Ground Me: Privacy Policy

Ground Me Privacy Policy

Data Controller: Ground Me Limited

Address: Flat 33, New Malden House, 1 Blagdon Road, New Malden, London

Last updated: July 3, 2025

1.Introduction

Welcome to Ground Me. This Privacy Policy explains how Ground Me Limited ("we," "us," or "our") collects, uses, shares, and protects your personal data when you use our app and website. It also describes your rights and how you can exercise them.

2.What Data We Collect and Why

We collect data necessary for core app functions and optional data only with your consent:

Assessment & Activity Data: Your DSS‑B test responses and scores, grounding exercise types/frequency, symptom tracker answers, reminder settings, regional location (city or time zone), and basic profile details (e.g., age range). This information ensures personalised assessments, progress tracking, and timely notifications.
Usage & Diagnostics: Aggregate usage metrics (feature use, session times) and crash/error reports. These help maintain, optimise, and secure the app through anonymised analysis and bug fixes.
Optional Demographics, Newsletter & Research: If you choose, you may provide additional demographic details, sign up for our newsletter, or consent to share anonymised data for research. We use demographics to understand our user base; newsletters to send updates; research consents to advance mental health science.
Cookies & Tracking: With your consent, our website uses cookies and tools like Google Analytics to analyse traffic and improve your browsing experience.

You can manage or withdraw optional consents at any time via app settings or by contacting us (see Section 6).

3.How We Use Your Data

We use your personal data to provide and improve our services, based on the legal grounds set out under the Data Protection Act 2018 or other applicable laws:

- Deliver App and Website Features

We process your DSS‑B scores, exercise details, symptom responses, reminder settings, regional location, and basic profile information to enable core functionality such as personalised assessments, grounding exercises, and notifications. Legal basis: Performance of a contract.

- Track Symptoms and Grounding Progress

We analyse your dissociation assessment results, exercise activity, and symptom tracker responses over time to monitor progress and adapt content to your needs. Legal basis: Performance of a contract.

- Send Personalised Reminders and Content

Using your reminder preferences and usage patterns, we deliver timely prompts and relevant in‑app messages or emails to support your grounding practice. Legal basis: Performance of a contract.

- Improve Our Product through Anonymised Analysis

We aggregate and anonymise usage data (including feature interactions, session metrics, and crash reports) to identify trends, optimise performance, and inform future enhancements. Legal basis: Legitimate interests (product improvement and analytics).

- Send Newsletter Updates

If you have opted in, we will email you educational content, news, and promotional material related to Ground Me. Legal basis: Consent (you may withdraw consent at any time).

4.Sharing Your Data

We do not sell your personal data. We only share it in the following limited circumstances:

Trusted Service Providers: We work with carefully selected third‑party vendors who support our app and website operations (e.g., hosting providers, email delivery services, analytics platforms such as Google Analytics). These providers are bound by confidentiality obligations and may only process data as instructed by us.
Legal Obligations: We may disclose personal data to comply with applicable laws, regulations, legal processes, or enforceable governmental requests (e.g., court orders, subpoenas). We will object to overbroad or inappropriate requests where lawful and possible.
Academic Researchers: We may share fully anonymised and aggregated data with reputable research institutions for scientific studies aimed at improving our understanding of dissociation and mental health interventions. Any such data will be stripped of direct identifiers and assessed to prevent re‑identification.
Business Transfers: In the event of a merger, acquisition, reorganisation, or sale of assets, your personal data may be transferred as part of the transaction, provided the receiving entity agrees to uphold this Privacy Policy or a substantially similar standard of data protection.

We require all recipients to handle your data securely and only for the purposes we have specified. If you withdraw consent for any optional sharing (e.g., research), we will stop processing your data for that purpose as soon as administratively feasible.

5.Security and Storage

We take the security of your personal data seriously and implement a range of technical and organisational measures to protect it, including:

Data Hosting: All data is stored on secure, GDPR-compliant servers hosted in the United States under the service provider’s standard contractual terms. These terms include robust privacy and security commitments to protect your information.
Encryption: Personal data is encrypted both at rest and in transit using industry-standard encryption protocols (e.g., AES-256, TLS 1.2+).
Access Controls: Access to your data is restricted to authorised Ground Me staff and vetted service providers. Role-based access permissions and multi-factor authentication help prevent unauthorised access.
Regular Audits & Testing: We conduct periodic security audits and vulnerability scans to identify and remediate potential risks.
Incident Response: In the unlikely event of a data breach, we have an incident response plan in place to contain, investigate, and notify users and relevant supervisory authorities within 72 hours, where required by law.

We continuously review and update our security practices to adapt to evolving threats and maintain compliance with applicable data protection regulations.

6.Your Rights

Under the Data Protection Act 2018, you have the following rights regarding your personal data:

Right of Access: You can request a copy of the personal data we hold about you.
Right to Rectification: You may ask us to correct any inaccurate or incomplete data.
Right to Erasure (Right to be Forgotten): You can request deletion of your personal data where there is no compelling reason to continue processing.
Right to Restrict Processing: You may request that we restrict the processing of your personal data in certain circumstances.
Right to Data Portability: You can ask for a machine-readable copy of the data you have provided to us and transfer it to another controller.
Right to Object: You may object to processing based on legitimate interests, including profiling, unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent: Where we rely on consent (e.g., newsletters, academic research), you may withdraw your consent at any time without affecting the lawfulness of processing prior to withdrawal.

To exercise any of these rights, please contact us at contact@groundme.app. If you are dissatisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) at https://ico.org.uk.

For United Kingdom residents and anyone whose data is processed in the UK Data Protection Act 2018 Data

You have the rights set out above under ‘Under the UK GDPR’, enforced by the UK Information Commissioner’s Office (ICO). You may lodge a complaint at https://ico.org.uk.

For European Union residents and anyone whose data is processed in the EU (GDPR) If you are an EU resident, you have rights very similar to (and in some cases identical to) those under UK GDPR, including the right to access, rectify, erase, restrict, port, object, and withdraw consent. You may lodge a complaint with your local EU supervisory authority.

For United States residents and anyone whose data is processed in the US

We adopt the following rights for U.S. residents under applicable state privacy laws:

California Residents (CCPA/CPRA): As described above, you have the rights to know, delete, opt-out of sale or sharing, and non‑discrimination. To submit a verifiable request, contact us at contact@groundme.app.
Other U.S. State Laws: Residents of other states (e.g., Virginia CDPA, Colorado CPA, Connecticut DPA) may have additional rights such as access, correction, deletion, data portability, and the right to opt-out of targeted advertising. To exercise any applicable rights, please contact us at contact@groundme.app.

For Canadian residents and anyone whose data is processed in Canada (Personal Information Protection and Electronic Documents Act (PIPEDA))

Under PIPEDA, you can access and correct personal information we hold about you, withdraw consent, and complain to the Office of the Privacy Commissioner of Canada (OPC).

For Australian residents and anyone whose data is processed in Australia (Privacy Act) and anyone whose data is processed in Australia (Privacy Act)

Australian residents have the right to access and correct personal information we hold about you. You may complain to the Office of the Australian Information Commissioner (OAIC) if you believe we have mishandled your personal data.

For Turkish residents and anyone whose data is processed in Turkey (KVKK)

Under Turkey’s Law on the Protection of Personal Data (KVKK), you have the right to: be informed, access, rectify, erase or anonymise personal data, object to processing, and lodge a complaint with the Personal Data Protection Authority (KDPA).

Children's Privacy

Ground Me is available to users of all ages. For users under 18, we only collect and retain the email address required to log in. We do not record or store any other personal information or usage data (including assessments, exercise activity, symptom responses, or personalised insights). As a result, under‑18 users have limited functionality, such as basic login and reminder delivery. If you believe we have inadvertently collected additional personal data from a minor, please contact us at contact@groundme.app, and we will promptly delete it.

7.Data Retention

We retain personal data only for as long as necessary to fulfil the purposes described in this policy or as required by law. Approximate retention periods are as follows:

Account & Profile Data (DSS‑B scores, exercise details, tracker responses, reminder settings, usage data, regional location): Retained for the duration of your active account plus 30 days after account deletion.
Crash & Error Reports: Retained for 12 months to allow for trend analysis and resolution of underlying issues.
Optional Demographic Data: Retained until you withdraw consent or request deletion, plus 30 days to ensure complete removal.
Newsletter & Research Consents: Consent records are kept for as long as necessary to demonstrate compliance; anonymised research data (once stripped of identifiers) may be retained indefinitely for academic purposes.
Cookies & Tracking Data: Retained according to your cookie preference settings or until you withdraw consent; most analytics cookies expire after 13 months.

After these periods, data is either securely deleted or anonymised so that it can no longer be associated with you.

8.International Transfers

We store and process your personal data on servers located in the United States. We rely on our service providers’ standard contractual terms, which include robust privacy and security commitments, to ensure adequate protection for any cross-border transfers.

If we engage additional providers or transfer data to new jurisdictions in the future, we will implement appropriate safeguards (e.g., contractual clauses) and update this policy accordingly.

9.Policy Updates

We may update this Privacy Policy from time to time to reflect changes in our practices, applicable laws, or new features. When we make material changes, we will:

Update the “Last updated” date at the top of this policy.
Notify you via in-app notifications or email, at least 30 days before changes take effect.

Your continued use of our app or website following notification constitutes acceptance of those changes.

10.Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:

Ground Me Limited Flat 33, New Malden House, 1 Blagdon Road, New Malden, London Email: contact@groundme.app

For privacy complaints, UK residents may also contact the UK Information Commissioner’s Office at https://ico.org.uk, EU residents their local supervisory authority, or Turkish residents the KDPA.