Your Data, Privacy & Research Participation

Your Privacy Matters

Introduction

What is MyClusters?

MyClusters B.V. (MyClusters) is a digital platform for people living with cluster headaches (one of the most severe forms of headache known). Through our website and app, you can track your attacks, log symptoms and medication, gain personal insights, and choose to contribute to medical research. We also work with researchers and pharmaceutical partners who may access data from consenting users via our platform. Further contact details can be found at the bottom of this privacy statement.

What do we do with your data and why does this privacy statement matter?

Because you are a patient, the information you share with us is sensitive. We handle it with care, and this statement explains exactly what we collect, why, and what your rights are, in plain language.

A few things worth knowing from the outset:

  • "Personal data" means any information that could identify you, directly or indirectly, e.g. your name or email address, but also technical data like your IP address.
  • We are the data controller, meaning we decide how and why your data is processed. We do this across four areas: your use of our website, your use of the app, your participation in surveys, and the sharing of data with research partners. Where external researchers or pharmaceutical partners access user data through our platform, they may act as joint controllers together with MyClusters or third parties in respect of that specific processing.
  • Health data is treated differently. It receives extra legal protection, and we will only process it with your explicit consent, which you can withdraw at any time.
  • Where researchers access your data, they may share responsibility with us under a formal agreement. We explain this in the remainder of this Privacy Statement.

We are committed to processing your personal data lawfully, transparently, and with the care that you may expect from a health-related platform.

For website visitors

1. Processing on our website

1.1 Website analytics

When you visit our website, certain technical data are automatically collected to help us understand how the site is used and to improve its performance and user experience. Our service providers (i.e. sub-processors) may also have access to your personal data. In section 4 (Safeguards) you can find out more about them and what they process.

Data processed: IP address (anonymised), browser type, browser behaviour (pages visited, session duration)
Purpose: Analytics and website improvement. The website can use cookies for this purpose. Find out more in our Cookie policy.
Legal basis: Consent for non-essential analytics cookies; Legitimate interest for strictly necessary technical processing.
Tools used: Google Analytics, Umami, Squarespace Analytics. See section 5 (Sub-processors) for details.
International transfer: Google Analytics: Data are transferred to the United States, Standard Contractual Clauses (SCCs) apply. Umami: Hosted via Fly.io. Fly.io provides us with cloud hosting services for which we have an explicit Data Processing Addendum (DPA). Fly.io's infrastructure runs in the EU but is US-incorporated, SCCs apply. Squarespace: Data are transferred to the United States, SCCs apply.
Retention: 2 months

Where we rely on legitimate interest as our legal basis, we have weighed our interests against yours and concluded that our interests are not overridden by your rights or freedoms. This balancing assessment has been documented and is available on request.

1.2 YouTube video embeds

Our website embeds videos hosted on YouTube (operated by Google LLC). When you interact with an embedded video, or, depending on cookie settings, when the page loads, Google may place cookies on your device and collect data about your viewing behaviour.

Data processed: IP address, device and browser data, data about your interaction with the embedded video.
Purpose: Video playback; Google may also use data for analytics and advertising. Find out more in our Cookie policy.
Legal basis: Your consent via our cookie banner
Controller status: Google LLC acts as an independent controller for its own processing purposes.
International transfer: Data are transferred to the United States; Google LLC is certified under the EU–U.S. Data Privacy Framework (adequacy decision).
Retention: 2 months

Important: We only allow YouTube to set non-essential cookies after you have given consent via our cookie banner.

1.3 Contact form

When you submit a message via our contact form, we use the information you provide solely to respond to your enquiry.

Data processed: Name, email address, message content, IP address
Purpose: Responding to your enquiry
Legal basis: Legitimate interest: responding to an inbound communication request
Retention: Deleted when no longer necessary for responding to your enquiry, unless a longer statutory retention obligation applies
Processor: Squarespace (email/contact form hosting). See section 5 (Sub-processors).

1.4 MyClusters webshop

Data processed: Name, email address, shipping address, billing address, order history, payment data (processed via the webshop's payment provider).
Purpose: Processing and fulfilling orders placed through the embedded webshop, including payment handling, shipping, and order administration.
Legal basis: Performance of a contract: processing is necessary to fulfil the order placed by the visitor.
Controller & processor: MyClusters acts as controller for the data collected through the webshop. Payment data is processed by the webshop's payment provider, which acts as an independent (data) processor or controller depending on the applicable terms.
International transfer: 90 days
Retention: 90 days

For MyClusters' users and customers

2. User of our MyClusters App

When you create an account and use the MyClusters app, we process additional personal data, including special categories of data (health information). This section provides transparent information regarding our processing activities.

2.1 Account & app usage

Data processed: Name, email address, password (hashed), app usage data, device/session identifiers
Purpose: Creating and managing your account; providing the MyClusters service
Legal basis: Performance of a contract
Retention: For the duration of your account (plus 90 days after deletion), subject to statutory obligations
Processors: AWS (cloud storage), Fly.io (hosting). See section 5 (Sub-processors).

2.2 Health data & surveys

2.2.1 Surveys from MyClusters

MyClusters publishes its own surveys, for example, quality-of-life questionnaires and product feedback forms. For these surveys, MyClusters acts as controller of the personal data: we determine the purpose of the processing and we carry it out.

Nature of the data: Some of these surveys contain sensitive questions relating to your experience of cluster headache, including questions about your quality of life. Cluster headache is associated with a significantly elevated risk of suicidal crisis. The inclusion of such questions is clinically relevant but means that the data collected constitutes health data.

Data processed: Symptom data (regarding the headaches), diagnosis confirmation, year of diagnosis, medication data, quality-of-life indicators, lifestyle related data, potentially data relating to suicidal ideation.
Purpose: Improving MyClusters services; generating insights into cluster headache
Legal basis: Your explicit consent. You may withdraw consent at any time. In section 3 (Your rights), we provide a complete overview of all your rights related to your data.
Effect of withdrawal: Upon withdrawal, we will cease further processing. Data already processed prior to withdrawal remains lawfully processed. We will [delete / anonymise] your survey responses within 90 days.
Retention: 90 days after account deletion
Processors: AWS. See section 5 (Sub-processors).

Signposting to support: Where a survey contains questions about suicidal ideation, the app will display links to crisis support lines (e.g., 113 Zelfmoordpreventie in the Netherlands). This is part of our duty of care to users and does not affect how your data are used.

Without this personal data, we are unable to deliver our services. We therefore require consent to execute our services and it is important that you have verified the information's accuracy. This means that the provision of your personal data is a requirement to become a user of our services and is therefore part of our Terms of Service.

2.2.2 Surveys for medical research

As part of our services, MyClusters offers users the opportunity to contribute to scientific research on cluster headaches. To this end, external researchers and pharmaceutical companies may distribute their own surveys via the MyClusters platform, and receive individual responses from consenting users.

Because these external parties co-determine the purpose of that data collection, they do not act as mere processors — they act as joint controllers together with MyClusters. This means that both MyClusters and the relevant external party bear responsibility for how your personal data is handled in the context of that survey.

If you have consented to filling out a medical research survey, MyClusters has put in place a Joint Controller Agreement with the external party, setting out the respective responsibilities of each. You may request a copy by contacting us at privacy@myclusters.io.

Data processed: Survey responses, which can include: symptom data (regarding the headaches), diagnosis confirmation, year of diagnosis, medication data, quality-of-life indicators, lifestyle-related data, potentially data relating to suicidal ideation. Before any data is shared with a researcher or pharmaceutical partner, it is pseudonymised.
Purpose: Research and/or product development as jointly defined with the external party
Legal basis: Your explicit consent, obtained separately for each researcher-initiated survey, distinct from any other consent you have given.
Who receives your data: The individual researcher or pharmaceutical company that initiated the survey, identified at the point of consent.
Joint Controller Agreement: A Joint Controller Agreement governs the respective responsibilities of MyClusters and the external party. You may request a copy.
International transfer: You will be informed regarding the international transfer of information at the same time as your explicit consent is obtained for the sharing of the surveys.

Patient stratification

MyClusters may make it possible for researchers to target surveys to specific subgroups of users, based on characteristics such as gender, nationality, or symptom profile. Where this feature is used, the external researcher acts as a joint controller with MyClusters. Targeted surveys will only be sent to subgroups that meet our minimum-size threshold. Full details of any such processing, including the identity of the researcher and the applicable transfer safeguards, will be disclosed to you at the point at which your consent is requested.

Data processed: Profile data already held by MyClusters (such as gender, nationality, and symptom profile) used to identify and select eligible users for a targeted survey. Survey responses subsequently collected from users in the selected subgroup who have given their consent.
Purpose: Selection of research participants from a specific subgroup, followed by research or product development as defined by the external researcher or pharmaceutical partner.
Legal basis: We use legitimate interest as the legal basis for the filtering step, because this step is strictly necessary to show you relevant surveys and avoid spam. No new personal data is collected or shared during filtering.
Who receives your data: The researcher or pharmaceutical company that initiated the targeted survey, identified at the point of consent. The filtering step is carried out internally by MyClusters.
Joint Controller Agreement: Because the external researcher co-determines both the selection criteria and the purpose of the data collection, they act as a joint controller together with MyClusters. A Joint Controller Agreement governs the respective responsibilities of each party, including responsibility for the filtering step and the consent mechanism.

3. Your rights

Under the GDPR, you have the following rights regarding the processing of your personal data. You can exercise any of these rights by contacting us using the details at the bottom of this section.

  • Right to be informed (Art. 13/14 GDPR). You have the right to be informed about how we collect and use your personal data. We fulfil this right through this privacy statement. If you have additional questions about how your data is used, you can contact us directly.
  • Right of access (Art. 15 GDPR). You can request a copy of the personal data we hold about you, along with information about how and why we process it. We will provide this to you in writing.
  • Right to rectification (Art. 16 GDPR). If any personal data we hold about you is inaccurate or incomplete, you can ask us to correct or complete it.
  • Right to erasure (Art. 17 GDPR). You can ask us to delete your personal data. We will do so unless we are required to retain it — for example, because it is necessary to provide our services to you or because we are legally obliged to keep it.
  • Right to restriction of processing (Art. 18 GDPR). In certain circumstances, for example if you contest the accuracy of your data or have objected to our processing, you can ask us to temporarily limit how we use your personal data while the matter is resolved.
  • Right to data portability (Art. 20 GDPR). If we process your personal data on the basis of your consent or a contract, and the processing is carried out by automated means, you can request that we provide your data to you in a structured, commonly used and machine-readable format. You may also ask us to transfer it directly to another organisation where technically feasible.
  • Right to object (Art. 21 GDPR). Where we process your personal data on the basis of a legitimate interest, you have the right to object at any time on grounds relating to your particular situation. We will then stop processing unless we can demonstrate compelling legitimate grounds that override your interests, or unless the processing is necessary for the establishment, exercise or defence of legal claims. If your data is used for direct marketing purposes, you can object at any time without giving any reason, and we will stop immediately.
  • Rights related to automated decision-making and profiling (Art. 22 GDPR). You have the right not to be subject to a decision based solely on automated processing, including profiling, where that decision produces legal effects or similarly significantly affects you. If such processing does take place, you have the right to request human intervention, to express your point of view and to contest the decision.
  • Right to withdraw consent (Art. 7 GDPR). Where we rely on your consent as the legal basis for processing, you can withdraw that consent at any time. Withdrawing your consent does not affect the lawfulness of any processing that took place before the withdrawal.
  • Right to lodge a complaint (Art. 77 GDPR). If you believe we are not handling your personal data in accordance with the law, you have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at any time, via autoriteitpersoonsgegevens.nl. We would appreciate the opportunity to address your concerns directly first, so please consider reaching out to us before doing so.

Do you have questions, comments, requests or complaints about the processing of your personal data or this privacy statement? Please contact us at privacy@myclusters.nl.

4. Safeguards

We take the protection of your personal data seriously and have implemented appropriate technical and organisational measures to protect it against loss, misuse, unauthorised access, alteration, disclosure or destruction. These measures are continuously reviewed and improved in line with technological developments. Access to personal data is strictly limited to employees and third parties, such as research partners and pharmaceutical companies, who are bound by contractual confidentiality obligations. Your personal data is retained only for as long as necessary to fulfil the purposes for which it was collected, unless a longer retention period is required for tax or legal reasons.

In the context of patient stratification research, we apply additional safeguards to mitigate the risk of unauthorised identification. Where data is shared with research or pharmaceutical partners, we apply data masking techniques (replacing direct identifiers such as your name with a pseudonymous reference code) so that your identity is not directly apparent to the recipient. This data remains personal data under the GDPR, and all recipients are required to treat it as such. Additional safeguards include an internal policy governing the pseudonymisation and sharing of research data; mandatory declarations by all researchers prohibiting any attempt to re-identify individuals and confirming compliance with applicable privacy legislation; a review of all questionnaires prior to distribution to assess re-identification risk; and contractual clauses with all research and pharmaceutical partners explicitly prohibiting re-identification and requiring appropriate data protection measures.

5. Sub-processors

5.1 With whom may we share your personal data?

In order to provide and improve our website and services, we may share your personal data with carefully selected sub-processors who process data on our behalf. We only share personal data to the extent necessary for the relevant purpose. All sub-processors are contractually bound to comply with the General Data Protection Regulation (GDPR) and to implement appropriate technical and organisational measures to protect your personal data.

We engage the following categories of sub-processors:

  • Email services and newsletter distribution: We use Squarespace and Beehiiv to manage email communications and newsletters. These providers process contact details and communication preferences on our behalf.
  • Data storage and infrastructure: We use Amazon Web Services (AWS) for secure cloud-based data storage.
  • Cloud hosting: Our application is hosted via Fly.io.
  • Website analytics: We use Google Analytics, Umami, and Squarespace to analyse the use of our website and services in order to improve performance and user experience.
  • Error monitoring and user support: We use Sentry for application monitoring and error tracking, and Gleap for user feedback and support functionalities. These services may process technical data, usage data, and communication content where relevant.

5.2 International transfers

Some of our sub-processors are located outside the European Economic Area (EEA), in particular in the United States, or are part of organisations incorporated in the United States. Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. This includes the use of Standard Contractual Clauses (SCCs) approved by the European Commission and, where applicable, reliance on certification under the EU–U.S. Data Privacy Framework.

Changes to this privacy statement

We may update this privacy statement from time to time to reflect changes in our data processing practices, legal requirements or the services we offer. If we make material changes to this statement or the way in which we process your personal data, we will notify you in advance through a prominent notice, for example via email or a notification within our platform, before the changes take effect. The date of the most recent version of this statement is indicated at the top of this page. We encourage you to review this statement periodically to stay informed about how we protect your personal data.

Have more questions or concerns?

We're here to help. Contact us at privacy@myclusters.nl if you have questions about:

  • Data privacy
  • Research participation
  • Your rights
  • Security measures
  • Consent modification
  • Suggestions