Privacy notice

Back

About Corporation Pop and Pop-able


Pop-able is a platform developed by Corporation Pop that uses augmented reality, gameplay and an avatar-based conversational agent to deliver health education to young patients. It is designed to reduce anxiety around hospital visits and to help children engage with their own care.

The platform has three components: a mobile app for the child, a parent portal, and a management portal for clinical staff and organisation administrators.

Corporation Pop Ltd is registered in England and Wales. Company number: 4869229. Our registered address is 21–23 Shudehill, Manchester, M4 2AF. You can contact us at info@corporationpop.co.uk or 0161 838 0808.

Who is responsible for your data?


The health organisation that invited you to use Pop-able — for example, the hospital or clinic — is the data controller. That means they are responsible for deciding how and why your and your child's personal data is processed.

Corporation Pop acts as a data processor. We process personal data only on the documented instructions of the health organisation, under a formal data processing agreement. Corporation Pop does not access or view personal data held within the app unless instructed or authorised by the data controller.

What data do we collect, and where does it come from?


We collect a small amount of personal data from four groups of people:


  • Parents and guardians. When you accept the invitation to use Pop-able, you provide your email address. Where your child is using the app, you manage their account through the parent portal.
  • Children and young people (patients). The parent or guardian provides the child's first name before the app is downloaded. Within the app, the child can add information voluntarily through features such as questionnaires and a chatbot — see below.
  • Organisation administrators. We store basic account data for the people who set up and manage the platform on behalf of the health organisation.


We do not ask for or store any medical information such as medical records, diagnoses or clinical notes.

In limited cases, users may choose to enter free text (for example in features such as questionnaires and the chatbot) which could include information about other people. This is incidental and not actively collected by Corporation Pop.

How we use the data


Account setup and login


Your email address is used to send you an invitation and login code. Your child's first name is used to create their account. No other personal data is required at login.

Questions asked in the app


The app allows children to ask questions. Some questions are logged — in anonymised, aggregated form — to help improve how the app responds in the future. These logs are not linked to any individual, account or organisation.

Unity (the platform the app is built on)


Pop-able is built using Unity. Unity may collect technical data from the child's device, including device IDs and IP addresses. Corporation Pop cannot access this data; Unity provides us only with anonymised, aggregated analytics about how the app is used. We recommend you read Unity's privacy policy.

Lawful basis for processing


The health organisation, as data controller, relies on consent as its lawful basis under Article 6 UK GDPR. By accepting the invitation to use Pop-able, you are consenting — on your child's behalf — to the processing of personal data as described in this notice.

Where the child is under 13, parental or guardian consent is required. We recommend that parents and guardians remain involved regardless of the child's age, given the nature of the platform.

Where any special category data is recorded — for example, health-related information a child chooses to enter — this is processed only with explicit consent under Article 9 UK GDPR.

Corporation Pop, as data processor, processes personal data solely on the documented instructions of the health organisation.

Storing and sharing data


All personal data is stored securely. We use a combination of technical and organisational measures to protect personal data, including access controls, encryption where appropriate, and defined data handling procedures.

Corporation Pop does not access or view data held within the app without the permission or instruction of the health organisation.

We do not sell, rent or otherwise share personal data with any third party, except where we are legally required to do so — for example, in response to a court order.

Pop-able is used by health organisations in the UK and internationally. Where personal data is transferred outside the UK, Corporation Pop ensures that appropriate safeguards are in place to protect it, such as standard contractual clauses or equivalent mechanisms in line with UK GDPR requirements.

How long we keep your data


Personal data is retained for no longer than one month after the patient's account is closed by the health organisation.

Once the account is closed, the child may continue to use the app on their device until it is deleted. Any data entered locally after account closure is not transmitted to or stored by Corporation Pop or the health organisation. If the app is removed from the device, that local data is also deleted.

We maintain a data retention policy which defines how long different categories of data are kept and ensures that data is reviewed and deleted appropriately.

If you contact us by email, we retain your email address on the basis of legitimate interests — specifically, the need to maintain a record of correspondence.

Your rights


Under UK GDPR you have the following rights in relation to your personal data and your child's personal data:

Under UK GDPR you have the following rights in relation to your personal data and your child's personal data:

  • Access. You can ask for a copy of the personal data we hold about you or your child.
  • Rectification. You can ask us to correct inaccurate data or complete incomplete data.
  • Erasure. You can ask us to delete personal data. Note that some data is necessary to provide the service; full erasure may mean the account can no longer be used.
  • Restriction. You can ask us to suspend processing of personal data without deleting it.
  • Portability. You can ask us to provide your data to you directly in a portable format. We are not currently able to transfer it directly to other organisations.
  • Object. You can object to processing you believe is not lawful or not in keeping with your rights.
  • Withdraw consent. You can withdraw consent at any time. This does not affect the lawfulness of processing that took place before withdrawal.

To exercise any of these rights, email info@corporationpop.co.uk with the name of the request in the subject line. We will acknowledge receipt and may ask you to verify your identity. We have one month to respond.

More information about your rights is available at ico.org.uk.

Complaints

If you are unhappy with how we have handled your data, please contact us in the first instance at info@corporationpop.co.uk and we will work to resolve the issue. If you remain unsatisfied, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

Keeping this notice up to date


This notice may be updated from time to time. Please check back periodically. If you have any questions, contact us at info@corporationpop.co.uk or 0161 838 0808, or write to us at Corporation Pop Ltd, 21–23 Shudehill, Manchester, M4 2AF.