Privacy Policy

Second Nature Healthy Habits Ltd, trading under the name Second Nature, ("we") are committed to protecting and respecting your privacy. We are registered with the UK Information Commissioner's Office as a Data Controller (Reg No. ZA148098), and have in place a comprehensive Company data protection policy and code of practice.

This Privacy Policy ("Policy") (together with our Terms, which can be accessed at, and any other documents referred to on it) sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed by us and how you can get access to this information. If you are located in the European Economic Area (“EEA”) or the United Kingdom (UK), “personal information” means any information relating to an identified or identifiable individual. Please review it carefully.

1. Purpose of this Policy

Second Nature provides you (the "User") with access to the online and mobile services including but not limited to, and all associated subdomains (the "Website"), the Second Nature mobile application (the "App"), and any provided healthcare tracking technology, collectively the "System". Our privacy policy is designed in accordance with numerous national and international regulation frameworks, including (but not limited to) the General Data Protection Regulation (“GDPR”), the UK Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”).

2. What personal information do we hold and how we get it

We may collect and process personal information provided by filling in forms on the Website or App, including personal information provided during completion of surveys and other online tools, posting of comments in the Community or requesting further services, and when you report a problem with our System. If you contact us, we may also keep a record of that correspondence. Second Nature also collects and processes personal information with the health tracking technology provided as part of the System, such as wireless weighing scales (which track your weight) and activity trackers (which track your steps and sleep).

Throughout your use of the System we may collect personal information such as: personal demographics information (including but not limited to first and last names, date of birth or age, address, email, phone number); lifestyle or health data (referred as “special category data” and includes height, weight, body mass index, ethnicity, smoking status); other personal health profile information and details of your visits to the System and the resources that you access (including, but not limited to, traffic data, location data, weblogs, other communication data, and the resources that you access).

Your data (steps per day and weight) may also be collected via Apple HealthKit or Google Fit upon installing our iOS and Android apps. This consent will be explained and obtained from you within the app and you may revoke this access at any point within your phone's operating system settings.

Your personal information (steps per day and weight) may also be collected via Apple HealthKit or Google Fit upon installing our iOS and Android apps. These apps will ask for your consent, and you may revoke this access at any point within your phone's operating system settings.

Your personal information, including your health data (referred as “special category data” and includes height, weight, HBA1C level, BP level, cholesterol level, PAM score) may also be provided to us by an electronic patient record, referral or through a secure online platform in order to refer you to the System, e.g. provided through your GP, local NHS service or our partner REED. If this is the case, the relevant party will ask for your explicit consent .

We collect as well technical information and analytics from you concerning your use of the System, including but not limited to pages visited, links clicked, non-sensitive text entered, mouse movements, system and operating system type and version, browser or app version, time zone setting and usage of our iPhone and Android apps.

3. IP addresses and cookies

We may collect personal information about your device, including where available your IP address, operating system, browser type and screen size for use in system administration, to tailor your experience of the System, provide you with customer support and to report aggregate information internally.

For the same reason, we may obtain personal information about your usage of the System by using a cookie file which is stored on the hard drive of your device. Cookies help us to give you a smooth user experience, improve the System and deliver a better and more personalized service. They enable us to: recognize you when you return to our site; maintain personal information you have entered (e.g. during completion of a survey); speed up your searches; estimate our audience size and usage pattern; store information about your preferences; and allow us to customize our site according to your individual interests.

Both Second Nature and our third-party vendors, including Google, may use first-party cookies (such as the Google Analytics cookie) to inform, optimize, and serve ads based on your past visits to the Website on sites across the Internet (also known as 'remarketing'). If you would like to opt out of this you can do so via your Google Ads Preferences Manager.

Below is an overview of the types of cookies we and third parties may use to collect information.

Where required by applicable law, we obtain your consent to use cookies.

You may refuse to accept cookies by changing the settings on your device to prevent cookies from being set. However, if you select this setting you may be unable to access certain parts of the System. Unless you have adjusted your browser setting so that it will refuse cookies, our system will issue cookies when you visit the Website and App.

4. How we use your personal information

Second Nature is dedicated to maintaining the privacy and integrity of your personal information. As such, we have policies and procedures and other safeguards to help protect your personal information from improper use and disclosure.

We collect and use your personal information to deliver our contract to you. We may collect and use your personal information, including your special category data, only if you have given us your specific consent.

We may use and disclose your personal information and special category data for our internal operations, which include administration, planning and various activities that assess and improve the quality and cost effectiveness of the service that we deliver to you. Examples are using information about you to improve quality of the service, satisfaction surveys, de-identifying personal information, customer services and internal training. We may use and disclose your personal information to contact you as a reminder to interact with, or complete tasks relating to your use of the System.

We use also automated decision-making to allocate you to a group of users before starting the use of our service.

We follow a Minimum Necessary Access Policy, so any required disclosure of your identifiable personal information is minimized. The following categories describe different ways that we use your personal information within Second Nature and disclose your personal information to persons and entities outside of Second Nature. We have not listed every use or disclosure within the categories below, but all permitted uses and disclosures will fall within one of the following categories. In addition, there are some uses and disclosures that may require your specific authorization.

How much personal information is used or disclosed without your written permission will vary depending, for example, on the intended purpose of the use or disclosure.

National personal information opt-out policy: as part as our contracts with the NHS, we collect, process and disclose confidential patient information. We always make sure that we do so for individual care purposes only; we only use and/or disclose anonymised personal information for research purposes, and we don’t use or disclose confidential patient personal information for planning purposes. As such, we are compliant with the National data opt-out policy.

Except as described above, we will never share your personal information with any other party without your consent.

5. Legal Bases for Processing European Personal Information

If you are located in the European Economic Area or the United Kingdom, we only process your personal information when we have a valid “legal basis”, including when:

6. Where we store your personal information

All personal information you provide to us is stored on secure servers with trusted 3rd party suppliers, Amazon Web Services ('AWS') within the European Economic Area ('EEA'). AWS complies with the GDPR and the UK GDPR, which set out several data protection requirements, which apply when personal information is being processed. AWS are industry leaders in the provision of hosting services and take security very seriously - you can find out more about their security policies and processes in their Security Whitepaper.

We may transfer personal information outside the EEA or the UK to countries deemed adequate by the European Commission; based on Standard Contractual Clauses; to perform the services that you have requested from us, or with your consent.

Unfortunately, despite these measures, the transmission of information via the internet is never completely secure. Although we will do our best to protect your personal information, we cannot guarantee the security of your information transmitted to the System, and any transmission is at your own risk. Once we have received your personal information, we will use strict procedures to try to prevent unauthorized access in accordance with our Company data protection policy and code of practice, and responsibilities as a registered Data Controller in the UK.

7. Your rights regarding your personal information

You have certain rights with respect to your personal information. If we do not agree to a request by you with respect to your personal information, please consult the Second Nature Privacy and Security Officer whose contact information is below.

If you are based in the UK or the European Economic Area and we do not comply with any of the below, you have the right to complain to the ICO or to your local Supervisory Authority, and to a judicial remedy.

Before meeting your request, we may ask you to provide reasonable information to verify your identity. Please note that there are exceptions and limitations to each of these rights, and that while any changes you make will be reflected in active user databases instantly or within a reasonable period of time, we may retain information for backups, archiving, prevention of fraud and abuse, analytics, satisfaction of legal obligations, or where we otherwise reasonably believe that we have a legitimate reason to do so.

8. Personal Information Retention

As per the ICO's 'Principle 5' and the article 5 of GDPR and the UK GDPR, we retain personal information no longer than is necessary for the purpose we obtained it for. With the context that your personal information may be used for research purposes (as covered in section 3), Second Nature will retain any information held on an individual for up to 10 years after that individual has ceased use of the System. At that point, the individual's information will be deleted. As covered in section 5, you may request that we delete your personal information at any time.

9. EU Representative

If you are based in the EU Second Nature Healthy Habits Ltd has appointed DataRep as its Data Protection Representative for the purposes of GDPR, so that you can contact them directly in your home country. DataRep has locations in each of the 27 countries and Norway & Iceland in the European Economic Area (EEA). If you want to raise a question to Second Nature Healthy Habits Ltd, or exercise your rights (explained above) in respect of your personal information, you may do so by:

When mailing enquiries, please mark your letters for “DataRep” and not “Second Nature Healthy Habits Ltd”, otherwise the letter may not reach DataRep. Please refer clearly to Second Nature Healthy Habits Ltd in your correspondence. On receiving your correspondence, we are likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.

If you have any concerns over how DataRep will handle the personal data they will require to undertake their services, please refer to their privacy policy at

9. Children's Privacy

We do not knowingly collect, maintain, or use personal information from children under 13 years of age, and no part of our Service is directed to children. If you learn that a child has provided us with personal information in violation of this Privacy Policy, then you may alert us at

10. Data Security

We make reasonable efforts to protect your information by using physical and electronic safeguards designed to improve the security of the information we maintain. However, as no electronic transmission or storage of information can be entirely secure, we can make no guarantees as to the security or privacy of your information.

Second Nature provides the System to referrals provided through the NHS. As such, we are compliant with the Data Security and Protection Toolkit 2019 / 2020, our organisation code is 8JF17.

11. Concerns or complaints

If you believe that any of your rights with respect to your personal information has been violated by us, our employees or agents, please communicate with the Second Nature Privacy and Security Officer at: for UK users, or DataRep for EU-based users (contact details above)

12. Amending this Policy

We reserve the right to revise this Policy and to make the revised Policy effective for all personal information that we created or received prior to the effective date of the revised Policy. If you are a registered user, we will notify you of changes by the email address we have for you on file.

Questions relating to revisions to this Policy may be addressed to the Privacy and Security Officer whose contact information is above. This Policy will be promptly revised if there is a material change to a policy described herein.

Effective Date: This Policy is effective as of May 19th 2021.