Privacy Policy (APP)
This Notice applies to all visitors, data subjects, and others who access our Apps and Services ("User(s)" or “You/r”). Embers the Dragon Limited (“Embers the Dragon”, “Embers”, “We”, “Us”, or “Our”) operates the website embersthedragon.co.uk, the Embers the Dragon App (“Embers App” or “App”) and the App’s Content Management System (“CMS”).
​
You may use our App or CMS to access one or more of our services and offerings (collectively the "Service(s)" or “Embers Service”).
​
- Questionnaires about yourself, your experiences and confidence with parenting, your child’s behaviours and emotions and your hopes, needs and aspirations from using the app.
- Story-based animations
- Explanatory videos
- Courses including worksheets, off-screen games, reward systems and other resources
- Lesson plans and other classroom resources for teachers
- Blogs
- A personalised Positive Behaviour Plan for each child user
- Services purchased from our website and webpages.
- Reporting functionality for subscribers
- The EMERGENT clinical study
We may also provide these and additional services on behalf of your Institution (“Institutional Services”). An Institution could be an enterprise, school, university, hospital, General Practice or other healthcare provider, local authority, research institution and other public or private organisations. Institutional Services may involve processing information on behalf of the Institution. Where applicable, you must agree to the Terms of Services and Privacy Policies of both Embers and your Institution in order to proceed with using the Institutional Service.
​
This page informs you of our policies regarding the collection, use, and disclosure of your personal information when you use our App and service. This Privacy Notice aims to fulfil our obligation towards your Right to be Informed. We will not use or share your data with anyone except as described in this Privacy Notice. We align our data protection practices to the key principles prescribed by the UK General Data Protection Regulation (UK GDPR) and other Data Protection Laws (as defined below).
By using our Apps and services, you agree to the use of information as per this privacy notice and cookie policy. Unless otherwise stated, the terms used in this Privacy Notice have the same meanings as in our Terms of Service.
Where not specifically called out, use of uppercase / lowercase and bold / not bold would carry the same meaning in this document.
Updates
​
We may amend this privacy notice from time to time to keep it up to date. We will notify you via our policy webpage when we make any changes to the Privacy Policy. Please regularly check these pages for the latest version of this notice.
Initial Effective Date: April 25, 2024
Do Note:
- This App is designed to be used by children of any age; however, access to the App is controlled by the parent / adult who has the registered account and is aged 16 years or over. All children access it under the supervision of an adult who creates the primary account and sets up the child profile(s). Embers the Dragon Ltd does not take responsibility for any misrepresentation of age of an account creator.
- We ask for the fewest personal identifiers or sensitive data needed for the service.
- Embers the Dragon emotional well-being services do not replace other types of support and treatment that may be required. They are meant to empower and support families and children, and not to treat any illness or health condition.
- The intended use for providing evidence-based tools and techniques is to manage emotions and encourage mental well-being in a self-help and self-monitoring context.
- The App is not intended to provide a diagnosis, prognosis, treatment or cure of a condition or disease.
- The App will not offer medical or clinical advice nor suggest that you seek medical help. The Embers App is designed to offer general mental health advice and support only.
- Your data is stored in databases maintained by us and third parties located in the UK or the EEU.
​
Definitions
​
Anonymisation is the process of removing personal identifiers from data sets so that the person can no longer be identified from the information in their record.
Cookie is a small amount of data stored on your device (computer or mobile device).
Content Management System (CMS) is a web-based, secure database of information from the App, including user data, questionnaire responses, and game and web usage information. Secure, controlled access is given to named individuals, including role-based access for users at London Southbank University responsible for the EMERGENT study.
​
Data or Information under this Privacy Policy means both personal and non-personal data or information.
Data Controller or Controller has meaning as defined in applicable data protection laws. It is a natural or legal body which, alone or jointly with others, determines the purposes of the processing of personal data.
​
Data Processor or Processor or Service Providers or Business Associate has meaning as defined in applicable data protection laws. It is a natural or legal body which processes personal data on behalf of the data controller.
​
Data Protection Laws here means in accordance with but not limited to requirements of the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018 (UK DPA), and any other applicable Legal and Statutory requirements.
Data Subject (or User/You) means any living individual who is using our service and is the subject of Personal Data.
Encryption is the process of transforming data into unreadable text so that it is only legible to those possessing an encryption key.
​
Personal data or Personal Information has meaning as defined in applicable data protection laws. It is data about a living person who can or could be identified from the data and/or other information either in our possession or likely to come into our possession.
Processing means any operation or set of operations which is performed on personal data or on sets of personal data and as defined in applicable data protection laws.
Pseudonymisation means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific user without the use of additional information.
Non-Personal data or Non-Personal Information means any data that is made anonymous and does not reveal user specific identity.
Sub-Processor/s is a data processor who is sub-contracted some of the personal data processing.
Special Category data or Sensitive data has meaning as defined in applicable data protection laws. It includes personal data revealing or concerning racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health, sex-life or a person's sexual orientation.
Who are we?
​
Embers the Dragon Ltd. is a private limited company having its registered offices in the UK. We are registered with the UK ICO. Our data protection registration number is ZA777493. Where we decide the purposes of our services and personal data processing, Embers will be the Controller. For all services and data processing done at the direction of and on behalf of a Controller or a Processor, Embers would either be a Processor or a Sub-Processor.
What personal data do we process and how do we use it?
​
We only use your personal data for the purposes for which we collected it. We will only use it for another reason if that reason is compatible with the original purpose. We may process your personal data under more than one lawful basis depending on the specific purpose for which we are using your data. We may process your personal data without your knowledge and consent, where this is required or permitted by law.
​
The table lists the data processing that we perform when you use the Embers the Dragon App, the App’s CMS or the Embers the Dragon website.
​
You may voluntarily register to participate in the EMERGENT research study, which is a real-world study of the effectiveness of the Embers products, run by the London Southbank University (LSBU). The study’s full name is ‘Evaluating eMbers: Digitally suppoRting childrEns meNTal health’. LSBU provide the study-related information about participating and will have asked for your informed consent. If you do consent and enter the study, you will be directed to the Embers App and will be provided with a unique access code to enable you to create an account. The table below also includes the data processing we perform in relation to your participation in this study.
​
​
In addition, when you use the Embers App as part of the EMERGENT study, we process the following personal information:
At the end of the study period all users will be automatically considered as regular (non-study) users of our App until the end of the school year in which they were enrolled.
​
Your data provided during the study will always be kept secure. Read more about our organisational and technical security safeguards under ‘How do we secure your data’ below. Processing of your data in the EMERGENT study, once it has been shared back to the team at London Southbank University, is described in the information provided by LSBU to you as study participants at the time of recruitment into the study.
​
Do we use passive sensing or location data?
​
The App only processes the data from the gyroscope within your mobile device in order to respond correctly to the orientation of your screen. The App does not process any data from your mobile device sensors such as ambient light readings, screen on/off readings and call logs. The App does not process your geolocation at a level that makes your data identifiable.
​
How do we share your data with third parties?
​
To provide you with our services, we use a small number of third-party service providers to help store and process your data. We use the following third-party service providers.
​
Cloud Service Provider
To provide the service, we collect, transfer and store your data in secure servers provided by our authorized cloud service provider, Amazon Web Services.
Other Service Providers
We use third-party service providers authorized by Embers the Dragon Ltd to provide our services. Our service providers include:
​
- Firebase: used to enable the push notifications / reminders by email.
- Amazon Web Services: we use the following AWS services to help us store and process the data for the CMS: Relational Database Service, Elastic Container Registry, Elastic Container Service, S3 storage, Application Load Balancer, and ElastiCache for flexible data processing.
Processing of any of your personal data as per our Legitimate Interests
​
We may be required to process your personal data in our legitimate interests. We will always weigh your rights and freedom before we process any such requests for purposes of legitimate interest. This processing includes:
​
- For enforcing our policies or contractual obligations with your Institution;
- For uses and disclosures required by law;
- For disclosures for judicial and administrative proceedings such as court order or subpoena;
- For disclosures for law enforcement purposes or national security requests;
- For disclosure and assistance with an investigation or prosecution of suspected or actual illegal activity;
- For disclosure and use of a litigation hold, to freeze specific data relating to imminent, pending or current legal action, thereby preventing potential evidence alteration or deletion;
- For uses and disclosures for public health reporting purposes;
- For uses and disclosures to prevent serious threat to health or safety;
- For uses and disclosures for minimal research and analytics purposes to study how users use our products and services;
- For any service communications relating to your use of App and services;
- To prevent, detect and repair problems related to the security and the operations of the App;
- For uses and disclosures to prevent fraudulent use of or abuse of the service;
- For uses and disclosures to take adequate security and privacy safeguards;
- For uses and disclosures to ensure App and service availability, accessibility and quality;
- For uses and disclosures to protect your data protection rights;
- For uses and disclosures to protect your, our and others' data protection rights, property and safety;
- To use anonymized, non-identifiable, non-confidential user data for benchmarking and marketing;
- To develop new services, technologies and products;
- To respond to your enquiries and requests.
​
In the future, if we are involved in any merger, acquisition, sale of assets, business reorganization or bankruptcy, we may transfer or otherwise share some or all of our assets, which may include your data. We will take reasonable steps to inform you about this using the following modes.
​
- Public notice on our website and/or
- Inform your Institution and/or
- Where applicable, send in-app notification and/or
- Changes to this privacy policy and in-app notice.
​
You can always email us at compliance@embersthedragon.co.uk to exercise your data protection rights.
However, in such an event of sale or transfer, we shall reasonably ensure that your data with us is stored and used by the transferee in a manner that is consistent with this Privacy Policy and applicable Data Protection Laws. Any such third-party to whom we transfer shall have the right to continue to use the data that you provide us immediately prior to such transfer or sale. On completion of the sale or transfer, the Privacy Policy of the third-party shall apply with respect to your data.
How do we handle your App password and PIN?
​
For your privacy and security, you are required to set an account password and also your own App PIN to protect against unauthorized access to the parent space of the App, for example by a child playing on the App in the child space. The PIN that you use is personal to you, and you are responsible for maintaining the confidentiality and security of your PIN. Please keep your PIN safe and do not share it with anyone. The Password and PIN you set are encrypted using AES 256-bit encryption and stored under a hash algorithm in the CMS.
​
What data do we process after taking your Consent?
​
We take your consent to perform the following processing:
How do we handle user incidents and requests?
​
There may be occasions where you wish to contact us to seek support or make inquiries. If you contact us directly over email, we will collect minimal personal information to service your request. Your communication data is securely stored in our Google Workspace account, with access limited to authorized users. We have signed agreements with Google Workspace. We will only use your data to investigate the issue or request raised. Your email will be retained within our system for a maximum of 10 years since the last correspondence. We will not spam you or contact you for any direct marketing. We will not share your personal data with, or sell it to, any third party.
Your issues or complaints or requests about the App and services are taken very seriously. You will need to send an email request to support@embersthedragon.co.uk. We will respond to your complaints within 3 business days. Some of your complaints may take longer to resolve. We will continuously provide you with an update until your complaints are satisfactorily resolved.
How do we handle your data when used for customer research and analytics purposes?
​
We use minimal and only the required data for research purposes including aggregated and / or anonymous data for any publications, to explore new technologies or to build new features or products. This helps us to improve our product and services and contribute to emotional wellbeing and parenting support best practices globally.
​
You can always write to us at compliance@embersthedragon.co.uk to restrict processing and opt-out of your data for research purposes.
Your use of third-party weblinks
​
The App may carry links to third-party websites and resources. When you click on those links, you may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. We encourage you to read the privacy policy and Terms of use of every external link you visit.
​
What additional processing is performed?
​
We do not combine and process your personal data with any other third-party available data. Your data, messages and usage are not used for direct marketing, nor are they sold to advertisers.
We will update this Privacy Policy and inform you if we perform any additional processing.
​
How do we secure your data?
​
The security of your data is very important to us, and we work hard to secure it. We have implemented adequate technical and organizational safeguards to protect your data. Some of the steps we have taken to secure your data include:
​
Privacy by Design and Default
​
- You can remove your data from the App at any time using the Settings menu (Delete Account option). However, your data will also be held within the CMS. To request deletion of data held in the CMS, contact compliance@embersthedragon.co.uk.
- We adhere to the 7 key principles set out by GDPR.
- We perform Data Protection Impact Assessment (DPIA) for personal data processing.
Security by Design
​
- We use TLS and SSL encryption during transfer and AES-256 protocol at rest.
- Our systems are secured with role-based access, strong passwords and two-step verification.
- Only certified App developers access the hosting services for the App.
- We review and maintain data processing agreements with our service providers.
- We provide regular awareness and training to our staff.
- We apply an active, risk-based approach to our Apps and Infrastructure.
- We conduct regular checks to ensure compliance to our policies.
Certifications and Registrations
​
- Embers the Dragon Ltd is registered with the UK Information Commissioner’s Office.
- Embers mobile App is registered with UK MHRA as a CE Class I medical device.
No method of electronic transmission or method of data storage is perfect or impenetrable. While we try our best to implement controls to protect your personal data, we cannot guarantee its absolute security.
​
How long do we retain your data including personal data?
​
We may retain one copy of your data even after your subscription or access to the app ends or an Institution contract ends if it is reasonably necessary. This could be in any of the following situations:
- to comply with applicable legal and statutory requirements;
- at the request of a returning subscriber;
- to respond to your requests;
- based on contractual obligations with your Institution;
- in our backup for a time-bound period;
- to fulfil processing that is in our legitimate interest.
​
Where not specified we retain your contact data from the website for a maximum of a year after last contact and data in the App / CMS for a maximum of 10 years since the last update and as per our internal information retention policies.
​
International transfer of personal data outside of the country you reside in or are currently located
​
You understand and agree that we may transfer, store and process your submitted data to a third-party processor within the UK or the European Economic Area (EEA) or beyond. Third party processors are listed earlier in this document.
​
What are your data protection rights?
​
You have certain rights under the Data Protection Laws in relation to your Personal data. To exercise any of your rights, you will need to send an email request to compliance@embersthedragon.co.uk. Please note that we may need to verify you before responding to any requests. After verifying you and examining your request, we will respond to you on the action taken within one calendar month from verification. Complex requests may take longer. We may at times be unable to address your request, if we are unable to correctly identify you.
Your individual rights requests may also be limited, where:
- denial of access is required or authorized by law;
- grant of access would have a negative impact on others' privacy;
- required to protect your, our or others’ rights, property or safety;
- data protection laws limit the rights available to you, dependent on the legal provision we rely on for the processing;
- the request is unjustified or excessive.
​
Right to be informed
This privacy policy explains and informs you about how we handle your data when you use our apps and services.
​
Right of access
​
You have the right to exercise a data access request to know what personal data we hold about you.
If you exercise your right to delete and reset your data, you will lose the right to access your data as it will be permanently deleted in our system.
​
You can write to us at compliance@embersthedragon.co.uk for any clarifications or make subject access requests. On receipt, we will review your request, make reasonable efforts to find and retrieve the requested information and aim to respond to you within one month of your request.
As stated earlier, we may at times be unable to address your request, if we are unable to correctly identify you or are limited due to one of the reasons mentioned earlier or any of the exemptions set out by the data protection laws.
​
Right to rectification
​
If your personal data is inaccurate or incomplete, you can write to us to request we correct or complete it. If we share your personal data with third parties, we will inform them about the correction where possible.
​
Right to restrict processing
​
You can write to us to request us to restrict processing of your personal data, where you contest the accuracy of the data or object to our processing it. If we share your personal data with third parties, we will inform them about the restrictions where possible.
​
Right to object
​
You may write to us and object to the processing of your personal data where we apply our legitimate interest. We may stop unless we can demonstrate compelling legitimate grounds for the processing.
Right to data portability
​
You have the right, in certain circumstances, to receive the personal data that you have provided to us in a structured, commonly used and machine-readable format. Where such a request is made, we shall, unless there is an exemption, provide the data to you if the legal basis for the processing of the personal data is consent or to perform a contract with you, and if our processing of that data is automated.
​
Right to Erasure
​
When you use the service, you have the option to delete your data within the App settings. Delete account, remove data deletes all your submitted data held on the app, including your identifiers, reminders, assessment responses and enabled settings. After a delete, you will not be able to recover your past data and you will be considered as a new user of the App. Hence, this feature is to be used at your discretion.
​
However your data will also be held within the CMS. To request deletion of data held in the CMS contact compliance@embersthedragon.co.uk
​
You can also contact us at any time at compliance@embersthedragon.co.uk to request us to delete all of your data, including across the App, CMS and Website.
Right in relation to automated decision-making and profiling
​
You have the right to be free from decisions based solely on automated processing of your personal data, including profiling, which may have a significant effect on your rights and freedom, unless such profiling is necessary for entering into, or the performance of our Agreement or with your explicit consent. You have a right to ask us to stop any automated decision making. We do not intentionally carry out such activities, but if you do have any questions or concerns, we would be happy to discuss them with you. You can contact us at compliance@embersthedragon.co.uk
​
Other important information
​
Withdraw Consent
​
To the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing of your data before we received notice that you wished to withdraw your consent.
​
Breach notification
​
If the data breach is likely to result in a high risk of adversely affecting your rights and freedom, we will notify you as required by Data Protection Laws.
​
Concerns and Complaints
​
If you have any concerns or grievances about this Privacy Policy you will need to send an email to compliance@embersthedragon.co.uk. We will respond to you within 36 hours and help resolve your concerns or complaints. We will aim for a time-bound resolution not exceeding one month from the date of your complaint.
​
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO). You can do this by contacting them on their helpline on 0303 123 1113 or by visiting their website at https://ico.org.uk.
​
Children as users of the Embers App
​
The animated films and online games included in the App are for use by children of any age, but specifically designed for ages 3-7 years.
​
The App is designed so that use by children remains under the control and supervision of the adult account holder. The account holder sets up both a password and PIN which protect the parent space of the website in which all personally identifiable data is entered and edited. The child profile(s) are created by the adult account holder, who can create a ‘child space’ for their child within the App. Navigation controls and the required use of the PIN to return to the adult space ensure that child users can only see the animated stories and games appropriate to their age.
Embers does not take responsibility for any misrepresentation of age and use.
​
How to contact for additional questions, comments or concerns?
​
For any product, services, subscription, technical or payment-related issues, please contact us via our website, including your Google or Apple email ID.
​
Our mail address for all communication is:
​
Unit 24, St Olav’s Court
Lower Road
London, SE16 2XB
England
​
Can Non-English speaking users use the Embers App?
​
The app has been built and is currently provided only for English language users, however our ambition is to expand the programme to provide access in other languages. We will keep you updated on this development.
​
What are some Best Practices to follow to keep your devices secure?
​
You are also responsible for helping to protect the security of your personal data. You are responsible for maintaining the security of any personal computing device on which you utilize the Services.
The NCSC GOV.UK provides guidance on how You can improve Your online security. The ICO provides practical advice for protecting Your personal data online and when using computers and other devices.
These can be found at the links below.
​
Changes to this Privacy Policy
​
We may modify our Privacy Policy from time to time for various reasons, including to improve our privacy practices, to ensure our users' right to be informed, to reflect changes to our service, and to comply with relevant laws. If and when this policy is changed, we will post the new notice on our Website and the App and notify you through an in-app notification or as otherwise required by relevant law. It is your responsibility to check our Website and our App periodically for updates or changes to the policy. We encourage you to review changes carefully. If the changes to the Privacy Policy include changes to the collection, storing or processing of your personal information in a way that infringes on your privacy, we will notify you clearly about the same where required by the applicable laws and regulations. If you agree to the changes, then please continue to use our service. If you, however, do not agree to any of the changes and you no longer wish to use our service, you may choose to unsubscribe or uninstall our App. Continuing to use our App and services after a notice of change has been communicated to you or published constitutes your acceptance of changes and consent to the modified Privacy Policy.
Severability and Exclusion
​
We have taken every effort to ensure that this Privacy Policy adheres to the applicable Data Protection Laws. The invalidity or unenforceability of any part of this Privacy Policy shall not prejudice or affect the validity or enforceability of the remainder of this Privacy Policy. This Privacy Policy does not apply to any data other than the data collected by Embers while providing the services.