Information Security Policy

Effective August 2017
Certificate of Approval

Policy Statement for Information Security

MYZONE has committed to implementing and maintaining an Information Security Management System, in accordance with the requirements of ISO 27001:2013, covering the security of processed and stored information concerning distributors, facilities and consumers associated with the provision of heart rate belts and related products and services.

MYZONE handles information assets which can take various forms including data printed or written on paper, stored electronically, transmitted by electronic means, stored on electronic media and spoken in conversations. Information will be protected from loss of confidentiality, integrity, and availability. Information assets may include personally identifiable information (PII).

Information relating to the registration of MYZONE belts and PII data is sensitive and must have adequate safeguards in place to protect it, and to ensure compliance with various regulations, along with guarding the future of the organisation.

MYZONE commits to respecting the privacy of all its customers, protecting any customer data from outside parties, and ensuring that their customer (consumer and facilities) requirements are met. To this end, management are committed to maintaining a secure environment in which to process sensitive information so that we can meet these promises. MYZONE are also committed to the overall continual improvement of the Information Security Management System, including senior management setting and reviewing security objectives.

This policy will be reviewed and updated by management on an annual basis or when relevant to include newly developed security standards into the policy and re-distributed to all employees and contractors where applicable.

This policy is communicated to all employees and is displayed on the MYZONE website, for external interested parties to access.

Access Control

Information for Belt Users:

Belt users can access the following information about themselves, through the application, which can be downloaded from the App Store or Google Play, or by logging in to the website:

  • Workout data (“Moves”)
  • Biometric data
  • Challenges
  • Communicate with their friends (“Connections”)
  • Likes and Comments on their Moves
  • Overall Stats
  • Heart Rate

They can also access information regarding their Connection’s Moves. Belt users have the ability of managing their privacy settings through the App:

  • Allow their Connections to see their Moves;
  • Allow their Connections to see their photos;
  • Allow their Connections to see all of their other Connections;
  • Allow them to be viewed as Connections of Connections.

Information for Facilities:

Facilities can access the following information, through MYZONE software:

  • Name, email address, gender, and date of birth of belt users connected to their facility;
  • The belt ID of belt users connected to their facility;
  • The maximum and resting heart rates of belt users connected to their facility;
  • Data showing when belt users have participated in any class activity, the duration ofsuch activity, and the number of calories burnt;
  • The names of belt users’ social connections linked with their facility;
  • The number of “likes” and the number of comments their users have made againstactivities of other belt users;

Facilities do not have access to personal biometric data unless the user has permitted them to have such access.

Responsibilities

MYZONE are ISO 27001 certified, and therefore have a responsibility to ensure that customer information is kept confidential.

Customers are responsible for any and all activities that occur under their account. User identification codes (username) and passwords must remain confidential and not be disclosed to any third party.

The services provided by MYZONE do not fall within the scope of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), an Act of the United States. However, MYZONE applies stringent privacy and security rules which are certified as complying with ISO 27001 standards.

Network and Server Security

Domicilium (Isle of Man) is MYZONE’s network and server hosting provider. They are ISO 27001 certified and have all controls in place to ensure that MYZONE’s network and servers are protected from unauthorised access or malicious attack. They are audited by a third party to retain such accreditation.

Payments Security/Online Shop

The information collected by MYZONE within the online shop is a customer’s name, postal address, email address, and telephone number. Transactions are undertaken by a payment processor, who will collect information about the customer’s payment card. This information is not transmitted to MYZONE and payment details are not retained by MYZONE.

User Identification and Authentication

Belt and Facility Users must provide a user login and password which protects their data. This is completed upon purchasing the belt/accessory. MYZONE cannot access or amend this information. It is the customer’s responsibility to ensure that this authentication information is kept confidential.