Privacy Policy COMPASS Pathwaves

About COMPASS Pathways and COMPASS PathWaves

This privacy policy (“policy”) tells you what to expect when COMPASS Pathways, Ltd. and its affiliates (“COMPASS”, “our”, “we” or “us”) collect and handle your personal data through COMPASS PathWaves (the “app”), and how the data may be used. The main purpose for recording audio is to capture interactions, speech utterances and conversations between two or more parties. Individuals who are authorized to use the app (“users”) will be able to upload audio recordings easily and automatically to a secure cloud environment, subject to device internet connectivity. If there is no internet connectivity, audio recordings will be saved on the device locally and are inaccessible to any party until uploaded to the cloud environment.

In cases where COMPASS is processing the data, COMPASS will be the data controller under applicable privacy laws. In cases where COMPASS has a service agreement and a data processing agreement with a third-party customer that uses our services, the relationship between both parties will be pre-defined and abided by accordingly. Our registered address is 3rd floor, 1 Ashley Road, Altrincham, Cheshire, WA14 2DT, United Kingdom. You can find out more about COMPASS and our corporate privacy policy here along with our contact details.

What data is collected through the app?

Data input from user. This information may include, but is not limited to:

What do we do with the data we have captured and why?

Data input from the user is required for the user to be able to create a recording, and to access audio files that they have recorded. There may be other data collected through app analytics which might be used to assess how users interact with the app and will help inform app improvements in the future. In cases where other parties require the audio file data, the data collected through the app will be used to map this to the correct party.

How do we store the information and who will have access?

Any recorded and input data through the app will be stored securely by COMPASS in accordance with applicable Data Protection laws. Access to data collected through the app will be restricted, with data being shared only with select COMPASS personnel. Reasonable steps to safeguard personal privacy will be taken through pseudonymization and by encrypting data.

Data sharing

The data we collect will only be shared where there is a contractual agreement, lawful basis, or requirement to do so.

Your rights in relation to the processing

Your rights may be different depending on the country in which you reside. COMPASS Pathways complies with the UK and EU GDPR and the UK Data Protection Act 2018.

For this processing the following rights apply:

Some rights are limited depending on how you use the app and in what context. For example, we will not be able to honour the right to deletion where we have a legal requirement to keep a record.

If you wish to exercise your rights, please email privacy@compasspathways.com.

If you do not feel we have appropriately honoured your rights, and you are a UK Citizen, you have the right to complain to the UK Information Commissioner. You can find out how to do this here https://ico.org.uk/make-a-complaint/

For European Citizens, you can complain to the regulatory authority in your country. There is a register here.

COMPASS also has a European Representative, as required by the EU GDPR. You can contact them at datarequest@datarep.com or via their online form here - https://www.datarep.com/data-request/. Please ensure you use ‘COMPASS Pathways’ in the subject line.

Transfers of data

Our main location for the storage and use of your data will be in the United Kingdom.

UK/EU countries – data may be accessed by individuals working for COMPASS outside the UK and EU.

Non-UK/EU countries – data may be collected in the country in which you practice use of the app and will be stored in the United Kingdom.

Sub-contractors

COMPASS Pathways uses a variety of subcontractors, who mainly host the data for us. Personal data is always protected under an appropriate contract, and these subcontractors cannot share your personal data with other parties without our express and written permission. Where there is a transfer of data to these organizations based outside the UK and EEA, providers will have the appropriate contractual clauses and safeguards in place.