1. Identification of the Controller
IBSA PHARMA LTD., a company domiciled at 4-6 Colonial Business Park, Colonial Way, Watford WD24 4PR, United Kingdom with Company number 03929804 (“IBSA Pharma UK”) is the Controller of your personal data, which is collected and processed in order to provide you the services and content identified in this application (the “Aura App”).
IBSA Pharma UK is committed to the protection of your personal data and this privacy policy is intended to inform you of your rights as a data subject. IBSA Pharma UK processes personal data in Compliance with UK data protection legislation (which includes the Data Protection Act 2018 and the UK retained General Data Protection Regulation 2016/679) and the six principles of the Uk data protection legislation which are (i) Lawfulness, fairness and transparency; (ii) Purpose limitation; (iii) Data minimisation; (iv) Accuracy; (v) Storage limitation; (vi) Integrity and confidentiality. This App is designed with personal data protection principles at its core and is compliant with UK data protection legislation.
This App is not intended or designed for use by minors (under the age of 18 years) and IBSA Pharma UK does not knowingly or intentionally collect personal data of minors under 18 years of age. If you believe a minor has accessed the App and uploaded personal data, please contact us to notify us so we can remove the records and any personal data relating to the minor.
IBSA Pharma UK has appointed a data protection officer (“DPO”), Ellis Chung, in compliance with the Data Protection Act 2018, who is at your disposal for any doubts or queries you may have regarding data protection or in relation to our privacy policy, and whom you may contact via e-mail: [email protected].
For some of the processing activities identified in this Privacy Policy, IBSA Pharma UK acts as a joint-controller with clinics, as set out in section 4 of this Policy.
2. What information will we collect from you?
a) The data you provide directly to us.
We collect personal data about you when you register and create an account in the App, or respond to questions during our onboarding process, complete mood logs in the App, contact us or subscribe to our newsletters or replyto our satisfaction surveys. When you use our services, you may submit personal data including health-related personal data (so called “special category data”) if you provide information relating to your health and any fertility process or other medical treatment you are having. We use your personal data and your health data in order to offer you personalised content and services through the App.
In each of our forms and questionnaires, we will identify the information that is mandatory to fill in, where omission of information may mean it is impossible for us to provide the services requested.
It is essential that you keep your reference data, passwords and access codes safe at all times. You will be solely responsible for the use of your personal account, and in this respect, you undertake to keep your passwords and access codes securely to prevent access by third parties, and to inform us, without delay, of their loss or theft (were it to arise).
In order to ensure that the information provided is always up to date and error-free we rely on you to notify us of any update as soon as possible, by making any change required to your personal data in your profile configuration panel.
Where we collect your personal data for consent-related uses, your consent will be given by your clicking on the “I accept” (or equivalent) button incorporated in the relevant form, indicating that you accept the proposed processing and use of your personal data.
If at any point there are any changes that apply to how your data is collected or used, we will re-obtain your consent and inform you clearly of the changes and implications.
b) Data obtained indirectly through third parties.
We may collect your personal data indirectly, through third parties. The clinic you are receiving treatment from will share your name and basic personal data with us to enable you to create an account on this App (personal data which they have collected from you and obtained your consent to use and share with us).
We do not use cookies on the App that track any personal data or device data or IP addresses. Any cookies used gather only anonymous and aggregated data that is used for statistical purposes. As a result, this privacy notice does not include any cookie policy.
The App may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.
3. How will we use your personal information and what services will we provide you?
IBSA Pharma UK acts as the controller of personal data collected and processed from you for the following purposes:
| Purpose of data collection | Type of personal data collected | Legal basis for collection | Anticipated retention period |
| To verify your identity each time you log in to the App | Your name and email address | Contract | 7 years after last contact or your last Access to your account. |
| To provide support mechanisms and information services related to fertility treatments | Information related to your lifestyle, the medical or health [fertility] treatment you are about to start, DOB and information about other treatments you have undergone in the past (provided via onboarding questionnaire and mood logs) | Contract and explicit consent | |
| To carry out satisfaction surveys, to target and improve our services. | Replies to (optional) survey questions which may include personal data if user provides personal data in free text reply. | Consent | |
| To ensure security of the App and to take steps to prevent fraud or identity theft. | IP address Mobile phone number country code and browser user agent | Legitimate interests | |
| To comply with legal obligations or for the formulation, exercise and defence of claims. | Usually only Name and contact details, although where required for legal claim, may include any personal data taken from your records on our live system including any health or treatment data you have uploaded | Legitimate Interest | |
| To reply to data subject’s rights requests. | Your name and photo identity to verify your identity in the event of a data subject access request; In order to reply fully to a data subject access request, we may access all of your records on our live system including any health or treatment data you have uploaded | Legal obligation | |
| To maintain and support our IT systems (we give access to a third party IT service provider under a written data processing agreement) | Your records on our live system including name, address, any health or treatment data you have uploaded | Legitimate interests |
IBSA Pharma UK acts as a data processor of personal data on behalf of the clinics for the following purposes:
| Purpose of data collection | Type of personal data collected | Legal basis for collection | Anticipated retention period |
| To create an Aura App subscription for a patient in the clinic portal | Patient name, surname, patient ID, and email address. | Consent | Upon termination of contract with Clinic |
| To invite a patient, via email, to activate the Aura App subscription. | Patient name, surname, patient ID, and email address. | Contract | Upon termination of contract with Clinic |
| To update the patient’s subscription status in the clinic portal to identify whether they have subscribed to the Aura App. | Patient name, surname, patient ID | Contract | Upon termination of contract with Clinic |
IBSA Pharma UK acts as a joint-controller of the personal data with the clinics for the following purposes:
| Purpose of data collection | Type of personal data collected | Legal basis for collection | Anticipated retention period |
| To send a list of Aura App users classified as ‘more likely to struggle emotionally” to enable the fertility clinic to provide closer support to those patients. | Identity data (patient name, patient ID); and Categorisation data (“more likely to struggle emotionally”). | Consent (obtained by IBSA Pharma UK); The clinic processes this personal data in accordance with Article 9(h) of the Data Protection Act 2018. | The clinic will not receive specific user responses around their quality of life, emotional wellbeing or any other health or fertility information. |
The joint-controller and data processor relationships with the clinics set out above relate only to the personal data and processing activities mentioned in this section. They are strictly limited to activities carried out within the App. All activities involving the processing of personal data by the clinics outside of the App are exclusively the responsibility of the clinics, and IBSA Pharma UK does not have access to the personal data or clinical notes relating to patients’ treatments, nor does IBSA Pharma UK assume any liability regarding such activities.
In this regard, IBSA Pharma UK will only notify the clinic of users who, based on their initial assessment, have been identified as more likely to struggle during fertility treatment. We will never disclose the answers the users gave to our questionnaires to the clinics; we will only provide them with the names and identities of users based on the overall evaluation of answers.
We may use, analyse, store and transfer anonymised health data for research and analysis. IBSA Pharma UK may transmit information to medical, psychological and social research entities. In this case, the information will be transmitted with prior anonymisation so that no person to whom it refers can be identified, either directly or indirectly. In this instance, the data transmitted to these research entities or universities shall not be considered personal data in accordance with the definition included in the UK Data Protection Act 2018.
4. Change of purpose
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your data for an unrelated purpose, we will notify you and explain the legal basis that allows us to do so.
Please note that we may process your personal data without your knowledge or consent in compliance with the above rules, where this is required or permitted by law.
5. Data transfers and international transfers
Any transfers of personal data that we carry out are necessary for the fulfilment of the above-mentioned purposes:
- Fertility clinics will be notified of users who, based on their initial assessment, have been identified as more likely to struggle emotionally during the fertility treatment (but no specific information beyond the identity will be provided).
In this regard, any transfer will be made considering all the necessary legal safeguards and subject to written terms governing the processing of the personal data (Data processing agreements).
Furthermore, IBSA Pharma UK will ensure that any transfers of personal data to countries outside the UK or other countries not considered adequate under data protection regulations, appropriate safeguards are put in place to ensure that the data can be transferred securely.
IBSA Pharma UK may transmit information to entities dedicated to medical, psychological, and social research. In this case, the information will be transmitted with prior anonymisation, that is, in such a way that no person to whom it refers can be identified, either directly or indirectly. In this case, the data transmitted to these research entities or universities shall not be considered personal data, in accordance with the definition included in the UK Data Protection Act 2018.
6. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed while it is stored with us or while being transferred between us and the clinics or other third parties. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. All personal data is protected from unauthorised access as we have a virtual private network, with access to internal portals password protected by two factor authentication.
Any third parties will only process your personal data on our instructions and they are subject to a duty of confidentiality.
In practice this means that we use AWS in the European Economic Area for all personal data storage. Data Minimisation principles have been followed: IBSA Pharma UK collects data that is adequate, relevant, and limited to what is necessary for our data processing purposes, and we retain it only for as long as needed.
Data transferred between your device (for example your smart phone or computer) and IBSA Pharma UK ‘s systems is encrypted in line with current industry practice and is regularly reviewed using automated vulnerability scans. Penetration testing and hacker checks are carried out regularly by a third party security specialists providing support for our App and services.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
7. Disclosures of your personal data
We will not your personal data with any third parties.
8. Your Legal Rights
You have a number of legal rights in relation to your personal data (set out below), and if you exercise your legal rights we must respond within a month of your request, either to satisfy your request or to explain what steps we have taken and why we have not yet been able to fulfil your request (and notify you of the delay). Your legal rights relating to your personal data include:
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), or where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- If you want us to establish the data’s accuracy.
- Where our use of the data is unlawful but you do not want us to erase it.
- Where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims.
- You have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time to the processing of your personal data and health data where we are relying on consent to be able to process is. Note: However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
You can exercise your rights at any time and for free by sending an e-mail to [email protected] indicating the right you wish to exercise and providing some personal identification to enable us to comply with your request.
If you have any complaints or questions, we would be grateful if you could contact us at [email protected]. You should also be aware that you have the right to make a complaint about the processing of your data at any time to the UK Data Protection Authority, the Information Commissioner’s Office, which can be reached at www.ico.org.uk.
9. Retention periods
We will keep your data on our live database for the duration of your subscription with us unless you request its deletion from our records. On termination of the subscription or on request of deletion, we Will remove your personal data from our live databases. However, we Will continue to retain your personal data for legal reasons for a further seven years on our archived database for reference in the event of legal claims or other legal obligations.
Please note that when your data is archived, it is minimised as much as possible, including deleting any unnecessary personal data records.
10. Security and confidentiality
To prevent unauthorised access or disclosure of personal data, we have implemented appropriate technical and physical measures and management processes to safeguard and secure the information we collect from you.
11. Minors
The services provided by IBSA Pharma UK and, consequently, the use of the App is not directed at persons under 18. To the extent that IBSA Pharma UK cannot control whether users are minors, we shall not accept any liability.
12. Update of the privacy policy
We do our best to keep our privacy policy fully updated. If we make changes, they will be identifiable (for example, we may communicate changes to you by email).
This privacy policy has been updated and published as of 24/03/2025.