Standard data privacy

Applicable Law

Data processing by Oviva UK is subject to English law and as applicable, European law i.e. GDPR. Pursuant to applicable data protection regulations (UK GDPR, UK DPA 2018, etc.), we work to ensure Oviva users have appropriate protection of their privacy and personal data.

Measures for Data Security, Mechanism for Data Transfer & Storage

We comply with applicable data protection regulations. We protect your personal data appropriately with firewalls and other technical means (according to industry standards and applicable law). Only employees and agents of Oviva UK (which are obligated to maintain confidentiality) can access applicable data and only as reasonably necessary to perform their role. Other third parties do not have access to your data without your explicit consent or as explicitly noted herein (where the legal basis for same is not consent).

We use Google Cloud Platform (offered by Google Cloud EMEA Ltd, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland) to host the data. Your data is processed on servers in Germany. Google is an international organisation which is why we have a data processing contract with Google, including EU standard contractual clauses, according to which Google must comply with European data protection standards to guarantee a level of data protection that corresponds to that of the UK.

For further information, please refer to Google’s privacy policy ( and the security notices for Google Cloud services ( The processing of your data in the Google Cloud Platform is based on your consent, the performance of the contract, and/or legitimate interest (legal bases for processing under applicable data protection regulations).

Please note, data is stored within the app “Oviva” on your mobile device, and the encryption depends on your device. If your smartphone is lost or stolen, there is a risk your data can be accessed. The person using the Oviva app is encouraged to password-protect their smartphone and use a device that includes encryption. The individual user of Oviva bears all risks for data loss from lost or stolen devices.

Use of the Data

Your personal data, as well as all data collected during a treatment (e.g. data about activity, weight, etc., including from connected external apps, as applicable e.g. Fitbit, Apple HealthKit, Google Fit) will only be used for rendering Services according to contractual obligations and as outlined herein. When Oviva UK is providing NHS Services, personal data is exchanged between Oviva UK and referring NHS healthcare professionals (e.g. your GP practice) for the purposes of caregiving and safeguarding. We also record telephone calls as needed for optimal caregiving, safeguarding, customer service, and quality management purposes.

Non-personally identifiable (or anonymised) data on Service users is shared with NHS commissioning bodies and contractually relevant parties for the purposes of evaluating our Services and/or for research. Such data may be used by Oviva and authorised affiliates (i.e. NHS) for research and publication purposes and can be analysed and used to improve our Service (optimisation, further development and research).

Oviva UK works with certain non-NHS providers to provide Services such as Pulse Healthcare Limited and Ingeus UK Limited which Oviva has contracts to legally share data with to provide Services. Data will only be shared pursuant to applicable laws and contracts with these providers. Should you have any questions regarding how data is shared with respect to such providers, please enquire via email to our Data Protection Officer (DPO):

Regarding Oviva UK provided digital diabetes prevention services on behalf of Ingeus UK, Ingeus shares the personal information of participants to allow Oviva to initiate the service. Ingeus provides initial contact information to Oviva, when the participant chooses to engage in the digital service rather than face to face delivery option. Ingeus is the data controller of the information provided and Oviva only uses the information to support the delivery of the service. Oviva will provide information to Ingeus on the progress of participants, to support the management and quality assurance of the programme.

We use third-party service providers, such as Freshworks Inc (“Freshworks”) to enable interaction with you on our website and/or our product. As a data processor acting on our behalf, Freshworks automatically receives and records certain information of yours. Freshworks performs analytics on such data on our behalf which helps us improve our Service(s) to you. You can read about the cookies Freshworks sets in their cookie policy here:

The Privacy Settings (prompted to you as pop-up on our website and/or accessible to you by clicking on round icon on bottom left corner of website with fingerprint icon in centre) on our website outlines use of cookies, tags, trackers, and/or analytic tools used on the website which you may opt in and out of as indicated. This gives you further control over how your data will be processed via our website.

Furthermore, you have the right and ability to opt out of certain uses or sharing of your data, please see below section titled “Subject Access Requests, Changing & Deleting Your Personal Data”. The reason you cannot opt out of all data sharing with us is that we would be unable to provide you with Service(s).

Categories of Personal Data Processed

Personal information such as: name, date of birth, email address, and mobile number (these preceding items are necessary for us to provide you Services), we also may collect optional personal data such as race, sex, ethnicity, etc. to best tailor our Services to you.

Health data such as: medical conditions, prescriptions, weight, blood glucose, etc. so that we may provide our Services to you.

Cookie data, as noted below in our Cookie Policy and above with regard to Freshworks. Cookie data collected is based on your consent and as noted below, you may opt in and out of this as well as tailor what we process in your Privacy Settings; please see Cookie Policy below.

Data Retention Period

Your personal data is retained only for as long as necessary, per contract and in accordance with data protection regulations. We retain the data we collect for different periods of time depending on what type of data it is, how we use it, and the legal basis for processing that data. This is all mapped out by us and actioned internally.

Most data is deleted automatically after a set period of time (time periods vary based on type of data i.e. certain data has to be kept for 8 years per NHS contracts/retention standards). Other data is deleted or anonymised automatically after a set period of time. Some data you can delete whenever you like, such as the personal data you submit which we no longer have an obligation to hold (i.e. obligation to hold for NHS for their reporting purposes). We keep some (limited) data until you delete your account, such as information about how often you use our services. Finally, some data we retain for longer periods of time when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention, or financial record-keeping.

Should you have any questions on this, please e-mail our DPO:

Legal Bases for Processing

We must have a legal basis to process each bit of your personal data. The type of basis will vary based on the type of data, parties involved, etc. The legal bases relied upon in processing of your personal data are:

  • Consent;
  • Performance of a contract;
  • Legitimate interest;
  • Public interest; or
  • Legal obligation.

For clarity, these legal bases are explained in more detail here:


We ask for your agreement to process applicable data for specific purposes and you have the right to withdraw your consent at any time. For example, we may ask for your consent to provide you with extra services which may require your sharing of additional data (not already consented to or covered by a legal basis of processing already), such as to be put in (optional) group chat.

Performance of a contract

This is where we have a contract with you or another party which requires us to process your data to fulfil our contractual obligations. For example, where we have a contract with the NHS to provide our Services to you and this might entail us at the direction of the NHS, to process data from a previous
or outgoing NHS provider for similar or the same services we will be providing via NHS contract. Thus, the NHS might require us to receive/process information from the previous/outgoing provider to perform our Services to you to fulfil our contractual obligations to the NHS.

Legitimate interest

We may process your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we may process your information for things such as:

  • Providing, maintaining and improving our services to meet the needs of our users
  • Developing new products and features that are useful for our users
  • Understanding how people use our services to ensure and improve the performance of our services
  • Customising our services to provide you with a better user experience
  • Marketing to inform users about our services
  • Providing advertising
  • Detecting, preventing or otherwise addressing fraud, abuse, security or technical issues with our services
  • Protecting against harm to the rights, property or safety of Oviva, our users or the public as required or permitted by law i.e. disclosing information to government authorities
  • Performing research that improves our services for our users and benefits the public – Fulfilling obligations to our partners like developers and rights holders
  • Enforcing legal claims, including investigation of potential violations of applicable Terms.

Public Interest

We process data which in the public interest as we are using your data to improve not only your health, but also the wider public’s in that our processing, analyses, research, etc. goes to improving public health. For example, we are commissioned by the NHS to do such activities on this legal basis.

Legal obligation

Finally, we may process your data when we have a legal obligation to do so. For example, if we’re responding to legal process or an enforceable governmental request . This would be highly unusual in our experience, but nonetheless, it’s possible we could need to process your data on this basis.

Should you have any questions on which may apply to your particular personal data, please e-mail our DPO:

Subject Access Requests, Changing & Deleting Personal Data

You can make a Subject Access Request (SAR) to change or delete the personal data entrusted to us at any time if you request same with a copy of your identification (passport, driving license) by mail to Oviva UK Limited, Runway East, 20 St Thomas Street, London, SE1 9RS, United Kingdom or by e-mail to We will oblige your request except for any data which might be required for us keep on file for a specified timeframe for compliance with applicable law(s), NHS standards/regulations, etc.

Your Rights Regarding Your Personal Data

Under data protection legislation, data subjects have the following rights with regards to their personal information:

  • the right to be informed about the collection and the use of their personal data – the right to access personal data and supplementary information
  • the right to have inaccurate personal data rectified, or completed if it is incomplete – the right to erasure (to be forgotten) in certain circumstances
  • the right to restrict processing in certain circumstances
  • the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
  • the right to object to processing in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to withdraw consent at any time (where relevant)
  • the right to complain to the Information Commissioner

Should you have any questions about your rights, please e-mail our DPO: