand that such data is given extra protection under law. Health data, as well as data about mental health, biometric data, etc., are considered “special category” personal data under GDPR and UK law.
- When we collect health information about you (for example, details you share with a counsellor, results of a mental health assessment, or your self-reported lifestyle data in the app), we will usually ask for your explicit consent to process this data for the purposes of providing our service to you. You have the right to refuse or withdraw consent, but note that if you do, we may be unable to provide certain aspects of the service that rely on that data (for instance, a clinical assessment cannot be performed without collecting health information).
- In some cases, processing your health data may also be justified under other legal bases in addition to consent: for example, when providing “health or social care” services under the supervision of a health professional (GDPR allows this under Article 9(2)(h)), or if necessary for an employer to fulfil their health and safety or duty of care obligations (which might apply for certain EAP/SAP contexts under Article 9(2)(b) or (h)). We will always ensure an appropriate lawful basis exists for any special category processing and will inform you of it.
- We apply strict access controls to health-related data. Only authorised personnel (such as your counsellor, coach, or a clinical supervisor) and necessary technical support staff will be able to see your health data, and even then solely on a need-to-know basis. All staff with such access are bound by confidentiality obligations. For example, a counsellor is ethically and legally obligated to keep your session content confidential, aside from exceptional circumstances like serious risk of harm as described under Vital Interests above.
- We do not use your health or sensitive data for any purposes other than to provide you with the services you have requested, to ensure your safety, to carry out our contract (e.g. reporting to your sponsoring organisation in limited ways as described later), or to comply with the law. We especially ensure that such data is never used for marketing or advertising targeting.
By using our clinical or wellbeing services, you acknowledge that we will necessarily process some health-related information about you, but always in line with this Notice and with respect for your privacy and dignity.
Cookies and Tracking Technologies
Our websites and mobile applications use cookies and similar tracking technologies to function effectively and to enhance your user experience. This section explains how we use these technologies:
- What Are Cookies? Cookies are small text files placed on your device (computer, smartphone, etc.) when you visit a website. They allow the site to remember your actions and preferences (such as login, language, font size and other display preferences) over a period of time, so you don’t have to re-enter them whenever you come back to the site or browse from one page to another. We also use similar technologies in our app and emails, like pixels or SDKs, which perform functions analogous to cookies (e.g., confirming if you opened an email or interacted with a notification).
- How We Use Cookies: Spectrum.Life uses cookies to ensure our services work properly and to collect information about how users interact with our content. For example, we use cookies to keep you logged in on our platform as you navigate between pages, so you don’t have to re-enter your password on every click. We also use them to remember your preferences (such as your preferred language or region). Additionally, cookies help us track usage patterns and analyse statistics (via analytics providers), which is essential for improving service performance and troubleshooting issues. Some cookies enable our marketing efforts by allowing us to show relevant Spectrum.Life promotions on our site or others (these are typically third-party cookies from advertising networks, used only if you have given consent for marketing cookies).
- Types of Cookies We Use:
- Necessary Cookies: These cookies are essential for the operation of our website or app. They enable core functionality such as security, network management, and accessibility. Examples include authentication cookies that keep you logged in and load-balancing cookies that ensure the site loads evenly. You cannot opt out of necessary cookies, as the services cannot run without them.
- Functional Cookies: These cookies allow the site to remember choices you make (such as your username, region, or personalization settings) and provide enhanced, more personal features. They may be set by us or by third-party providers whose services we have added to our pages (for instance, a chat support widget). Disabling these may impact your experience but the site can still function.
- Analytical/Performance Cookies: These cookies collect information about how visitors use our site, such as which pages are most visited and if users encounter error messages on web pages. The information is aggregated and anonymous, used to improve how our website works. For example, we might use Google Analytics cookies to see overall usage trends. We treat these cookies as optional – you can opt out and still use our sites, though our understanding of how to improve the service may be limited.
- Marketing/Advertising Cookies: These cookies track your online activity to help deliver more relevant advertising or communications, or to limit how many times you see an ad. They can share information with third parties like social media platforms or ad networks. Spectrum.Life might use these cookies to advertise our services on other websites you visit or to measure the effectiveness of our ad campaigns. We will only use advertising cookies if you have explicitly allowed them in our cookie consent manager. Even if allowed, these cookies do not tell us who you are – they only recognize your device and browser, and the data is typically collected and used by our advertising partners.
- Third-Party Cookies: When you visit our website, we may embed content from third-party sites (like an embedded video player or social media “share” button). These third-party services may set their own cookies on your browser. We do not control the data collected by these third-party cookies and their use is governed by those third parties’ privacy policies. For example, if we embed a YouTube video, YouTube may set cookies to track video views. We advise you to review the privacy policies of any third-party services for information on their cookies.
- Cookie Consent and Management: On your first visit to our site (and periodically thereafter), we will present you with a cookie banner to obtain your consent for any non-essential cookies (such as analytics or marketing cookies). You can choose to accept all, reject all, or customize your choices. If you opt out of certain cookies, those will be disabled. You can also manage or delete cookies at any time through your browser settings. Each browser (Chrome, Firefox, Safari, etc.) has options to control your cookie preferences or to clear cookies. Keep in mind that blocking all cookies, including necessary ones, may impair the functionality of our services – for example, you might not be able to log in or use certain features if cookies are disabled.
- Do-Not-Track Signals: Some browsers offer a “Do Not Track” (DNT) feature that lets you signal to websites that you do not want to be tracked across sites. At this time, our websites do not respond to DNT signals in a standardised way, because there is not yet a common understanding of how to interpret them. Instead, we adhere to the consent choices you make in our cookie banner and your browser cookie settings. We will continue to monitor developments around DNT and may update our practices as standards emerge.
Who We Share Your Data With
Spectrum.Life is not in the business of selling your information to third parties. We consider the information you provide to be a vital part of our relationship with you. However, in order to run our operations effectively and deliver services, we sometimes need to share personal data with third parties. We do so in a responsible manner and only in certain circumstances, described below:
- Group Companies: Spectrum.Life is part of a group of related companies under Spectrum Wellness Limited. We may share your personal data with other entities within our corporate group (for example, Spectrum Health or other subsidiaries) to support the services outlined in this Privacy Notice. This sharing is typically to facilitate integrated services (such as if another part of our group provides a specific clinical service to you on our behalf) or for internal administrative purposes. All group entities are required to follow this Privacy Notice and maintain the same level of data protection.
- Service Providers (Processors): We use trusted third-party companies to help us operate our website, mobile app, and services – these include IT hosting companies, cloud service providers, data analytics providers, communication tools, payment processors, and other vendors. These third parties act under our instructions and are “data processors” for us, meaning they only process your data for our specified purposes. For example, we use cloud hosting providers (such as Amazon Web Services or Microsoft Azure) to store and process data securely; we use payment processors like Stripe to handle credit card transactions; we might use an email/SMS service to send out appointment reminders; and analytics tools to gather usage statistics. We have contracts in place with all service providers which oblige them to protect your data to GDPR standards, keep it confidential, and not use it for their own marketing or other purposes. We carefully vet our providers for strong security practices.
- Partner Companies and Sub-Processors: In some cases, we partner with other organisations to deliver specialised aspects of our wellness services. These partners may have access to some of your information as needed for their role. For example, we might partner with a telehealth platform to facilitate video counselling sessions, or with wellness product providers as part of a wellness program. We also integrate with health-related services/devices by choice (like Fitbit) at your request. Such partners are also usually acting as our processors (or co-controllers in some cases) and must handle your data per our agreements and applicable law.
We partner with trusted third-party providers to support the delivery and enhancement of our services. These partners are subject to robust contractual obligations, including compliance with applicable data protection laws and implementation of appropriate security measures. Examples include:
- Fitbit (Google LLC): If you choose to integrate your Fitbit device data with Spectrum.Life (for fitness tracking in our wellness programmes), we will receive data such as your step count or activity logs from Fitbit. Fitbit’s systems will also know that you are using their integration with Spectrum.Life. Both Spectrum.Life and Fitbit act as independent data controllers for our respective processing activities. We only receive and use your Fitbit data with your consent to enhance your wellness experience.
- Specsavers: Spectrum.Life may partner with providers like Specsavers (a vision care company) to offer specific health services, such as eye check-ups or vouchers as part of a corporate wellness package. If you participate in such a service, we might confirm your eligibility with Specsavers and share only the minimum necessary information (such as a voucher code or confirmation of eligibility). Specsavers will use this information solely to provide the specific service.
- Randox: In certain corporate wellness or healthcare programmes, Spectrum.Life may partner with Randox Laboratories to deliver health screening and diagnostic services. If you participate, only limited personal information necessary to facilitate the service (such as your booking details or sample identification) is shared securely with Randox, who acts as an independent data controller for their processing.
- Stripe: For any payments you make to us, your payment details are securely processed by Stripe, a PCI-DSS-compliant payment processor. Stripe processes your payment information independently and securely. Spectrum.Life does not store your full credit card details on its systems.
- Other IT and Sub-Processor Examples:
- Salesforce: Used for managing customer support, clinical records (where applicable), and service ticketing. Limited necessary personal information (e.g., your name, email address, case details) may be processed in Salesforce systems.
- Twilio: Used to send secure text messages or make voice communications related to service delivery (e.g., appointment reminders, service alerts). Only contact details required for communication are used.
- AWS (Amazon Web Services): Spectrum.Life’s platforms and customer data are hosted on AWS infrastructure within the European Economic Area (EEA) or the United Kingdom, ensuring robust cloud security in line with GDPR standards.
- Tableau: Used for reporting and analytics purposes, primarily to generate anonymised or aggregated reports that help us enhance service quality and operational efficiency. Personal data visibility within Tableau is restricted and appropriately safeguarded.
- Microsoft Office 365: Employed for internal email communications and document management. Personal information such as your contact details or email correspondence with us may pass through these systems under strict security measures.
- SendGrid/Mailchimp: Utilised for sending newsletters, service updates, and event communications. Only necessary contact information (e.g., your name and email address) is shared, and marketing communications are only sent where lawful grounds (such as consent or legitimate interest) apply.
(The above are illustrative examples of key partners and sub-processors. We maintain a regularly updated full list of our sub-processors, which is available upon request. All partners and sub-processors are contractually required to meet strict data protection, confidentiality, and security standards.)
- Agents and Consultants: Spectrum.Life employs or contracts with professionals such as counsellors, coaches, medical consultants, and IT consultants to deliver our services. For example, if you engage in a counselling session through the EAP or SAP, the counsellor (who might be an external practitioner contracted by us) will have access to the information you share in sessions and relevant background that you provided. These agents are under strict confidentiality agreements and, in the case of health professionals, professional ethical obligations. Similarly, an external IT consultant might have temporary access to systems containing data for the purpose of troubleshooting a technical issue, but they would be contractually bound to privacy and only act under our direction.
- Business Transfers: If Spectrum.Life undergoes a business transaction such as a merger, acquisition by another company, or sale of all or part of its assets, your personal data may be transferred to the new owner or successor entity as part of the transaction. If such a transfer occurs, the use of your personal data will remain subject to this Privacy Notice (unless you are notified of changes and consent to them). We will communicate with you about any change in ownership or control of your personal information, as it may involve a change in the data controller.
- Legal and Regulatory Disclosures: We may disclose your personal data to third parties when required by law, or if we believe in good faith that such action is necessary to: (a) comply with a legal obligation, legal process, or lawful request (for example, responding to a court order, subpoena, or request from data protection authorities or law enforcement); (b) protect and defend the rights, property, or safety of Spectrum.Life, our users, or the public; or (c) investigate and defend against legal claims or allegations, or to prevent fraud or mitigate credit risk. When permissible, we will notify you of such requests unless doing so could compromise an investigation or is not allowed by law.
We make sure that any third party that receives personal data from us is contractually or legally required to protect it and to use it only for the purposes of the disclosure. We do not allow our service providers to use your personal data for their own marketing or unrelated purposes. We also require any third party handling personal data on our behalf to implement robust technical and organisational security measures (see Data Security below).
Data Sharing with Your Organisation or Sponsor
Many Spectrum.Life services are offered in partnership with client organisations, such as employers, educational institutions, or insurance companies that sponsor or facilitate your access to our services. We understand you may be concerned about what information, if any, is shared back with these organisations. This section clarifies our practices for different contexts:
Employee Assistance Programme (Workplace) – Is my data shared with my employer?
If you are using Spectrum.Life’s EAP services provided through your employer or workplace, you can be assured that the personal details of your counselling or support sessions remain confidential. We do not share any of your sensitive personal data or details of your usage (such as what you discuss with a counsellor, your assessment results, or what content you accessed) with your employer.
- Aggregated Anonymous Reports: Your employer may receive periodic overview reports about the EAP’s usage across their workforce. These reports might include metrics like the total number of employees who used the service, general categories of issues addressed (e.g., stress, financial advice, etc.), or overall wellbeing trends. Importantly, these reports contain only anonymised and aggregated data – meaning no individual is identifiable. The purpose is to help the employer understand the value and uptake of the service while preserving employee confidentiality.
- Registration Information: In some cases, your organisation might require confirmation of service uptake for program management. We may disclose minimal identifiable information to your employer strictly as needed to administer the program. For example, an employer might receive a report that lists employees who have registered for the EAP platform or the number of sessions used (typically without details). This is usually limited to confirming eligibility or usage count for contract purposes. We will never share the content of your interactions, your specific health data, or the topics discussed in your sessions with your employer. Any identifiable sharing is limited to what is contractually necessary (e.g., confirming that “Employee John Doe used 1 counselling session this quarter” for billing purposes, if applicable). We will inform you in advance if such confirmation reports are part of your employer’s program, and these are only done in accordance with employment assistance best practices and data protection law.
- Emergency or Risk Situations: The only scenario where more detailed information might be shared with an employer without your consent is if there is a grave and immediate risk situation (e.g., credible threats of violence in the workplace). Even in such cases, our general approach is to involve emergency services or appropriate professionals, not the employer directly, unless the situation specifically warrants employer involvement for safety. Again, this would be extremely rare and guided by law and duty of care.
In summary, confidentiality is core to EAP. We want you to use our workplace services with full peace of mind that your employer will not know the personal issues you are addressing. If you have any concerns about privacy relating to your use of an EAP, please contact us or your HR representative for clarification.
Student Assistance Programme (Education) – Is my data shared with my educational institution?
For students using our SAP services via a college, university, or school, our goal is also to protect your privacy while helping your institution support student wellbeing and safety. However, there may be instances under the SAP where sharing certain information with your institution is necessary to fulfil their duty of care to you, with your knowledge and consent:
- Explicit Consent for Required Sharing: When you engage with the Student Assistance Programme, we will typically ask you to sign or agree to a consent form at the outset which outlines what information may be shared with designated personnel at your educational institution. This is to ensure you are fully aware and in agreement. The information shared is only what is needed for your institution to support you (for example, confirmation that you are attending counselling, or if a particular accommodation or intervention is recommended for your wellbeing). This consent is explicit and a condition to proceed with services because the institution plays a part in the support process. If you do not consent, we will not share data, but it might limit the ability to provide certain supports in coordination with your institution.
- Examples of Information Shared: With your consent, we might share things like: that you have accessed the service and the general nature of support (e.g., academic stress, personal issue – but not a detailed account), recommendations for the institution to assist (like allowing a leave of absence or connecting you with campus resources), or in some cases, a summary report after your sessions if it’s part of a care plan. The exact details will depend on the agreement with your institution and will be explained to you. We will not share therapy session notes or very sensitive personal details unless it is specifically agreed and necessary for your care (and typically, you would also be involved in that communication).
- Emergencies/Duty of Care without Consent: If there is a serious concern for your safety or the safety of others (for example, if you are at immediate risk of self-harm or harm to someone else), our counsellors or staff might alert the appropriate authority at your institution (such as the student welfare office or campus security) even if you haven’t given explicit consent at that moment. This is aligned with duty of care obligations and legal allowances for vital interest. Our priority will be to ensure you get help. We would limit the information shared to only what is necessary to address the emergency (for example, that you have expressed intent to harm yourself and immediate intervention is needed).
- Academic or Disciplinary Uses: We do not share information you disclose in SAP counselling for any academic or disciplinary purposes. Your professors or academic records office will not receive information about your counselling sessions. The communication with your institution, when it happens, is handled by the student support/welfare side and is intended to help you, not penalize you.
In summary, for SAP: your privacy is respected, and sharing with your institution is done transparently and with consent, except in rare emergencies. The aim is to coordinate support, not to breach your confidentiality. If you have questions about what is shared under your academic institution’s program, we will happily provide details.
Insurance-Provided Services – Is my data shared with my insurance company?
Spectrum.Life also partners with insurance companies in some cases to offer wellness or assistance services to their members or policyholders. If you are using our services as a benefit provided by your health insurance or another insurer, here is how we handle data sharing with the insurer:
- Minimal Necessary Information: We do not routinely share your personal details or session content with your insurance company. The insurer’s role is typically to pay for or subsidize the service, not to receive your health information. We may share only the information that is needed for administrative purposes, such as confirming that you are eligible for the service (e.g., verifying your policy number or membership) and that you have used the service so that the insurer can process payments to us. For example, we might report to the insurer that “Policyholder Jane Doe had 3 coaching sessions this quarter” so they cover the cost under your plan.
- No Sensitive Details: The insurance provider will not receive clinical details or specifics of what was discussed or addressed in your sessions. For instance, if you see a counsellor through an insurance-provided program, the insurer does not get to know your diagnosis or personal circumstances from us. They would at most know that you availed of the counselling service and perhaps generic outcomes like completion of the program or referral status (if needed for care coordination).
- Aggregated Program Reports: Similar to employer reports, an insurer might receive aggregated data about how many of their members use the service and general outcome statistics to evaluate the program’s effectiveness. These reports will not identify you individually. They serve to help the insurer understand the value and usage of the offering.
- Consent and Legal Compliance: When you sign up for the service via an insurer, you may be informed about certain data sharing needed between us and the insurer. We ensure that any such sharing is done with a proper legal basis. Often it can fall under contract (to administer your benefits) or explicit consent (especially if any health data is involved in the communication).
- Claims and Support: If your use of the service is tied to an insurance claim (for example, the insurer covers a certain number of therapy sessions under a claim), there may be instances where the insurer requests information for claim adjudication. In such cases, we will either redirect that request to you or only provide information with your consent or as legally required. You often have rights under insurance law to see what is shared.
In short, when your service is insurance-sponsored, your insurer’s knowledge about your participation is limited to what is necessary for them to fund or manage the benefit. They do not get free access to your personal notes or data. We treat your information with the same care as in any other context. If you are ever unsure about what an insurer might know, you can ask us or the insurer for clarification.
Your Choices and Control
Using Spectrum.Life services is voluntary, and you have choices about the personal data you provide and how it is used:
- Choosing Not to Provide Data: You can choose not to provide certain personal information requested. However, be aware that we may not be able to deliver certain services without the relevant data. For example, if you do not provide an email address, we cannot create an account for you on our platform; if you decline to share any health information with a counsellor, they will not be able to offer meaningful guidance; if you choose not to allow cookies at all on the web platform, some features may not function (like staying logged in). We will always indicate which data elements are mandatory for a given service and which are optional.
- Managing Communication Preferences: If you have an account with us, you may usually manage some of your preferences (like marketing opt-ins or notification settings) through your profile settings on our app or web portal. You can also opt out of non-essential communications as described in the Marketing Communications section. You generally cannot opt out of essential service communications (like password resets or appointment reminders), because they are integral to the service, but you can minimize them by deactivating your account if you no longer use it.
- Integration and Social Features: If our platform offers integration with social networks or health platforms (for example, logging in via Google/Facebook, or sharing your wellness achievement on LinkedIn), you can decide whether or not to use those features. They are entirely optional. Not engaging with these features will not hinder your core use of our services; they are just there for convenience or enhanced experience.
- Privacy Settings: We endeavour to build any new features with privacy in mind. Check for any in-app privacy settings – for example, controlling who can see your profile or posts if community features exist, or whether you appear on leaderboards in wellness challenges. We encourage you to review such settings and adjust them to your comfort level.
- Withdrawal of Consent: Where we rely on your consent to process data, you have the right to withdraw that consent at any time. You might have given consent for things like receiving our newsletter, or for us to collect certain health metrics, etc. If you change your mind, you can usually withdraw consent in the same manner you gave it (for example, unchecking a box in your profile settings, or contacting us). See Your Rights – Withdraw Consent below for more details. Keep in mind, if you withdraw consent for us to use certain data that is necessary to deliver a service, we may have to discontinue that service for you (but we will advise you of any such consequences at that time so you can decide).
We want you to feel in control of your personal data. If you ever need any assistance with adjusting your preferences or have questions about how to exercise control over your data, please contact us and we will be happy to help.
Data Retention – How Long We Keep Your Data
We retain personal data only for as long as it is necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Different types of data may have different retention periods, based on the nature of the data and the context in which it was provided:
- Clinical Service Records: If you have engaged in clinical services (such as counselling or therapy through EAP/SAP or other clinical programs), records of those services (session notes, assessments, outcomes) are typically retained for seven (7) years from the date of your last session. This retention period aligns with healthcare industry standards and legal requirements for maintaining clinical records, ensuring that information is available for continuity of care or in case of any later issues. In the case of services to minors (if any), the retention period might be longer (e.g., until a certain period after they reach adulthood) in accordance with local regulations.
- General User Account Data: Information like your account profile, login information, and general usage history is retained for as long as your account is active. If you cease using our services or request deletion of your account, we will delete or anonymize your personal data within a reasonable time after fulfilling any outstanding obligations (for example, completing any program you’re enrolled in, or waiting a short period in case you reactivate). We might retain minimal information thereafter to note that you were previously registered (to avoid sending you new invitations, for example) or as required for legal purposes.
- Communication and Support Data: If you contacted us for support or we corresponded via email, we may retain those communications for a period of time as needed to ensure we have a history of what was discussed. Typically, support tickets or emails are kept for a few years (often 2-3 years) in case you come back with a follow-up or for training and quality assurance, unless you request their deletion and we have no ongoing need.
- Payment and Transaction Data: Financial transaction records (invoices, payment confirmations, etc.) are retained for at least seven (7) years or more as required by tax law and auditing standards. This is to comply with accounting and revenue regulations. Even if you delete your account, we will retain invoices or receipts that contain your personal data (like name and transaction date) for the legally mandated period.
- Analytics Data: We often aggregate or anonymize analytics data for long-term trend analysis. Raw analytics logs are either deleted or anonymized after a relatively short period (perhaps 14-24 months, depending on the tool) since we don’t need personally identified analytics beyond that. Aggregated statistics (with no personal identifiers) may be kept indefinitely.
- Legal Hold: If we are in a legal dispute with you or are required to preserve data by law (e.g., due to a litigation hold or government investigation), we will retain the data for as long as instructed or necessary to comply with those obligations. During such period, we cannot delete the data until we are authorized to do so.
- Deletion and Anonymization: When personal data is no longer needed, we either delete it securely or anonymize it so it can no longer be associated with you. For example, we might shred or securely archive old paper records, wipe electronic data from systems, and/or replace identifiable information with codes in datasets retained for research.
If you would like more specific information about the retention period for a particular type of data or service (for instance, “How long do you keep my chat logs with a coach?”), please contact us. We will provide details or our retention policy relevant to that context. Also, note that under Your Rights (right to erasure), you can request deletion of your data sooner in some circumstances – we will accommodate such requests where we can, provided we do not have a compelling reason or legal obligation to keep the data.
Data Security
Data security is very important to Spectrum.Life. We are committed to protecting your personal data from unauthorised access, alteration, disclosure, or destruction. We have implemented a variety of security measures to safeguard the data in our care, in line with industry best practices and regulatory requirements (including the heightened cybersecurity standards under the EU’s NIS2 Directive). Key aspects of our security program include:
- Technical Security Measures: We use encryption to protect personal data in transit and at rest. This means that any data you send to our servers (for example, via the app or website) is encrypted using protocols like HTTPS/TLS, and sensitive databases or files are encrypted when stored on our systems or on the cloud. Access to our systems requires authentication, and we employ multi-factor authentication for our own administrators and staff to prevent unauthorised logins. We maintain firewalls and network security monitoring to guard against external attacks. Our infrastructure is regularly updated with security patches to address vulnerabilities.
- Organisational and Physical Security: Only personnel who have a genuine business need to access personal data can do so, and their access is limited to the scope needed. For example, a counsellor can access client files for those they counsel, but not all client files; an IT support engineer can access system logs but not, say, counselling notes, unless necessary under supervision for a specific task. We conduct background checks on, and have confidentiality agreements with, our staff and contractors handling personal data. Our offices and data centres (including cloud data centres via our providers) have physical security controls such as access badges, surveillance, and visitor logs.
- Security Standards Compliance: We adhere to recognised security frameworks. Spectrum.Life’s information security management draws on standards like ISO/IEC 27001 (an international standard for information security) and IASME Cyber Essentials (a cybersecurity standard in the UK). We have policies and procedures in place governing data handling, incident response, and access control in line with these standards.
- Testing and Auditing: We conduct regular security audits and testing of our systems. This includes vulnerability scanning, penetration testing by independent experts, and routine review of access logs. We also assess our third-party service providers for their security posture. Any findings from testing are promptly addressed with corrective actions. We may also receive audits or assessments from some of our enterprise clients to ensure we meet their security requirements.
- Incident Response and Breach Notification: Despite best efforts, no system can be 100% secure. We have a detailed incident response plan to handle any suspected data breach or security incident. If a personal data breach were to occur, we will contain and investigate it immediately. We will also notify the relevant supervisory authority (like the Data Protection Commission in Ireland or the ICO in the UK) as required by law, and we will inform affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms. Our procedures reflect GDPR’s breach notification rules (generally aiming to notify authorities within 72 hours and individuals promptly thereafter, if needed).
- Continuous Improvement: Cyber threats evolve, and so do we. We stay updated on the latest security threats and regulatory requirements (like new guidelines under NIS2) to continuously improve our defences. Staff receive training on data protection and security practices annually, so they remain vigilant and informed. We also maintain cyber insurance as an additional risk mitigation measure, though our focus is on prevention first.
In using our services, you should also play a part in keeping your data safe. Ensure you use a strong, unique password for your account and do not share it with others. Be cautious about phishing scams – Spectrum.Life will never ask you for your password via email, and any official communications from us will come from our domain. If you suspect any unauthorised access or security issue related to your data or our services, please notify us immediately so we can take action.
International Data Transfers
Spectrum.Life is based in Ireland and our primary data storage and processing activities occur within the European Economic Area (EEA). However, in today’s interconnected world, some of the third-party services we use or certain operational needs may involve transferring or accessing personal data in other countries. We want to be transparent about how we handle international data transfers and the safeguards we have in place:
- EEA and Adequate Countries: If your data stays within the EEA or goes to countries that the European Commission has deemed to have an “adequate” level of data protection (such as countries in Europe, Canada, Japan, etc.), then your data enjoys essentially the same level of protection as under EU law. We largely aim to keep data in jurisdictions with strong data protection laws. For example, our primary servers are in the EEA, and if we ever store backup data in another country, we would aim for an adequate country or ensure strong protections.
- Transfers Outside Protected Zones: If we (or our processors) need to transfer your personal data to a country that is not considered to have adequate data protection laws (for example, to the United States or India or other locations where some of our service providers might be based), we will ensure one of the following safeguards is in place:
  - Standard Contractual Clauses (SCCs): We will sign the European Commission’s approved Standard Contractual Clauses with the data importer. These are legal contracts that bind the recipient to protect the data to EU standards, giving you rights and remedies if the data is mishandled. The SCCs have been updated in recent years to address international transfer concerns, and we implement any supplementary measures (like encryption in transit/at rest, minimization, etc.) as needed on a case-by-case basis.
  - EU-U.S. Data Privacy Framework (DPF): For transfers to the United States, we may rely on the new EU-U.S. Data Privacy Framework if the recipient is certified under that framework. The DPF was established to ensure that personal data transferred to certified U.S. companies receives adequate protection (replacing the old Privacy Shield). For instance, if we use a U.S.-based service provider that is DPF-certified, your data can flow to them under that certification. We keep records of which providers are participating in the DPF and require maintenance of their certification.
  - UK Extension (UK-US “Data Bridge”): Similarly, for UK personal data transferred to the U.S., the UK has established an extension of the DPF (often called the UK-US Data Bridge) which we can rely on for certified recipients. In practice, this means if we transfer UK user data to a DPF-certified U.S. entity, it is also covered for UK legal purposes by this arrangement.
  - Binding Corporate Rules (BCRs): Though Spectrum.Life is not a large multinational with its own BCRs, some of our service providers (especially cloud giants) have approved Binding Corporate Rules for their intra-company transfers. Where applicable, we leverage those frameworks.
  - Explicit Consent or Derogations: In very limited cases, we might transfer data based on your explicit consent (after informing you of possible risks) or under another derogation allowed by Article 49 of GDPR – for example, if a transfer is necessary to fulfill a contract with you, or to establish/exercise legal claims. These cases are rare and specific (such as if you request us to forward your records to a practitioner in a country without other safeguards, we would do so with your consent).
- Example – U.S. Service Providers: A number of our technical service providers may be based in or have servers in the United States (for instance, email delivery services or data analytics services). We ensure that any such provider is either DPF-certified or has SCCs in place with us. Additionally, post-Schrems II (the court case affecting EU-US data transfers), we assess whether U.S. law might impinge on the privacy of the data (e.g., government access risks) and take steps like encrypting data such that the provider cannot access content without our keys, where relevant. Our aim is to not transfer data in plain form to any entity that cannot guarantee privacy protections.
- Your Rights and Transparency: If we transfer your data outside the EU/UK, you have the right to be informed of the appropriate safeguards we’ve relied on. We’ve summarized them above. If you want more details, you can contact us and we can provide copies of relevant contractual clauses or references to the framework in use (with any confidential clauses or unrelated data redacted). We make these arrangements to protect your data internationally so that it continues to have a high level of protection, no matter where it’s processed.
- Continued Monitoring: The landscape of international data transfers is evolving. We closely monitor developments such as new court rulings, updated SCC versions, or additional countries being deemed adequate. We will adapt our transfer mechanisms as needed. For example, if the EU were to approve another country’s laws as adequate, we might rely on that in the future. Or if any mechanism we currently rely on is invalidated or expires, we will promptly find an alternative valid solution and minimize transfers in the interim.
By using our services and providing us your data, you acknowledge that your data may be transferred to and processed in jurisdictions outside your home country, including jurisdictions that may have different data protection rules. Rest assured, however, that Spectrum.Life will always take legally required and reasonable steps to ensure any such transfer is carefully managed to protect your rights and interests.
Marketing Communications
Spectrum.Life may send you communications to keep you informed about our services, new content, or wellness tips, but you remain in control of what you receive:
- Service-Related Communications: Regardless of your marketing preferences, we will send you important service communications that are necessary for the performance of our contract with you or for security/administrative reasons. These include messages like appointment reminders, confirmations of account actions (password resets, etc.), critical updates about the services you’re using, changes to terms or policies, or notifications in case of any issues (like service downtime or security alerts). You cannot opt out of these essential messages because they are not promotional in nature – they are core to using the service safely and effectively. (However, if you really do not want to receive even these, the only way would be to discontinue using the service, as otherwise you might miss crucial information.)
- Newsletters and Wellbeing Tips: If you consent, we may send periodic newsletters with general wellbeing content, success stories, or articles that might interest you. We may also send tips or challenges (for example, a monthly wellness challenge invitation) if you’ve signed up for those updates. These are meant to enhance your experience even if you’re not actively in a program.
- Promotional Offers and New Services: With your permission, we could send you information about new services or programs Spectrum.Life is launching, special events (like webinars or workshops), or offers such as a chance to sign up for a beta program, a discount on a coaching package, etc. We might also notify you of relevant services from our partners that complement your wellness journey, but those will always come from us (we don’t give your contact to third parties for them to contact you directly without your consent).
- Channels of Communication: We may communicate with you via email, in-app/mobile push notifications, SMS/text messages, or occasionally by phone. The channels used will depend on what contact information you provided and the nature of the message. For instance, appointment reminders might come as both email and SMS for immediacy; marketing newsletters would typically be email; urgent alerts might use SMS. You can control some channel preferences (e.g., you may opt out of SMS marketing but still get emails). Standard messaging/data rates may apply for texts, and you can always reply “STOP” to an SMS to opt out.
- Opting In: When you first register or use our services, we will ask for your consent before sending you marketing or non-essential communications. This might be a checkbox like “Yes, I’d like to receive updates and offers from Spectrum.Life” on a sign-up form. If you do not check or agree, you won’t get those communications. If you do, we will include you in our mailing list.
- Opting Out: If at any time you decide you no longer want to receive marketing or promotional communications from us, you can opt out. The easiest ways to do this are: (a) clicking the “unsubscribe” link in any marketing email (this will typically stop further newsletters or similar emails); (b) replying with an opt-out keyword (like “STOP” or “UNSUBSCRIBE”) if instructions are given in a message (commonly for SMS); or (c) contacting us directly at our support or DPO email to request removal from marketing lists. We will process opt-out requests as soon as possible. Please note that even if you opt out of marketing, you will still receive essential service communications as noted above.
- Third-Party Marketing: Spectrum.Life will not share or sell your contact information to third-party companies for their own direct marketing, unless you separately consent to that with a partner (for example, if as part of a wellness event, you agree to share details with a sponsor – but that would be outside this Notice’s typical scope). Any promotional message you get should be from Spectrum.Life. If you do happen to get marketing from a partner and you believe we shared your data improperly, please let us know immediately.
- Marketing to Corporate Clients or Prospects: If you represent a company or organisation that we do business with or that has expressed interest in our services, we may send B2B communications to your work contact information based on legitimate interest (e.g., sending a brochure to an HR manager about our new program). Those communications have their own opt-out processes, and this Notice primarily addresses personal consumer data. We maintain separate marketing lists for corporate outreach, and respect opt-outs there as well.
We aim to make our communications useful and infrequent. We know your inbox can get crowded, so we won’t spam you. Typically, we might send a monthly newsletter and occasional announcements. If you’re not finding value in our communications, please opt out — you can always opt back in later if you change your mind. Your decision on marketing will not affect your access to the core services.
Children’s Privacy
Spectrum.Life provides certain services specifically designed for children and adolescents, but we take extra precautions to protect the privacy and rights of young users. Except where explicitly noted for specialist services, our general platform and website are not intended for use by children under the age of 16 (or under 18 in specific service contexts).
General Access and Age Restrictions: If you are under the age of 16, you should not create an account or use Spectrum.Life’s general wellness platform intended for adults. We do not knowingly permit individuals under this age threshold to register for or access our adult-focused services.
Specialist Services for Minors: Spectrum.Life offers dedicated mental health and neurodiversity assessment services for children and adolescents aged 6 to 17. These services include short-term counselling, psychotherapy, digital psychologist support, iCBT (internet-based Cognitive Behavioural Therapy), and online neurodiversity assessments. Where minors access these services, appropriate parental or guardian consent is obtained prior to the processing of any personal data, consistent with GDPR Article 8 and national laws. Consent is typically facilitated through the responsible party (such as a parent/guardian) during service intake or via institutional partnerships, depending on the service delivery model.
Special care is taken to ensure minors’ privacy, including providing age-appropriate information and respecting evolving capacities for decision-making where applicable.
No Marketing or Profiling of Children: Spectrum.Life does not profile, market to, or conduct targeted advertising towards children. Any communication provided to minors is purely educational, therapeutic, or supportive in nature, focused on promoting wellbeing and resilience.
Accidental Data Collection: If we become aware that we have inadvertently collected personal information from a child without the necessary parental or guardian consent, we will act promptly to delete that data, unless retention is legally required (for example, safeguarding obligations). This includes situations where a child misrepresents their age during registration.
Parental and Guardian Involvement: Parents and guardians play an essential role in supporting children’s privacy rights. If you believe that a child under the age of 16 (or under 18, depending on the service) has submitted personal data to Spectrum.Life without your consent, please contact us. We will verify your relationship to the child where necessary and take appropriate action, including deletion of the data or obtaining valid consent.
In summary, while Spectrum.Life’s general services are designed for adults, we also offer specialist, clinically led mental health and neurodiversity services for children and adolescents, always with explicit consent and in strict compliance with data protection laws. We are committed to safeguarding minors’ privacy and supporting families with transparency and care.
Links to Other Sites
Our website and app may contain links to third-party websites or resources that are not operated by Spectrum.Life. We provide these links for your convenience or as part of our content (for example, a blog article on our site might link to an external resource for further reading, or we may link to an online booking portal operated by a partner).
Please be aware that once you click on a third-party link and leave our platform, this Privacy Notice no longer applies to those external sites. We do not control the content, security, or privacy practices of those third parties. If you visit a linked site, that site’s Privacy Notice and terms will govern your use of it and any data you provide there.
We advise you to exercise caution and read the Privacy Notice of every site you visit, especially if you are asked to provide personal information. Spectrum.Life is not responsible for the privacy practices or content of external websites. We do not endorse or make representations about third-party sites; a link is not an endorsement. If you find any external link on our platform that you believe is inappropriate or unsafe, let us know and we may reconsider having it on our site.
That said, we try to only link to reputable sources that we believe will be useful to our users. If we embed content from third parties (like videos, maps, or widgets), we attempt to do so in a way that minimizes data sharing (though, as noted under Cookies, those third parties might still collect some data via their embedded content).
In summary: When in doubt, review the third party’s Privacy Notice before interacting. Your interactions on those external websites are solely between you and that third party.
Automated Decision-Making and AI
Spectrum.Life’s current practices involve a human-centred approach to delivering wellbeing services. We do not rely on solely automated decision-making, including profiling, that produces legal or similarly significant effects concerning you, as per GDPR Article 22. In other words, there is no computer algorithm at Spectrum.Life that will, by itself, make a decision that significantly affects your rights (such as denying you a service or determining your benefits) without any human involvement.
- Use of AI and Algorithms: We continuously explore ways to enhance our services, and this may include using technology like artificial intelligence (AI) or machine learning for things like analysing anonymized data patterns, providing chatbot assistance for basic queries, or suggesting content that might be relevant to you. However, any such tools are used judiciously and with your privacy in mind. For example, an AI-based recommendation engine might suggest articles on stress management if you’ve been looking at content about anxiety – but this is simply to assist you and does not have a significant impact on you beyond providing helpful tips.
- Human in the Loop: For any important decisions or evaluations, we ensure a human is involved. If in the future we were to introduce something like an AI-driven health risk assessment, the result would always be reviewed or communicated by a qualified professional rather than just an automated notice. We value the nuance and empathy that human professionals bring, especially in mental health and wellness contexts, so AI will remain a support tool rather than the decision-maker.
- Transparency and Compliance: If we do introduce more noticeable AI features, we will be transparent about it and update this Privacy Notice accordingly. We will also comply with any new regulations governing AI. Notably, the EU is in the process of implementing the AI Act, and other regions have their own emerging rules. Spectrum.Life is keeping a close eye on these developments to ensure we meet any requirements (such as assessing the risk level of AI systems, providing explanations for automated processes, and respecting your rights regarding algorithmic decisions).
- No Sale or Sharing for Automated Profiling by Others: We do not sell your data to data brokers or allow others to profile you for their purposes. Any profiling we might do is only to serve you within our platform (like categorising which users might benefit from which program, internally).
- Right to Object: As part of Your Rights, you have the right to object to any form of profiling or automated processing we carry out, and the right not to be subject to decisions based solely on automated processing if they have significant effects. While we currently do not have such decision-making, we uphold that right. If you ever feel that you are being evaluated or treated in a purely automated way on our platform that is unfair or uncomfortable, please contact us. We will address the concern, provide clarifications, and if needed, arrange for a human to review any decision or outcome that you contest.
In summary, Spectrum.Life leverages technology to assist in delivering and improving services, but we put human wellbeing first and foremost. Technology is a tool, not a replacement for human care in our model. You can trust that there is thoughtful oversight behind any significant action involving your data.
Your Rights as a Data Subject
As a user of Spectrum.Life and someone whose personal data we process, you have several rights under data protection laws (particularly the GDPR and UK data protection law). We are committed to upholding these rights. Below, we outline your key rights and what they mean:
- Right to Be Informed: You have the right to be informed about how your data is being collected and used. This Privacy Notice is part of fulfilling that right – providing details on what data we collect, for what purposes, who we share it with, etc. We aim for transparency. If anything is unclear to you, you can ask us questions and we will inform you further.
- Right of Access: You have the right to access personal data we hold about you. This means you can ask us to confirm if we are processing your data, and if so, request a copy of that data (commonly known as a Subject Access Request). We will provide you with a copy of the personal data in our records, along with details such as the purposes of processing, the categories of data, and the parties with whom it’s shared, all in line with legal requirements. Typically we will respond within one month of verifying your identity for the request.
- Right to Rectification: If you believe that any personal data we have about you is incorrect or incomplete, you have the right to have it corrected. For example, if you notice we have an old phone number or a misspelled name on file, let us know and we will update it. Many basic details can also be corrected by you directly through your account profile editing. We may ask for documentation for certain changes if applicable (like proof of a legal name change), but generally we try to make correction simple.
- Right to Erasure (Right to be Forgotten): You have the right to request the deletion of your personal data in certain circumstances. You can ask us to erase your data, for instance, if it is no longer necessary for the purpose we collected it, or if you initially consented and now withdraw consent and we have no other legal ground to keep it, or if you object to processing and we don’t have an overriding interest to continue, or if we handled data unlawfully. Note that this right is not absolute – sometimes we may have to retain certain information despite your request (for example, to comply with legal obligations or defend legal claims). But we will inform you if that’s the case. If you simply want to close your account and delete your data, in most cases we will be able to fulfill that fully, aside from data we must keep by law (see Data Retention above).
- Right to Restrict Processing: You can ask us to restrict (pause) the processing of your personal data in certain situations. This might apply while you contest the accuracy of data (we pause use until it’s verified), or if you’ve objected to processing (and we’re considering if our legitimate grounds override yours), or if processing is unlawful but you want us to hold the data instead of deleting it, or if we no longer need the data but you need us to keep it for an establishment, exercise, or defense of a legal claim. When processing is restricted, we will store the data but not use or share it until the issue is resolved (unless it’s to secure the data or as needed for legal reasons). We will let you know when a restriction is lifted.
- Right to Data Portability: For data you provided to us and which we process by automated means on the basis of consent or contract, you have the right to obtain a copy in a structured, commonly used, machine-readable format (for example, a CSV or JSON file). You also have the right to request that we transmit that data directly to another controller (another service provider) where technically feasible. This right is designed to make it easier for you to move your data between services. It applies to things like data you actively provided (profile info, answers to assessments, etc.) and observational data from your use (like wearable data you uploaded), but it wouldn’t cover our own analysis or derived insights. If you need such portable data, contact us and we will work with you.
- Right to Object: You have the right to object to our processing of your personal data in certain circumstances. Specifically, you can object to processing based on legitimate interests or public interest tasks, and we must stop unless we have compelling legitimate grounds that override your rights or if we need to continue for legal claims. You also have an absolute right to object to your data being used for direct marketing at any time – if you object, we will stop using your data for marketing immediately. Additionally, if we were conducting any profiling or research you object to, you have the right to object. We will carefully consider any objection and respond with our decision and reasoning.
- Rights related to Automated Decision-Making: As noted, you have the right not to be subject to a decision based solely on automated processing (including profiling) that has legal or similarly significant effects on you. Spectrum.Life doesn’t currently make such decisions, but if we ever do, we will ensure a proper mechanism for human intervention is in place. In any case, you could request an explanation of an automated decision and contest it. We include this here for completeness and to affirm our stance on meaningful human review.
- Right to Withdraw Consent: If we are processing any of your personal data based on your consent, you have the right to withdraw that consent at any time. This is easy to do – for example, you can unsubscribe from emails, uncheck consents in your profile settings, or contact us for assistance. Once consent is withdrawn, we will stop the processing that was based on consent. However, please note: withdrawing consent does not affect the lawfulness of processing that happened before the withdrawal. For instance, if you gave consent for us to gather your wellness data for a program and then withdraw at the end, we don’t have to erase the data that was processed while consent was in place (though we might if you also request erasure). It mainly means we won’t continue further processing from that point forward. Some services might require consent to function (especially where health data is involved), so if you withdraw consent in those scenarios, we might have to discuss terminating or altering the service for you.
- Right to Lodge a Complaint: If you believe your data protection rights have been violated or that we have not handled your personal data lawfully, you have the right to file a complaint with a supervisory authority. In the EU, you can do this with an authority in the country of your residence, place of work, or where the issue occurred. Spectrum.Life’s lead authority is the Irish Data Protection Commission (DPC), given our headquarters in Ireland. In the UK, the relevant authority is the Information Commissioner’s Office (ICO). We have provided contact links below in the Complaints section for these authorities. We would, however, appreciate the chance to address your concerns directly before you approach a regulator – so please feel free to reach out to us, and we will do our utmost to resolve any issue in a satisfactory manner.
These rights can be exercised free of charge in most cases. Only if a request is manifestly unfounded or excessive (for example, repetitive requests) might we charge a reasonable fee or refuse to act, as permitted by law – but we have never had to do that, and we hope we never will. Our policy is to honor your rights as efficiently and transparently as possible.
Exercising Your Rights and Contacting Us
If you wish to exercise any of your rights described above, or if you have any questions or concerns about how we handle your personal data, you can contact us through the following methods:
- Via Email: The most convenient way is to email our Data Protection Officer at gdprspectrumlife@spectrum.life. Please include your name and the specific request or query you have. If you are making a data access or deletion request, we may need to verify your identity (to ensure we don’t give your data to someone else). We might ask for additional information or identification documents purely to confirm you are the right person. Once verified, we will proceed with your request.
- Via Postal Mail: You can also send a written request to:
Data Protection Officer
Spectrum Wellness Limited (Spectrum.Life)
95 Merrion Square, Dublin 2, D02 H244, Ireland
Make sure to provide contact information (like an email or phone number) where we can reach you once we receive the mail, and describe your request in detail. Postal requests might take longer to receive and process due to delivery times and manual handling.
- Via Telephone: If you have a simple query or want to alert us of an urgent issue, you can call our main office (the number is available on our website). However, for exercising formal rights (like obtaining a copy of your data), we will likely ask you to put it in writing (email or mail) so there is a clear record.
Response Time: We will acknowledge your request as soon as possible – typically within a few days – and at the latest within one month from when we receive it. We aim to provide a full response within that one-month period. If your request is complex or we have received many requests, we are allowed to extend this period by an additional two months, but if that’s the case we will inform you within the first month and explain why the extension is needed.
What to Expect: When you exercise your rights, we will do our best to accommodate your request fully. If for some reason we cannot (for example, if you request deletion of records we must keep by law), we will explain the reason to you. If you request access to data, we will provide it in a secure manner (often via email or a secure download link, unless you prefer a hard copy). If you correct data, we’ll confirm the change. If you unsubscribe from marketing, we’ll update our lists promptly (it might take a few days to ensure all systems are updated, so you might get a message that was already in the pipeline, but we’ll try to avoid that).
We do not discriminate against anyone for exercising their rights. Our services will continue as normal after any request (unless of course the request in effect makes it impossible, such as deleting data that is essential for the service – in which case we would let you know the consequences and perhaps have you confirm whether you want to proceed).
Your privacy and satisfaction are our priority, so please do not hesitate to contact us for any reason related to your personal data.
Complaints
While we strive to protect your privacy and address any concerns you have, we understand that you might want to escalate a matter if you feel it hasn’t been resolved. If you are not satisfied with our response to any privacy issue, you have the right to lodge a complaint with a supervisory data protection authority.
As mentioned, our lead supervisory authority is the Irish Data Protection Commission (DPC) since we are established in Ireland. If you are in the UK, you may prefer to contact the UK Information Commissioner’s Office (ICO). If you are in another EU/EEA country, you can contact your national authority, and they will likely coordinate with the Irish DPC.
Here are the contact details for the primary authorities:
- Data Protection Commission (Ireland): You can find more information on making a complaint on the DPC’s website: www.dataprotection.ie. The site provides a webform for complaints and contact phone numbers. The DPC’s headquarters address is 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland. Phone: +353 578 684 800 or +353 761 104 800.
- Information Commissioner’s Office (UK): Visit the ICO’s website at ico.org.uk for guidance on raising a concern. The ICO can be reached via their online reporting tool, or by phone at +44 303 123 1113. Their postal address is Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, United Kingdom.
- Other EU Authorities: A list of national data protection authorities is available on the European Data Protection Board (EDPB) website. For example, if you’re in France, it’s the CNIL; in Germany, there are state-level DPAs; in Spain, the AEPD, etc. You can choose to contact them directly. Under GDPR’s cooperation mechanism, you can file with any one authority and it will be forwarded/handled jointly as needed.
We would ask that before you reach out to a regulator, please consider letting us know what your concern is, so we have one more chance to address it directly. We genuinely want to resolve any issues and ensure you are satisfied. Oftentimes, a quick conversation can clear up a misunderstanding or allow us to correct something to your satisfaction without the need for formal procedures. However, exercising your right to contact a regulator is entirely your prerogative and will not affect any service you have with us.
Your trust is extremely important to us. We view complaints as an opportunity to improve. If you do lodge a complaint, we will cooperate fully with the authority and work to resolve the issue fairly and promptly.
Updates to This Privacy Notice
Spectrum.Life may update or revise this Privacy Notice from time to time to reflect changes in our services, legal obligations, or data processing practices. We encourage you to review this Notice periodically to stay informed about how we are protecting your personal data.
- Notification of Changes: Whenever we make a significant change to the Privacy Notice, we will make the updated Notice available on our website and indicate the date of the latest revision (for instance, by updating the “Effective Date” at the top). If changes are substantial or affect your rights or obligations, we will take additional steps to notify you. This may include sending an email to the address associated with your account, or displaying a prominent notice on our website or mobile app (such as a pop-up or banner) to inform you of the changes before they take effect. For minor changes (like clarifications or typographical corrections that don’t materially alter the Notice), we may not send a direct notification, but the changes will still be reflected on this page.
- Review and Consent to Changes: By continuing to use our services after an updated Privacy Notice comes into effect, you will be deemed to have accepted the updated terms, except for certain cases where your explicit consent is required (if, for example, we were to start processing data for a new purpose that originally required consent, we would seek that from you). If you do not agree with the changes in a new Privacy Notice, you have the right to stop using our services and request that we close your account and/or delete your data (consistent with Your Rights above). We will not enforce new processing on your data without your agreement when consent is the basis.
- Historical Versions: For transparency, we may keep prior versions of this Privacy Notice archived and available for review (upon request or via our website). This allows you to see how our practices have evolved. The “Effective Date” will let you know which version is current.
- Ongoing Compliance: Privacy and data protection is not a one-time effort for us – it’s ongoing. As new regulations come into play (like the ones we referenced in the introduction: e.g., new EU-U.S. transfer frameworks, NIS2 cybersecurity rules, digital services regulations, health data governance changes, AI regulations, etc.), we will adapt this Notice and our practices to ensure continued compliance and trust. We are committed to keeping our privacy practices state-of-the-art and in line with legal requirements and user expectations.
If you have any questions about this Privacy Notice or any changes made to it, please contact us. Your understanding and feedback are important to us as we strive to maintain the highest standards of privacy and security.
Thank you for taking the time to read our Privacy Notice. We value your privacy and are dedicated to protecting your personal data while providing you with effective and compassionate wellbeing services.