Important points to consider before signing up with Noom.com

GraceCourt

Having seen a television advertisement for weight-loss support from Noom Inc., which is incorporated in the United States of America, I was puzzled that there is no mention of any UK-incorporated legal entity, and undertook a little research.

The fine detail is available for anyone who's interested, but the awful truth is that you have no legal rights whatsoever in respect of any personal data that you provide via the noom.com Web site, nor the Noom app, which is of grave concern - not least because you are providing medical information that includes data from which your psychological health can be derived.  Noom Inc. admits in its own "privacy policy" that you have no legal recourse because it is a legal entity incorporated within a "third country" for the purposes of the UK GDPR and the Data Protection Act 2018.  It does not have any contractual arrangements with a UK-registered legal entity that accepts civil or criminal liability for any breach of the data protection rights of UK or EEA citizens.  It also states that "... Noom may obtain your personal health information from your health care provider upon User’s request and prior approval. Noom may collect certain personal health information such as User’s height, weight, blood pressure, blood glucose and gender..." but to do so in the UK would not only be unlawful, it would be illegal.

I have asked Noom's "data privacy" contact to confirm all of the above, and I'll post its response on this thread,  but there is enough information in the terms and conditions on the Web site to support a strong warning that no UK citizen should engage in any way with Noom Inc., based on the fact that the Court of Justice [Grand Chamber] of the European Union in the case of Schrems v Data Protection Commissioner [of Ireland] on 6 October 2015 means that data protection measures in the USA are inadequate for the protection of the personal data of UK and EU citizens.  At best, providing Noom Inc. with your e-mail address [which is regarded by the UK Information Commissioner as being "personal data" for data protection purposes] could lead you to be "spammed" by third parties: at worst, the company can do what it likes with your personal data and your personal health information and there's absolutely nothing that either you or the Information Commissioner can do about it. 

Wanderingpomm

If they are trading in the UK then they cannot just say the rules don’t apply to them. That’s not how the law works. 

So what they are doing is at best skirting on the edge of legality 

Maskface

Wanderingpomm said:

If they are trading in the UK then they cannot just say the rules don’t apply to them. That’s not how the law works. 

So what they are doing is at best skirting on the edge of legality 

It's a little more complex unfortunately. If they aren't registered in the UK then they aren't subject to our rules and regulations. 

GraceCourt

Wanderingpomm said:

If they are trading in the UK then they cannot just say the rules don’t apply to them. That’s not how the law works. 

So what they are doing is at best skirting on the edge of legality 

Yes, they can: the only rules to which they are subject are the Federal laws of the USA and the State laws of the US state in which they are incorporated: and of course we've already established that those are inadequate (and as a UK citizen, you aren't even entitled to the inadequate protection of these laws). 

Noom Incorporated has no address within any of the three legal jurisdictions of the UK at which it can be served with legal process, that's the whole point of the warning.

GraceCourt

Update:  Thus far, despite acknowledgements from Noom Inc.'s support staff to my original enquiry and to a follow-up message, there has been no acknowledgement nor any response from the company's legal advisors.

My original warnings about not providing any personal data to Noom via their app or Web site still stand, but I will wait to see if there is any response to a final follow-up message before drawing any final conclusions.

GraceCourt

GraceCourt said:

Update:  Thus far, despite acknowledgements from Noom Inc.'s support staff to my original enquiry and to a follow-up message, there has been no acknowledgement nor any response from the company's legal advisors.

My original warnings about not providing any personal data to Noom via their app or Web site still stand, but I will wait to see if there is any response to a final follow-up message before drawing any final conclusions.

Still no response whatsoever from Noom's legal representatives to my enquiry, despite the acknowledgement of receipt, and promise by their Support staff that it will be passed on.

I'll add a more detailed message in a day or so, as there is a County Court hearing tomorrow in respect of an application (to strike out a data protection claim) being made by a UK company on behalf of its US parent, which seeks to establish exactly what I'm warning about, i.e. that once you export your data out of the UK and EU, you have no legal protection whatsoever in respect of the data you give away, because there's no data processor or data controller in the UK.

In the meantime, you might want to read here an article about what you can expect to happen to your intimate personal data that you supply to Noom - your height, weight, diet, phone number... every scrap of your personal data can be given away to third parties and there's absolutely nothing whatsoever you can do about it!

No wonder there's no response at all from Noom's lawyers!

GraceCourt

The hearing referred to in my previous post has been adjourned, so here's the brief summary of where things stand with Noom and your personal data...

You have no rights whatsoever in relation to every scrap of personal data that you provide to Noom  Inc., including medical information, whether via the app or otherwise, because Noom Inc. is incorporated in the USA.  Noom Inc. reportedly sells that personal data to third parties, and there's nothing whatsoever you can do about it unless those third parties are incorporated in the UK.

Brie

data protection is an ongoing issue for legitimate companies in the UK so it's not surprising that is a challenge to those incorporated elsewhere.

I do know that many large corporations here require any foreign subsidiaries to maintain at least equivalent to UK standards.  But we all know how well some large entities have handled data within the UK and that large fines have resulted from non compliance to basic DP rules.  (like not dumping old pcs without first wiping all the data!)

Unfortunately many people work from a point of ignorance or oblivion.  "i'm in the UK therefore everyone I deal with is in the UK and subject to UK law".  No.  It's the same thing when someone in the UK orders something via Amazon and then is surprised that it's being shipped from wherever and they have to pay import fees.  

All of which adds up to - thank you Grace for bringing this to our attention.

GraceCourt

Brie said:

I do know that many large corporations here require any foreign subsidiaries to maintain at least equivalent to UK standards.

The good news is that the UK corporations - usually limited companies - to which Brie refers remain responsible for compliance with the UK GDPR and Data Protection Act 2018 if they export your personal data to "third countries". 

The bad news is that the "standard contractual clauses" that are mandated by the Information Commissioner are usually tucked away in the terms and conditions - you do read these, don't you??!  The massive growth of cloud-based IT services means that even the smallest companies are probably exporting your data without you even being aware, because you've agreed to it in the "small print".

Personally, I do read the small print, and never agree to my personal data being exported outside the UK or the EU, simply because once it's exported, you've lost control of it, even if you do have any rights to compensation: when your privacy is gone, it's gone forever.

Admiral_Barbarossa

If you do not want your data splashed all over the internet, leave the internet!

MalMonroe

You say, "You have no rights whatsoever in relation to every scrap of personal data that you provide to Noom  Inc., including medical information, whether via the app or otherwise, because Noom Inc. is incorporated in the USA.  Noom Inc. reportedly sells that personal data to third parties, and there's nothing whatsoever you can do about it unless those third parties are incorporated in the UK." 

And I say -

Noom IS registered in the UK as 'Noom Health UK' and is on the Companies House website - incorporated as from June 2021.

https://find-and-update.company-information.service.gov.uk/company/13453588

A few months ago I looked into Noom as I'd seen it advertised on TV and needed some diet advice. So I looked online and even started to register but when it came to the part where you had to pay large sums of money, I left that site, never to return. That, I believe, was before they even started asking for any personal/health details. 

It's like all the other scams out there. Registered, incorporated, legally allowed or not. But Noom's here in the UK and it's incorporated.