Ground Me: Privacy Policy

Ground Me Privacy Policy

Data Controller: Ground Me Limited

Address: Flat 33, New Malden House, 1 Blagdon Road, New Malden, London

Last updated: June 5, 2025

1.Introduction

Welcome to Ground Me. This Privacy Policy explains how Ground Me Limited ("we," "us," or "our") collects, uses, shares, and protects your personal data when you use our app and website. It also describes your rights and how you can exercise them.

2.What Data We Collect and Why

We collect various categories of personal data when you interact with our app and website. Below is a breakdown of each type, why we collect it, and the legal basis for processing under the UK GDPR.

Data Category	Details Collected	Purpose	Legal Basis
Dissociation Test Scores (DSS‑B)	Your responses and resulting scores after completing the DSS‑B dissociation assessment.	To provide dissociation insights and tailor grounding exercises based on your score.	Performance of a contract
Grounding Exercise Details	Types of exercises you complete (e.g., breathing, sensory), frequency, and completion timestamps.	To track progress, personalise recommendations, and ensure core app functionality.	Performance of a contract
Symptom Tracker Responses	Tick‑box answers to symptom questions (e.g., anxiety, detachment).	To monitor symptom patterns over time and offer relevant grounding content.	Performance of a contract
Reminder Settings	Your chosen days, times, and notification preferences for reminders.	To send timely prompts that support your grounding practice.	Performance of a contract
General Usage Data	Aggregate feature usage metrics (e.g., time of day you use features, session lengths)	To maintain and optimise core features; to perform anonymised analysis for product improvement and stability.	Performance of a contract;Legitimate interests (analytics, product improvement)
Crash and Error Reports	Technical logs, error messages, and diagnostic metadata generated when the app fails or crashes.	To identify and resolve bugs, ensure smooth operation, and improve reliability.	Legitimate interests (app stability and security)
Regional Location	Your city (based on IP) or device time zone.	To schedule reminders at appropriate local times and ensure correct time‑zone functionality.	Performance of a contract
Optional Demographic Information	Age range (dropdown) and, if provided, additional details (e.g., profession).	Age: to confirm appropriateness of the DSS‑B scale; Other demographics: to understand our user base and inform improvements.	Age: Performance of a contract;Other demographics: Legitimate interests (service enhancement)
Newsletter & Research Sharing	Your email address for newsletter delivery and your explicit consent for sharing anonymised data for research.	Newsletters: to send you updates, tips, and relevant content; Research: to contribute anonymised data to scientific studies.	Consent (you may withdraw at any time)

Cookies and Website Tracking

When you visit our website, we use cookies and similar tracking tools to understand and improve site performance. Specifically, we use Google Analytics (and potentially other analytics providers) to collect aggregate information about website visits and user interactions. We only deploy analytics and performance cookies after obtaining your explicit consent. These help us analyse site traffic, identify trends, and optimise the web experience.

You may review, amend, or withdraw any optional consents at any time in the app’s settings or by contacting us (see Section 6).

3.How We Use Your Data

We process your personal data for the following purposes, on the legal grounds stated:

Purpose	Details	Legal Basis
Deliver app and website features	Enabling core functionality (e.g., assessments, exercises, reminders).	Performance of a contract
Track symptoms and grounding progress	Analysing DSS‑B scores, exercise details, and symptom responses over time.	Performance of a contract
Send personalised reminders and content	Using your reminder settings and usage patterns to provide timely notifications.	Performance of a contract
Improve our product through anonymised analysis	Aggregating and analysing usage data and crash reports for feature optimisation.	Legitimate interests (product improvement, analytics)
Send newsletter updates	Emailing tips, news, and promotional content when you’ve opted in.	Consent
Contribute to anonymised academic research	Sharing fully anonymised datasets with researchers if you’ve consented.	Consent

4.Sharing Your Data

We do not sell your personal data. We only share it in the following limited circumstances:

Trusted Service Providers: We work with carefully selected third‑party vendors who support our app and website operations (e.g., hosting providers, email delivery services, analytics platforms such as Google Analytics). These providers are bound by confidentiality obligations and may only process data as instructed by us.
Legal Obligations: We may disclose personal data to comply with applicable laws, regulations, legal processes, or enforceable governmental requests (e.g., court orders, subpoenas). We will object to overbroad or inappropriate requests where lawful and possible.
Academic Researchers: With your explicit consent, we may share fully anonymised and aggregated data with reputable research institutions for scientific studies aimed at improving our understanding of dissociation and mental health interventions. Any such data will be stripped of direct identifiers and assessed to prevent re‑identification.
Business Transfers: In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of the transaction, provided the receiving entity agrees to uphold this Privacy Policy or a substantially similar standard of data protection.

We require all recipients to handle your data securely and only for the purposes we have specified. If you withdraw consent for any optional sharing (e.g., research), we will stop processing your data for that purpose as soon as administratively feasible.

5.Security and Storage

We take the security of your personal data seriously and implement a range of technical and organisational measures to protect it, including:

Data Hosting: All data is stored on secure, GDPR-compliant servers hosted in the United States under the service provider’s standard contractual terms. These terms include robust privacy and security commitments to protect your information.
Encryption: Personal data is encrypted both at rest and in transit using industry-standard encryption protocols (e.g., AES-256, TLS 1.2+).
Access Controls: Access to your data is restricted to authorised Ground Me staff and vetted service providers. Role-based access permissions and multi-factor authentication help prevent unauthorised access.
Regular Audits & Testing: We conduct periodic security audits and vulnerability scans to identify and remediate potential risks.
Incident Response: In the unlikely event of a data breach, we have an incident response plan in place to contain, investigate, and notify users and relevant supervisory authorities within 72 hours, where required by law.

We continuously review and update our security practices to adapt to evolving threats and maintain compliance with applicable data protection regulations.

6.Your Rights

Under the UK GDPR, you have the following rights regarding your personal data:

Right of Access: You can request a copy of the personal data we hold about you.
Right to Rectification: You may ask us to correct any inaccurate or incomplete data.
Right to Erasure (Right to be Forgotten): You can request deletion of your personal data where there is no compelling reason to continue processing.
Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability: You can ask for a machine-readable copy of the data you have provided to us and transfer it to another controller.
Right to Object: You may object to processing based on legitimate interests, including profiling, unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent: Where we rely on consent (e.g., newsletters, academic research), you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at contact@groundme.app. If you are dissatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at https://ico.org.uk.

For United Kingdom Residents (UK GDPR)

You have the rights set out above under ‘Under the UK GDPR’, enforced by the UK Information Commissioner’s Office (ICO). You may lodge a complaint at https://ico.org.uk.

For European Union Residents (EU GDPR)

If you are an EU resident, you have rights very similar to (and in some cases identical to) those under UK GDPR, including the right to access, rectify, erase, restrict, port, object, and withdraw consent. You may lodge a complaint with your local EU supervisory authority.

For United States Residents

We adopt the following rights for U.S. residents under applicable state privacy laws:

California Residents (CCPA/CPRA): As described above, you have the rights to know, delete, opt-out of sale or sharing, and non‑discrimination. To submit a verifiable request, contact us at contact@groundme.app.
Other U.S. State Laws: Residents of other states (e.g., Virginia CDPA, Colorado CPA, Connecticut DPA) may have additional rights such as access, correction, deletion, data portability, and the right to opt-out of targeted advertising. To exercise any applicable rights, please contact us at contact@groundme.app.

For Canadian Residents

Under PIPEDA, you can access and correct personal information we hold about you, withdraw consent, and complain to the Office of the Privacy Commissioner of Canada (OPC).

For Australian Residents (Privacy Act)

Australian residents have the right to access and correct personal information we hold about you. You may complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have mishandled your personal data.

For Turkish Residents (KVKK)

Under Turkey’s Law on the Protection of Personal Data (KVKK), you have the right to: be informed, access, rectify, erase or anonymise personal data, object to processing, and lodge a complaint with the Personal Data Protection Authority (KDPA).

7.Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy or as required by law. Approximate retention periods are as follows:

Account & Profile Data (DSS‑B scores, exercise details, tracker responses, reminder settings, usage data, regional location): Retained for the duration of your active account plus 30 days after account deletion.
Crash & Error Reports: Retained for 12 months to allow for trend analysis and resolution of underlying issues.
Optional Demographic Data: Retained until you withdraw consent or request deletion, plus 30 days to ensure complete removal.
Newsletter & Research Consents: Consent records are kept for as long as necessary to demonstrate compliance; anonymised research data (once stripped of identifiers) may be retained indefinitely for academic purposes.
Cookies & Tracking Data: Retained according to your cookie preference settings or until you withdraw consent; most analytics cookies expire after 13 months.

After these periods, data is either securely deleted or anonymised so that it can no longer be associated with you.

8.International Transfers

We store and process your personal data on servers located in the United States. We rely on our service providers’ standard contractual terms, which include robust privacy and security commitments, to ensure adequate protection for any cross-border transfers.

If we engage additional providers or transfer data to new jurisdictions in the future, we will implement appropriate safeguards (e.g., contractual clauses) and update this policy accordingly.

9.Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable laws, or new features. When we make material changes, we will:

Update the “Last updated” date at the top of this policy.
Notify you via in-app notifications or email, at least 30 days before changes take effect.

Your continued use of our app or website following notification constitutes acceptance of those changes.

10.Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Ground Me LimitedFlat 33, New Malden House, 1 Blagdon Road, New Malden, LondonEmail: contact@groundme.app

For privacy complaints, UK residents may also contact the UK Information Commissioner’s Office at https://ico.org.uk, EU residents their local supervisory authority, or Turkish residents the KDPA.