SheMed Privacy Notice
We take your privacy seriously. We want you to know why we need certain information from you, what we are doing with it, and how we keep it secure.
1. What this privacy notice covers
This privacy notice explains how we handle your data when you
- use our SheMed app in the UK including any beta versions (SheMed App or App);
- use our UK website (https://www.shemed.co.uk/); and
- use our Services. This includes our Digital Services and participating in one of our Weight Loss Programmes.
We provide these services through companies in our group (Group Entities):
- Babylon Healthcare Services Limited trading as eMed (BHSL): the company that provides our medical services
- eMed Healthcare UK, Limited (eMed UK): the company that supplies the technology and software for these services and provides all other support services
- eMed LLC (eMed US): the company that supports eMed UK
When we talk about SheMed, us or we in this privacy notice, we mean eMed UK and BHSL. If we mean eMed US, we will specifically mention it.
eMed UK is the data controller of any non-health data collected through the App and the website. eMed UK and BHSL are both data controllers of any health and medical data we collect from you when you use our Services. We may share your data with eMed LLC who acts as data processor on behalf of eMed UK and BHSL. This means that we are responsible for how your personal data is handled and what it is used for through eMed UK and BHSL. If you wish to exercise any of your rights, both companies act as one.
Please read this Privacy Notice along with SheMed Terms and Conditions (SheMed Terms). Any capitalised words that are not defined in this document will have the meaning ascribed to them in SheMed Terms.
2. What data we hold and how we get it
Personal data is any information we have that can identify you, such as your name, medical history or payment card details.
a. Personal details
When you register with us, we ask you for your
- Name
- Date of birth
- Address
- Gender identity and sex at birth
- Contact details
- Any information needed in order to enrol and determine your eligibility on one of our programmes
- A copy of your ID (identity documentation), such as a driving licence or passport
- Your GP details
The information you give us must be accurate. If you give us information about yourself or another person, you are confirming that you are authorised to do so.
b. Health and medical data
When you use our Services, we collect information about your health, including but not limited to
- general health and medical history (including information necessary to determine eligibility on one of our Weight Loss Programmes)
- Symptoms, treatments and any medications that may be prescribed to you
- conversations about your health and virtual check-ins including any notes, transcripts and video or audio recordings from them
- Information shared on the refill questionnaires
Some of this information comes directly from you, but it can also come from your GP. If you use our Weight Loss Programmes, we will send your notes to your GP and ask them to notify us if they are aware of any issues concerning your health that we are not.
c. Details of your conversations with us
We also keep a record of your conversations with our teams, including our customer support team. This is so we can monitor the quality of our service and improve it. This includes
- your emails, calls or live chat conversations with our support team and
- video and/or audio recordings from virtual check-ins and any interactions with our team members
d. Credit and debit card information
If you make a payment on the App or our website, your credit or debit card details as provided by you are processed by a third-party payment processing company. We do not store your full credit or debit card information, but we process the first 6 and last 4 digits of your card details and expiry date to display them back to you. We keep details of the transactions on our secure servers.
e. Technical information and analytics
When you use our App, or visit our website, we may collect the following data, where this is allowed by your device or browser settings:
- the IP address used to connect your mobile phone or other device to the internet;
- your browser information, such as Google Chrome or Apple Safari;
- login and operating system;
- the make and model of your device;
- resettable device identifiers;
- time zone, language and location settings - depending on how you access our Services, we get your location from your phone, internet browser, IP address or postal address;
- your mobile network provider and your location (based on your IP address);
- information about your visit to our website or app or use of our website or app or your navigation on our website or app, for example when you first visited the site or how many times you have visited or the actions you have performed;
- information about the products or services you viewed or used;
- app response times and updates;
- information about your interactions, like what notifications you opened; and
- any phone number used to call our customer service number.
We work with other companies that provide us with analytics and advertising services. This is to:
- help us understand how people interact with our services;
- provide the adverts for our services on the internet and affiliate marketing; and
- measure the performance of our services and our adverts.
f. Cookies
We also use 'cookies'. Cookies are files saved on your phone, tablet or computer when you visit a website. They collect information about how you use the website and the pages you visit.
You can find out more about how we use cookies in our cookie policy.
g. Information from third-party services
It is possible to log in through third-party identity providers such as Apple or Google. If you choose to do this, we will receive the following information about you from the third party:
- name
- email address
- username or ID
- Service eligibility when signing up with an employee id.
If you use login details from third parties, they may also process your login data, and they are solely responsible for handling this.
h. Children’s data
Our Services are not intended for anyone under the age of 18 and we do not knowingly collect information from anyone under the age of 18. If you are aware of anyone under the age of 18 using our Services, please contact us and we will take the required steps to delete such information and/or delete the account immediately.
3. What we use your data for and our legal bases
The table below gives information on how we use your data (processing purpose) and our legal reasons (legal bases) for using it. By law, we are required to identify an additional condition if we are using your health data for any purpose.
Processing purposes | Legal bases |
---|---|
To complete pre-contractual formalities or potential contractual processing like assessing your eligibility to participate in Weight Loss Programmes etc. and to enter into a contract with you like creating an account, authenticating etc. | Personal Data - Contract; Health Data - Health or social care (the provision of health care or treatment and the management of health care systems or services) |
To provide you with Services. For example (indicative list) | Personal Data - Contract; Health Data - Health or social care (the provision of health care or treatment and the management of health care systems or services) |
To carry out internal activities in order to provide you with the Services. For example (indicative list), | Personal Data - Legitimate Interest; Health Data - Health or social care (the provision of health care or treatment and the management of health care systems or services), scientific research purposes |
To process payments towards your use of Services in line with SheMed Terms | Personal Data - Contract |
To send essential information to you via email or SMS or App notifications such as OTP, transactional communications, technical notices and updates, security alerts, support and administrative messages. | Personal Data - Legitimate Interest |
To use your data for scientific research if you are part of the Adherence Weight Loss Programme and meet the inclusion criteria of the registered clinical study. We remove details that could identify you such as your name, address, contact details. | Personal Data - Legitimate Interest; Health Data - Scientific research purposes |
We may show, on our website or App or share with our partners, data that does not personally identify you, but which shows general trends like the number of users of our service or trends in a particular cohort of users or impact of the Weight Loss Programmes on the users. This is aggregated data. We may also use aggregated data as part of statistics that we collect on certain types of illness, symptoms and conditions and publish it. This is so we can improve our medical knowledge and help the users and the general public. | Personal Data - Legitimate Interest; If Health Data is used - statistical purposes with public interest |
To improve your experience and our Services - | Personal Data - Legitimate Interest; If Health Data is used - Explicit Consent |
To keep you up to date - we will send you updates via email or SMS or the App when | Personal Data - Consent; If Health Data is used - Explicit Consent |
To process for the purpose of safety or for compliance with law, regulation or government request. For example (indicative list) | Personal Data - Legal obligation, Legitimate Interest (depending on the processing purpose); If Health Data is shared - Health or social care (the management of health care systems or services), scientific research purposes, Reasons of substantial public interest (preventing or detecting unlawful acts), legal claims or judicial acts |
Processing to protect public health - we may process your data to protect public health. Your data could be vital to help research, monitor, track and manage public health emergencies, like pandemics. Your information may be shared in a way that is appropriate and lawful with organisations such as NHS, Public Health England, local authorities, health organisations and GPs. We will limit the use or sharing of data to the period of the emergency and will only share data to the extent necessary. | Personal Data - Public Task; Health Data - Public Health |
To process (including sharing) information in case of merger or acquisition or any reorganisation leading to transfer of our business or part of our business to a third party. In this case, we will notify you before sharing your personal data and obtain your explicit consent before sharing your health data. | Personal Data - Legitimate Interest; Health Data - Explicit Consent |
4. How and why we share your data
a. Sharing data with Group Entities
SheMed is based in the UK. We have Group Entities in the UK and USA as mentioned in Section 1. For efficiency, Group Entities support SheMed in delivering the Services to you. Any transfer of data including health data between SheMed and its Group Entities is governed by an intra-group data sharing agreement and is done in line with applicable data protection laws.
b. Sharing data with third parties
To help us deliver our Services we may share your personal data including health data with our partner organisations or service providers who we work jointly or in connection with to provide you with the Services. The table below explains the categories of organisations with whom we share your data along with the purpose.
Categories of recipient and purpose | Legal bases |
---|---|
Service Providers - we share data with our service providers (companies that provide services to us) such as our group companies for administrative or engineering or other support purposes who help us deliver the Services to you or third parties to store data on our behalf or to carry out or support any other processing purpose mentioned in Section 3 like authenticating logins, enabling prescription of medications, hosting our website, optimising processes, sending communications, collecting and analysing data, supporting us with marketing activities and performing other analytics etc. These service providers act in line with data protection laws and contractual terms that specify how they can process data on our behalf. To see the list of our service providers (Data Processors), please click here. | Personal Data - Legitimate Interest; If Health Data is shared, depending on the processing purpose for which it is shared the additional condition could be - Health or social care (the management of health care systems or services), scientific research purposes, consent. For specific information on the additional condition, please refer to Section 3. |
Partners - we share data with our partners who provide services to you or have partnered with us. These include: our delivery partner who delivers your purchases or medications to you; our partner pharmacies to issue medications that may be prescribed; our blood testing lab; our affiliate marketing partners to let them know when you make a purchase (no health data is shared). To see the list of our partners, please click here. | Personal Data - Legitimate interests; If Health Data is shared - Health or social care (the provision of health care or treatment) |
We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information with other healthcare providers. We share information about your participation in Weight Loss Programme and other details with: your GP (whose details you provide); any other healthcare provider in case of emergency. | Personal Data - consent, vital interests; Health Data - consent, vital interests |
c. International transfers of data
Your personal data is mostly stored on servers in the UK. We work with companies outside the UK like the European Economic Area or other countries like the USA to help us deliver Services to you. These companies could be Group Entities in the USA or third parties. Any data transferred to companies outside the UK will always be in line with applicable data protection laws. Where appropriate (if the country’s level of data protection is not recognised by ICO to be comparable with UK’s data protection), transfer will be after using an appropriate safeguard, such as entering into a contract incorporating standard protection clauses issued in accordance with UK data protection law. For example, when we transfer data to our Group Entities in the USA or to our service providers in the USA we execute the UK International Data Transfer Agreement or International Data Transfer Addendum along with appropriate standard contractual clauses issued by the European Commission and carry out transfer risk assessments. To know more about the data we transfer outside the UK please contact dpo@shemed.com.
5. How we store your data
a. Personal Data including Health Data
We use appropriate technical and organisational measures to try to prevent unauthorised access, disclosures, alteration, destruction, loss, theft and misuse of the information. We take reasonably necessary steps, taking into account the nature of the personal data processed and risks associated with it including risks to your rights and freedoms, to make sure that your data is treated securely. Some measures include:
- i. All your personal data including health data is stored on secure servers.
- ii. We encrypt data in transit to and from the App, our website and the data at rest.
- iii. Data Protection Impact Assessments and Security Impact Assessments are conducted in case of high-risk processing activities; legitimate interest impact assessments are done when processing is based on legitimate interests.
- iv. Appropriate training is provided to employees who have access to personal data and we take appropriate disciplinary action if our employees are found responsible for any unauthorised disclosure, access, alteration, destruction, or misuse of your personal data.
- v. We adhere to ISO 27001 standards and maintain a current certificate of compliance.
You are responsible for ensuring that any one-time passwords shared with you and/or the authentication method to log in to your account are kept confidential. Please do not share them with anyone.
b. Credit and debit card information
We do not store your credit or debit card information, but we process the first 6 and last 4 digits of your card details and expiry date to display them back to you to identify your cards. Payments are processed through a third-party payment processing company that follows strict industry data security standards. These are known as Level 1 Payment Card Industry (PCI) data security standards. Any payments you make are encrypted using SSL/TLS technology (which converts the information into code to stop fraud).
6. How long we keep your data
We follow advice from the Department of Health and the British Medical Association on how long to keep information found in your medical records. This is called a 'retention period'. In some circumstances, we might keep data longer if other laws say we have to.
After the completion of the retention period, we follow industry standards to permanently delete your data from our systems or anonymise it so that you will not be identified.
Your information | How long we keep it (retention period) |
---|---|
Medical records including any medical history and health information provided by you | We keep your medical records for 8 years from completion of your health care with us. If you use our Services during the retention period, then the retention period will reset and begin again from the end of the second period of use. |
Audio or video recordings of virtual check-ins | This has your health information. This is kept in the same way as your medical records. |
Communications with support teams - phone calls, emails and live chats | It will be kept for 6 years from the date of your communication with us. |
7. Your rights
Under data protection law, you have the right to:
- a. Withdraw or change your consent at any time, if we are using your data in a certain way based on your consent. You can do this by
- Going to your account settings in the App and selecting Preferences
- Clicking on the unsubscribe link provided at the bottom of marketing communications sent to you
- Writing to dpo@shemed.com
- b. Ask for a copy of the personal data we hold about you. Your data is stored in line with our legal obligations as detailed in Section 6 above.
- c. Ask us to correct information that is wrong, delete it, or ask that we only use it for certain purposes. There might be times when we are not able to help, like if the law allows us to continue using your data or our legal or medical obligations say we cannot delete the data.
- d. Ask us to restrict any automated (computer-made) decisions made with your data.
- e. Ask for your data to be provided in a portable format that allows you to move, copy or transfer it or ask us to send it in this format to someone else.
To exercise your rights, please contact our support team. We may ask you for proof of identity. Data protection laws give us one month to get back to you.
If you have any queries about how we process your information, please contact us via email at dpo@shemed.com or write to us at
The DPO
SheMed (eMed Healthcare UK, Limited)
184-192 Drummond St
London
NW1 3HP
We are regulated by the Information Commissioner's Office (ICO). If you are not happy with any aspect of our data handling, you can complain to the ICO directly. You can contact them at:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Phone: 0303 123 1113
8. Changes to this privacy notice
We might update this privacy notice from time to time. If we make any important changes, we will let you know, and give you the chance to review them.
If you agree to the changes, you do not need to do anything. Just keep using our services with the updated privacy notice and we will assume you are happy with the way we use your data.
If you do not agree to the changes, then you can stop using our services at any time.