Privacy Policy

 

Last updated 12 JUNE, 2024

 

This privacy policy explains how we process your personal data collected through our Stella App, StellaPlus (menopause assessment) or from browsing our website (the “Services”), including how we collect your data, with whom and why we share them with, how we protect your data, how long we retain them and your rights. 


If you have any questions about this privacy policy, including any requests relating to your legal rights, please contact us at privacy@vira.health.

 

WHO WE ARE

We are Vira Health Limited. We are registered in England and Wales under the UK Company Registration Number: 12542209 and our office address is : 22 Highbury Grove, Unit 401, London, United Kingdom N5 2EF.

We are registered with the ICO (Information Commissioner’s Office) under number ZB352110 and our Data Protection Officer can be contacted by email at privacy@vira.health. 

 

 WHAT TYPE OF DATA DO WE HAVE ABOUT YOU?

 

  •  Identity details:

We process information about your identity such as your name, date of birth, ID to help us identify who you are and confirm your identity.

 

  • Contact details: 

We process your email, telephone number and address(es) in order to contact you, respond to your queries, send transactional and marketing communications to you including prescription reminders and reminders when you do not complete your assessment as well as to deliver a medicine or a product or to follow up with you when you attend one of our event in person or online.

 

  •  Financial details

We process your payment details but we are not acting as a payment provider so we do not have access or store all of your payment data. We access partial transaction details such as the last digits of your card, billing address, transaction IDs, the type of card you use and your purchase history with us.

 

  • Technical details

These data include the type of device you use to access our Services, your operating system, IP address or your type of browser.  This allows us to understand bugs with our website and app, adapt the content to you and also help to prevent notably with information such as the IP address. 

 

  • Browsing activity, user/interaction data

This is information collected by us about how and when you are using our Services. This includes what page you are visiting, how long you spend on our website/app, your behaviour on the page ( e.g. clicks, scrolling), where you came from before landing on our properties (link from an article, google search). This helps us to analyse how users interact with our website and app in order to improve them and offer you a better experience.

 

  • Marketing details

This is data about your marketing preferences and the performance of our marketing campaigns (e.g. the emails we send you).

 

  • Research/surveys data

If you participate in our research or respond to our individual surveys, we collect your feedback in order to improve our Services. Some of these surveys or research can be anonymised which mean that it will not be linked to you. 

We are also using aggregated data, which is data no longer associated with you, to perform research or statistical analysis on our Services and how users interact with them. 

 

  • Medical details

We collect your medical information when you complete a menopause assessment and when you have a consultation with our doctors. This includes your medical history, symptoms, medication you are on, treatments prescribed to you.

We need this information in order to provide you with the menopause assessment and in order for our doctors to do a diagnosis and prescribe a treatment or give advice to you.  Our doctors also make detailed notes of your consultation.

 

  • Work and education data 

If you apply to one of our positions, we will collect information about your education and history of work, qualifications, references, right to work, DBS checks (where relevant), results of interviews and assessments. This is in order to assess your suitability for our available roles.  

 

  • Data we received from third parties

We can also receive data from third parties such as:

  •  Data from the pharmacy to follow up on a treatment being sent to you
  • Which employer or organisation you came to us from (voucher code) 
  • Your status after verification of your identity (pass/fail)

We continually review the personal data we collect to ensure we adhere to the principle of data minimisation by only collecting and retaining what is necessary for the provision and improvement of our services. 

 

We do not knowingly collect personal data from individuals under 18 years of age and neither Stella nor Stella Plus are targeted at this demographic. If you become aware that a child has provided us with personal data without parental consent, please contact us. 

 

OUR LEGAL BASIS TO PROCESS YOUR DATA

Under the Data Protection Act 2018, the UK and EU GDPR where applicable, we have to have a particular reason to process your data which includes its collection, use, transfer, storage or retention.

We have indicated in the table below the different purposes for which we process your personal information, what type of information and the lawful basis for processing.

PURPOSETYPE OF DATALAWFUL BASIS
To register you as a new customerIdentity details (e.g. name, surname, date of birth)
Contact details (e.g. email, telephone number)

Performance of a contract
To collect and recover money for the use of our ServicesIdentity details 
Financial data (name, contact details, payment transaction details).
Performance of a contract
Legitimate interests (to prevent fraud)
Note: we do not store card data on our end. The payment process is delegated to a third party supplier certified to process payments.
To provide the medical care service as requested by you. To issue the menopause report, issue a prescription when appropriate, and for the delivery of your treatment or goods. To follow-up on the treatments and advice given by the doctors.Identity details (e.g. name, surname, gender, date of birth)
Contact details (e.g. email, telephone number)
Medical details (e.g.medical history, symptoms).

Performance of a contract and medical diagnosis, provision of health care and treatment pursuant to the contract between the patient and us.
To verify your identityIdentity details (e.g. name, surname, gender, date of birth, ID)
Contact details (e.g. email, telephone number)
Financial data (e.g. payment transaction details: date, amount, name, address, email)
Photo of you,
Video of you

Legitimate interests (to prevent identity or medical fraud).
To book appointment with doctorsIdentity details (e.g. name, surname, gender, date of birth)
Contact details (e.g. email, telephone number)
Financial data (e.g. payment transaction details)

Performance of a contract.
To prevent fraud and maintain security on our website and app . To improve your browsing experience based on your technical device information.Technical details (e.g. technical device information such as type of device used, browser used, IP address, location, device unique identifier, network information, login information).
Legitimate interests.
Analytics from browsing behaviourBrowsing information ( session recording of website pages and app pages: recording of interactions with our platforms)
Note: no personal information is captured.

Legitimate interests.
Research and statistics. To perform research to understand the use of our services on our website and app, in order to improve our services Identity details (e.g. name, age)
Information provided during the surveys, interviews and research sessions.
 Depending on the type of research, legitimate interest or consent.
To provide you with updates about our services, send newsletters and other marketing communicationsIdentity details ( name, age), contact details (email)
Health information
Order history.

Legitimate interests and when health information is used for marketing purposes, explicit consent.
Following up on our events or third party eventsIdentity details ( name)
Contact details (email)
Legitimate interests.
To assess your suitability for a job position Identity details ( name)
Contact details (email)
Work related information (e.g. work experience, right to work, references, interviews notes, DBS checks)
Compliance with legal obligation. 
Legitimate interests.

WHO DO WE SHARE YOUR DATA WITH?

 

Internally:

Your medical information is shared with our clinical staff to provide you with the medical service and our customer service can also access your record to assist our doctors, answer your queries, book your appointments and verify your identity.

In order to assist with bugs in our systems or any technical issues you might encounter, our IT people might need to access your account or the systems where your information is stored, including sensitive information.

Finally, the legal team might need to access some of your sensitive information in order to answer your data subject access requests.

Then access from employees or contractors is based on a need-to-know basis and we will always restrict access to the minimum required for them to perform their duties. 

All staff are required to comply with confidentiality obligations and required to perform an annual training on data protection and security. 

 

Externally 

We’re using the following categories of third parties and therefore share data with the following categories of providers:

  • Business partners, suppliers and subcontractors to provide the Services to you, such as cloud services to store your data, marketing and transactional emails providers, data analytics and research providers. 
  • Promotional events: We may share your data with an event organiser in order to organise your participation in the event.
  • Regulators/ Authorities/ Enforcement Agencies if we are under a duty to disclose or share your personal data in order to meet any legal requirement, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of our clients or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and with medical organisations such as the Care Quality Commission or the General Medical Council.
  • Prospective buyers of our business under our legitimate interest to ensure our business can be continued by the buyer.
  • Your GP: if you communicate the contact details of your GP with us, we will share your medical information with them, including any treatment prescribed. You can revoke your consent at any time.
  • Pharmacies: If you use Stella Plus, we will also share your personal data with our pharmacy partner, Chemist4U (UK Company Registration Number: 07262043 (Innox Trading Limited) and GPhC number 9011784 – please see https://www.pharmacyregulation.org/registers/pharmacy/name/chemist4u). You can contact Chemist4U directly by phone on 01695 474433 or by email at support@chemist-4-u.com. Chemist4U’s superintendent pharmacist at the time of drafting this policy is James O’Loan, MRPharmS (GPhC number 2084549). 

 

HOW DO WE PROTECT YOUR DATA?

We are committed to protecting your privacy and your personal information. As such, we put organisational and technical measures in place to protect your information from unauthorised or accidental access, alteration, disclosure or erasure.

We make sure that our staff is trained with an annual training requirement on data protection, information governance and cybersecurity. We also have policies in place that must be complied with by our staff to ensure that your data is protected. We enforce passwords and logins to access our systems as well as two factors authentication where possible. Our offices are secured with access with a badge, locked doors and a clean desk policy. We enforce a right of access policy to limit access to the data on a need-to-know basis.

On a technical side, we encrypt your data, use firewalls to keep your data from unauthorised access and your payment transactions are done though PCI compliant providers. 

 

 WHERE IS MY DATA STORED?

All information you provide to us is end-to-end encrypted between your device and our cloud servers based in the UK and EU. We also work with suppliers or contractors who may store data outside of the UK and EU in which case we will put the appropriate instruments in place to comply with the regulations such as standard contractual clauses if there are no adequacy decisions in place as well as performing a due diligence of the supplier/contractor.

For transfer of data from the UK to the EEA or the EEA to the UK, an adequacy decision is in place which means that both the country sending the data and the country receiving it have a comparable data protection regime. 

 

HOW LONG DO WE KEEP YOUR DATA FOR?

We will only retain your personal data for as long as we need it to fulfil the purposes we collected it for and we will periodically review the personal data in our reviews to ensure we are only holding what is necessary.  

Your medical records are retained for a duration of 8 years from collection as per the NHS Records Management Code of Practice for Health and Social Care 2021 ( guidelines for public and private healthcare providers). 

We keep your account details until you request a deletion of your data or notify us that you want to stop using our services. Unless we have a legal or regulatory reason to keep them for longer.

Our research and product teams will retain your information for 2 years after the research. We might also anonymise data for longer but in this case no information will identify you.

We keep your data about your use of our services and technical data in a pseudonymous format until you request a deletion of your data.

And for marketing purposes, your data is retained as long as you have an active account with us. 

Please note that we may need or be required to keep your data for longer in order to be able to comply with our legal, accounting or regulatory requirements. 

If we are relying on your consent to hold your personal data, you can withdraw this consent at any time and we can remove your data. Personal data that is no longer required is removed using technology designed to prevent the recovery of the personal data.

 

WHAT ARE YOUR RIGHTS UNDER DATA PROTECTION LAW?

 

You have various rights under the Data Protection Act 2-18 and GDPR, which are:

  • access your personal data or request a copy of your data (right of access)
  • correct incomplete or inaccurate information we hold about you (right to rectification);
  • ask us to erase the personal data we hold about you (right to erasure); in certain circumstances, we will not be able to delete your personal data. As a provider of healthcare services, we have to retain your medical records for a set period of time or we might also need to keep your data for longer in order to establish, exercise or defend legal claims.
  • ask us to restrict our handling of your personal data (right to restriction of processing);
  • ask us to transfer your personal data to a third party (right to portability); Please note that this right applies to the personal data you provided us with and only where we process your data based on your consent or performance of a contract and where the processing is automated.
  • object to how we are using your personal data ( right to object to processing).

 

If you want to exercise any of these rights, you can contact us at privacy@vira.health and indicate the subject of your request.

You also have the right to lodge a complaint about our processing with a supervisory authority the ICO in the UK ( https://ico.org.uk/make-a-complaint/). If you are based outside of England and Wales, you can find your relevant supervisory authority here.

  

QUESTIONS, COMMENTS AND MORE DETAIL

Your feedback and suggestions on this policy are welcome.

We’ve worked hard to create a policy that’s easy to read and clear. But if you feel that we have overlooked an important perspective or used language which you think we could improve, please let us know by email at privacy@vira.health.

If you’d prefer, you can always get in touch with us by post to our registered office at 22 Highbury Grove, Unit 401, London, United Kingdom, N5 2EF.

 

 LINKS

Please note, if you follow a link to a third party website or application from Vira, these third parties may have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.

 

 COOKIES AND TRACKING TECHNOLOGIES

 Cookies is a small file of letters and numbers that we store on your browser or the hard drive of your computer. They have several purposes such as distinguishing you from other users of our sites to help us to provide you with a good experience when you browse our sites and to improve your experience.

 

There are different types of cookies and tracking technologies: 

 

  • Strictly necessary cookies.These are used to enable the core functionality of our website such as security, network management and accessibility. Their use is necessary for the website to work properly. 
  • Functional cookies. These cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedback, and other third-party features.
  • Analytics and performance cookies: These are used to understand how visitors interact with the website. These cookies help provide information on the number of visitors, traffic source, how users behave on our pages etc.
  • Advertisement cookies: they are used to provide you with relevant ads and marketing campaigns. across sites and collect information to provide more customised and personalised advertising.

You can manage the cookie directly from your browser:  https://www.aboutcookies.org/how-to-control-cookies/

 

Please note that to remove cookies already set, you will need to go into your browser to de-install them or clear them. 

Also note that, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

COOKIEPURPOSEDURATION
FacebookAdvertising: to display ads3 months
CookieYesEssential: for cookie consent preferences11 months
AkamaiEssential: for security to distinguish between humans and bots2 hours
CloudflareFunctional: for security of our website30 minutes
IntercomFunctional: provide a unique browser identifierUp to 1 week
KlaviyoAnalytics: opening of the website from the email2 years
Google AnalyticsAnalytics2 years
YouTubeAnalytics, AdvertisingUp to 2 years
Scorecard ResearchAnalytics: browser behaviour2 years
HotjarAnalytics: identify new user session30 minutes
MailchimpAdvertising: evaluate UI/UI interactions1 year