1. Introduction
This Privacy Policy explains how your personal data is collected, used, and protected when you participate in the pilot of Cedar ("the App"). This is a closed pilot commissioned by the University of Birmingham and is not available to the general public.
Cedar has been developed by HMA Designed Solutions Ltd on behalf of the University of Birmingham. Participation is limited to 20 invited individuals.
If you have any questions about this policy or how your data is handled, please contact:
Data Controller: University of Birmingham
Data Protection Officer: Andrew Stevens
Email: a.stevens@bham.ac.uk
2. Who Is Responsible for Your Data?
The University of Birmingham is the data controller for this pilot. This means the University is responsible for deciding how and why your personal data is processed.
HMA acts as a data processor on behalf of the University — meaning HMA handles data only as instructed by the University and does not use it for any independent purpose.
3. What Data We Collect
3.1 Account and Identity
Before you download Cedar, the researcher will provide you with a Study ID — a purpose-created login credential in the format of an email address (e.g. pilotuser1@hma.co.uk). This is not a real email address and has no inbox. Your password will also be set and given to you directly by the researcher; you will not choose your own.
You use your Study ID and researcher-issued password — not your real name or personal email — to log in to the App. This means HMA does not hold your real name or personal email address.
The researcher at the University of Birmingham holds a secure mapping between your Study ID and your real identity, which allows them to link pseudonymised app data back to you as a participant if required for the research.
During onboarding, Cedar also collects:
- Date of birth
- Gender
- Other demographic information as prompted during setup
3.2 Symptom and Health Data
Cedar collects the following health-related information throughout your participation:
- Concussion symptom scores recorded after a concussion event
- Daily mood diary check-ins
- Exercise participation and feedback
- Articles and resources you access within the Resources section
This information is used to suggest personalised recovery modules and to help the University assess the effectiveness of Cedar.
3.3 Wearable and Health Device Data (Optional)
If you choose to connect a wearable device, Cedar uses a third-party service called Sahha to collect health metrics from those sources. You control which metrics are shared at the point of connection and can withdraw this at any time.
Data collected via Sahha may include activity, sleep, heart rate, and other health metrics depending on your choices. This data is stored by Sahha against a unique identifier (UUID) that links back to your record in the profile management system. Neither HMA nor the University of Birmingham receives your name or Study ID from Sahha — the link is maintained via matching UUIDs only.
Please note: Sahha is an Australian company (Sahha Pty Ltd). Your wearable data is stored and processed on servers located in the United States (us-east-1, Northern Virginia). This constitutes a transfer of personal data outside the UK. The University of Birmingham has reviewed and approved the use of Sahha for this pilot, including the associated international data transfer arrangements. You can review Sahha's End User Privacy Policy at https://docs.sahha.ai/docs/legal/end-user-privacy-policy.
4. How We Use Your Data
We use your data for the following purposes:
Because Cedar processes special category data (health data), we rely on Article 9(2)(a) (explicit consent) and Article 9(2)(j) (scientific research) of the UK GDPR as our additional bases for processing health information.
5. Pseudonymisation
Your data is pseudonymised throughout the system. This means:
- HMA can see your app data (symptoms, scores, activity) but only associated with your Study ID, not your real name.
- The University of Birmingham researcher can match Study IDs to real participants but does not routinely do so unless required for the research.
- Wearable data via Sahha is linked only by UUID, with no name or Study ID attached.
While pseudonymisation significantly reduces privacy risk, it does not make data fully anonymous, as re-identification by the researcher remains possible. Your data is therefore still treated as personal data under UK GDPR.
6. Who We Share Your Data With
We share data only where necessary and with appropriate safeguards in place:
We do not sell your data. We do not use your data for advertising.
7. International Data Transfers
Your primary app data is stored on servers located in the United Kingdom.
Data processed by Sahha is stored in the United States (us-east-1, Northern Virginia). The University of Birmingham has reviewed and approved the use of Sahha for this pilot, including the international data transfer arrangements. Sahha integration remains optional — you can use Cedar fully without enabling it.
Data processed by Google (GA4) and Bugsnag may be processed in the United States or other countries. Both companies participate in recognised data transfer frameworks and maintain appropriate safeguards.
8. Data Retention
Your pseudonymised data will be retained for 10 years from the end of the pilot, held on secure servers maintained by the University of Birmingham. This retention period is in line with the University's research data governance policies.
After 10 years, your data will be securely deleted or further anonymised such that you can no longer be identified.
Data held by third-party processors (such as Sahha, GA4, and Bugsnag) is subject to their own retention policies, details of which can be found in their respective privacy policies.
9. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
- Right of access — you can request a copy of the data held about you.
- Right to rectification — you can ask us to correct inaccurate data.
- Right to erasure — you can ask for your data to be deleted, subject to research retention obligations.
- Right to restrict processing — you can ask us to limit how we use your data.
- Right to withdraw consent — where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.
- Right to object — you can object to processing based on public task or legitimate interests.
To exercise any of these rights, contact Andrew Stevens at a.stevens@bham.ac.uk.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: https://ico.org.uk
Phone: 0303 123 1113
10. Security
We take appropriate technical and organisational measures to protect your data, including:
- Pseudonymisation of all user records
- Study ID-based login (no real name or personal email stored by HMA)
- Researcher-controlled credential issuing (passwords are set and distributed by the researcher, not chosen by participants)
- UUID-based linking for wearable data
- Crash monitoring via Bugsnag to identify and resolve security-relevant errors
- Access controls limiting who can view data within HMA and the University
11. Children
This pilot is open to adults only. No participant under the age of 18 will be enrolled. We do not knowingly collect data from minors.
14. Changes to This Policy
This policy may be updated during the pilot, for example to confirm data retention periods. We will notify participants of any material changes via the App, or by message through the researcher.
15. Contact
For any questions, concerns, or to exercise your rights:
Andrew Stevens
University of Birmingham
a.stevens@bham.ac.uk
For complaints: Information Commissioner's Office — 0303 123 1113
This privacy policy applies to the Cedar pilot only and is not a public-facing commercial privacy policy.