Standard data privacy

FEBRUARY 2024

Applicable Law

Data processing by Oviva UK is subject to English law and as applicable, European law i.e. GDPR. Pursuant to applicable data protection regulations (UK GDPR, UK DPA 2018, etc.), we work to ensure Oviva users have appropriate protection of their privacy and personal data.

Categories of Personal Data

With regard to each of your visits to our technology and/or Services, we may collect, store and process the following information about you:

Personal Information such as name, address, date of birth, National Health Service number, email address, and mobile number (in order to provide you with Services), we may also collect optional personal data such as race, sex, ethnicity, etc. to best tailor our Services to you.

Health Data: medical conditions, prescriptions, weight, blood glucose, etc. so that we may provide our Services to you. This may include data collected during a treatment (e.g. data about activity, weight, etc., including from connected external apps, as applicable e.g. Fitbit, Apple HealthKit, Google Fit) will only be used for rendering Services according to contractual obligations and as outlined herein. When Oviva UK is providing NHS Services, personal data is exchanged between Oviva UK and referring NHS healthcare professionals (e.g. your GP practice) for the purposes of caregiving and safeguarding. We also record all calls to ensure a high level of service is provided. During those calls, your personal data may be processed for the purposes of delivering the services, training our staff, fact verification and quality management.

Cookie Data: our technology uses cookies to distinguish you from other users of our services. This helps us to provide you with a good experience when you navigate our technology and also allows us to improve our technology and services.
For detailed information on the cookies we use and the purposes for which We use them see the section “Information about Our use of Cookies” below.as described in our Cookie Policy and above with regard to Freshworks. Cookie data collected is based on your consent and as noted below, you may opt in and out of this as well as tailor what we process in your Privacy Settings; please see Cookie Policy below.

Technical information: including the type of mobile device you use, mobile network information, your mobile operating system, the type of mobile browser you use (Device Information), Internet Protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from Our Site(s), (including date and time); product you viewed or search for; page response times, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from the page and any phone number used to call Our customer service number (Other Information).

Location Information: We may also use GPS technology to determine your current location. Some of Our location-enabled Services require your personal data for the feature to work. If you wish to use the particular feature, you will be asked to consent to your data being used for this purpose. You can enable or disable location services when you use our Service at any time through your mobile device settings (Location Information).

Usage & Activity Data: detailing your use of technology and/or your visits to any of platforms and the resources that you access (Log Information);

Psydonymised and Codified Personal Data: which contains personal data, which is subject to de-coding may be shared with NHS commissioning bodies and contractually relevant parties for the purposes of NHS Service administration (including national and regional NHS invoicing), evaluating our Services and/or for research.
Such data may also be used by Oviva and authorised affiliates (i.e. NHS) for research and publication purposes and can be analysed and used to improve our Service (optimisation, further development and research).

Uses made of the information

We use your personal information to:

  • carry out our obligations arising from any contracts entered into with you and to provide you with the information, products and services that you have requested;
  • provide you with NHS-funded services and additional services or offers that we feel may be of interest to you, which are relevant to your circumstances. You can opt out of receiving any communication you receive at any time;
  • contact you by electronic means (e-mail or SMS) with information about services We feel may be of benefit to you. If you are a new customer, We will contact you by electronic means only if you have consented to this;
  • notify you about changes to our Service;
  • ensure that content on our technology is presented in the most effective manner for you and for your computer.
    administer our technology and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes;
  • improve our technology to ensure that content is presented in the most effective manner for you and for your device/computer;
    to allow you to participate in interactive features of Our service, when you choose to do so;
  • as part of our efforts to keep our technology and systems safe and secure;

Disclosure of your information

We may disclose your personal information to business partners, suppliers, sub-contractors and third party services providers to deliver the contracts and services you have requested.

Oviva UK works with certain non-NHS providers to provide Services such as Pulse Healthcare Limited and Ingeus UK Limited which Oviva has contracts to legally share data with to provide Services. Data will only be shared pursuant to applicable laws and contracts with these providers. Should you have any questions regarding how data is shared with respect to such providers, please enquire via email to our Data Protection Officer (DPO): privacy@oviva.com.

Regarding Oviva UK provided digital diabetes prevention services on behalf of Ingeus UK, Ingeus shares the personal information of participants to allow Oviva to initiate the service. Ingeus provides initial contact information to Oviva, when the participant chooses to engage in the digital service rather than face to face delivery option. Ingeus is the data controller of the information provided and Oviva only uses the information to support the delivery of the service. Oviva will provide information to Ingeus on the progress of participants, to support the management and quality assurance of the programme.

If you participate in the Oviva Tier 3 Weight Management programme, your data might be shared with HelloSelf Limited, 9th Floor 107 Cheapside, London, United Kingdom, EC2V 6DN for the psychological support element of our programme. The following data may be shared: your name, date of birth email, phone number, current or past diagnosis and any other information that was included on the referral form or has been shared with your Oviva coach. HelloSelf Limited provides us summary documents from each of your consultations.

We use third-party service providers, such as Freshworks Inc (“Freshworks”) to enable interaction with you on our website and/or our product. As a data processor acting on our behalf, Freshworks automatically receives and records certain information of yours. Freshworks performs analytics on such data on our behalf which helps us improve our Service(s) to you. You can read about the cookies Freshworks sets in their cookie policy here: https://www.freshworks.com/list-of-cookies/.

To support our nutritional advice, we also use the services of Microsoft Azure of Microsoft Ireland Operations Limited, inter alia, to develop nutritional plans and to create other nutritional tips. In this process, personal data is also passed on to Microsoft Ireland Operations Limited. We have therefore concluded a data processing agreement with this company. Microsoft Ireland Operations Limited may transfer personal data to Microsoft Corporation in the USA based on EU standard contractual clauses pursuant to Art. 44, Art. 46 (2) c) GDPR. You can find the EU standard contractual clauses at https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en=. For further details, please enquire via email to our Data Protection Officer (DPO): privacy@oviva.com.

The Privacy Settings (prompted to you as pop-up on our website and/or accessible to you by clicking on the round icon on bottom left corner of our website with fingerprint icon in centre) on our website outlines use of cookies, tags, trackers, and/or analytic tools used on the website which you may opt in and out of as indicated. This gives you further control over how your data will be processed via our website.

You have the right and ability to opt out of certain uses or sharing of your data, please see below section titled “Subject Access Requests, Changing & Deleting Your Personal Data”.

Where we store your Personal Data

All information you provide to Us is stored on secure servers held in both the European Economic Area (EEA) and GDPR-compliant international data processors only. Where international data processors are used, all appropriate technical and legal safeguards will be put in place to ensure that you are afforded the same level of protection as within the EEA.

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our technology, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

The transmission of information via the internet is not completely secure, however we will do our best to protect your personal data, We cannot guarantee the security of your data transmitted to our technology and any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access.Data Retention Period

Your personal data is retained only for as long as necessary, per contract and in accordance with data protection regulations. We retain the data we collect for different periods of time depending on what type of data it is, how we use it, and the legal basis for processing that data. This is all mapped out by us and actioned internally.

Most data is deleted automatically after a set period of time (time periods vary based on type of data i.e. certain data has to be kept for 8 years per NHS contracts/retention standards). Other data is deleted or anonymised automatically after a set period of time. Some data you can delete whenever you like, such as the personal data you submit which we no longer have an obligation to hold (i.e. obligation to hold for NHS for their reporting purposes). We keep some (limited) data until you delete your account, such as information about how often you use our services. Finally, some data we retain for longer periods of time when necessary for legitimate business or legal purposes, such as security, fraud and abuse prevention, or financial record-keeping.

Should you have any questions on this, please e-mail our DPO: privacy@oviva.com.

Our Legal Bases for Processing

We must have a legal basis to process each bit of your personal data. The type of basis will vary based on the type of data, parties involved, etc. The legal bases relied upon in processing of your personal data are:

  • Consent (Art. 6 (1) a) UK GDPR);
  • Performance of a contract (Art. 6 (1) b) UK GDPR);
  • Legitimate interest (Art. 6 (1) f) UK GDPR);
  • Public interest (Art. 6 (1) e) UK GDPR); or
  • Legal obligation (Art. 6 (1) c) UK GDPR).

For clarity, these legal bases are explained in more detail here:

Consent

In order to deliver your services, we ask for your agreement to process certain data for specific purposes. You have the right to withdraw your consent at any time, however the refusal may not erase all historical personal data processed if there are other legal grounds for the processing. We may ask for additional consents to provide you with extra services which may require your sharing of additional data (not already consented to or covered by a legal basis of processing already), such as to be put in (optional) group chat.

Performance of a contract

This is where we have a contract with you or another party which requires us to process your data to fulfil our contractual obligations. For example, where we have a contract with the NHS to provide our services to you and this might entail us at the direction of the NHS, to process data from a previous or outgoing NHS provider for similar or the same services we will be providing via NHS contract. Thus, the NHS might require us to receive/process information from the previous/outgoing provider to perform our Services to you to fulfil our contractual obligations to the NHS.

Legitimate interest

We may process your information for our legitimate interests and those of third parties while applying appropriate safeguards that protect your privacy. This means that we may process your information for things such as:

  • Providing, maintaining and improving our services to meet the needs of our users
  • Developing new products and features that are useful for our users
  • Understanding how people use our services to ensure and improve the performance of our services
  • Customising our services to provide you with a better user experience
  • Marketing to inform users about our services
  • Providing advertising
  • Detecting, preventing or otherwise addressing fraud, abuse, security or technical issues with our services
  • Protecting against harm to the rights, property or safety of Oviva, our users or the public as required or permitted by law i.e. disclosing information to government authorities
  • Performing research that improves our services for our users and benefits the public – Fulfilling obligations to our partners like developers and rights holders
  • Enforcing legal claims, including investigation of potential violations of applicable Terms.

Public Interest

We process data which in the public interest as we are using your data to improve not only your health, but also the wider public’s in that our processing, analyses, research, etc. goes to improving public health. For example, we are commissioned by the NHS to do such activities on this legal basis.

Legal obligation

Finally, we may process your data when we have a legal obligation to do so. For example, if we’re responding to legal process or an enforceable governmental request. This would be highly unusual in our experience, but nonetheless, it’s possible we could need to process your data on this basis.

Should you have any questions on which may apply to your particular personal data, please e-mail our DPO: privacy@oviva.com.

Measures for Data Security, Mechanism for Data Transfer & Storage

We comply with applicable data protection regulations. We protect your personal data appropriately with firewalls and other technical means (according to industry standards and applicable law). Only employees and agents of Oviva UK (which are obligated to maintain confidentiality) can access applicable data and only as reasonably necessary to perform their role. Other third parties do not have access to your data without your explicit consent or as explicitly noted herein (where the legal basis for same is not consent).

We use Google Cloud Platform (offered by Google Cloud EMEA Ltd, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland) to host the data. Your data is processed on servers in Germany. We have concluded a data processing agreement with Google Cloud EMEA Ltd. It is part of an international company group. Therefore, it cannot be ruled out that Google Cloud EMEA Ltd. will transfer personal data to third countries. Insofar as personal data is transferred by Google Cloud EMEA Ltd. to a third country outside the UK and European Economic Area for which there is no adequacy decision, this is done on the basis of EU standard contractual clauses pursuant to Art. 44, Art. 46 (2) c) GDPR. You can find the EU standard contractual clauses at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=de. Please feel free to contact us for further details.

For further information, please refer to Google’s privacy policy (https://www.google.com/policies/privacy) and the security notices for Google Cloud services (https://cloud.google.com/security/privacy/). The processing of your data in the Google Cloud Platform is based on your consent, the performance of the contract, and/or legitimate interest (legal bases for processing under applicable data protection regulations).

Please note, data is stored within the app “Oviva” on your mobile device, and the encryption depends on your device. If your smartphone is lost or stolen, there is a risk your data can be accessed. The person using the Oviva app is encouraged to password-protect their smartphone and use a device that includes encryption. The individual user of Oviva bears all risks for data loss from lost or stolen devices.

Subject Access Requests, Changing & Deleting Personal Data

You can make a Subject Access Request (SAR) to change or delete the personal data entrusted to us at any time if you request same with a copy of your identification (passport, driving license) by mail to Oviva UK Limited, Runway East, 20 St Thomas Street, London, SE1 9RS, United Kingdom or by e-mail to privacy@oviva.com. We will oblige your request except for any data which might be required for us keep on file for a specified timeframe for compliance with applicable law(s), NHS standards/regulations, etc.

Your Rights Regarding Your Personal Data

Under data protection legislation, data subjects have the following rights with regards to their personal information:

  • the right to be informed about the collection and the use of their personal data – the right to access personal data and supplementary information
  • the right to have inaccurate personal data rectified, or completed if it is incomplete – the right to erasure (to be forgotten) in certain circumstances
  • the right to restrict processing in certain circumstances
  • the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
  • the right to object to processing in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to withdraw consent at any time (where relevant)
  • the right to complain to the Information Commissioner

Contact

Should you have any questions about your rights, please e-mail our DPO: privacy@oviva.com