For the purposes of processing your personal data, we are the data controller (as set out under EU General Data Protection Regulation 2016 - GDPR). We are committed to protecting your privacy, both online and in the real world. We appreciate that you do not want the personal information you provide to us distributed indiscriminately, and here we explain how we collect information, what we do with it and what controls you have over our processing of your information.
This Policy should be read in conjunction with our Terms and Conditions which can be found here.
Under GDPR, we will ensure that your personal data is processed lawfully, fairly, and transparently, without adversely affecting your rights. We will only process your personal data if at least one of the following bases applies:
you have given consent to the processing of your personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which you are a party or in order to take steps at your request prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which we are subject;
processing is necessary to protect the vital interests of you or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and/or
processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Unless otherwise specified, any processing of personal data undertaken by us or by one of our authorised subcontractors including health care professionals and pharmacists, relating to providing our healthcare services to a customer, an Authorised User of our Platform (or their dependants) is processed on the basis of our contractual relationship (or in anticipation of a contractual relationship). Where we do not have, or are not anticipating, a contractual relationship with a data subject (for example where processing personal data relating to a child or other dependant), we will generally be processing that data on the basis of legitimate interests.
In addition, where the personal data that we will be processing is “special data” which should be given additional safeguards, such as health information, we will only process that information if there is a valid special condition for processing (as set out in Article 9 of the GDPR). For the purposes of health data, we will rely on Special Condition Article 10(2)(h) (processing of health data where there are adequate safeguards and confidentiality obligations in place).
If we are processing personal data for the purposes of marketing, we will only do so if we have the express consent of the data subject.
1. Information we may collect from you
We may collect and process the following information about you:
Registration: information (such as your name, date of birth, email address, postal address, telephone number) that you provide by completing forms on the Platform, including if you register as a user of the Platform, subscribe to any of our services or those of a third party hosted on the Platform, upload or submit any material via the Platform or request information from us;
Payments and purchases: details of any transactions made by you through the Platform while logged into your account will be recorded;
IP address and URL: your activity on our Website (automatically collected) when you use or log on to any of our sites or Platforms;
When you contact us: communications you send to us, for example to report a problem or to submit queries, concerns or comments regarding the Platform or its content;
Research and surveys: information from surveys that we may, from time to time, run on the Platform for research purposes, if you choose to respond to them;
Use of the Platform: details of your visits to the Platform, the resources you access and any data you download;
Health data: medical information about you including your medical history, illnesses, prescriptions, allergies, height, weight and other medical information which you might discuss with a health care professional as part of your use of the services made available through the Platform. We also record the notes, video and telephone conversations of your consultations with our health care professionals on the Platform. You are under no obligation to provide any such information. However, if you should choose to withhold requested information, we may not be able to provide you with certain services and may refer you to a more appropriate health service.
2. Uses made of your information
We will use the information you provide to:
enable us to provide you with the services and information offered through the Platform and which you request from us, for example to arrange a consultation. This may include sharing your data with one of our third-party service providers such as our health care professionals, pharmacists or technology partners;
provide and administer your access to our website and your account with us;
verify and carry out financial transactions in relation to payments you make online;
verify your identity;
respond to communications from you;
supply you with emails, for example newsletters or alerts that you might have subscribed to.
We need to use your personal information for those purposes to provide our services to you. In some cases, the collection of data may be a requirement and we will be limited in the services that we can provide to you without your consent to be able to use such data.
We also collect, store and use the personal information listed above to:
audit the downloading of data from the Platform to improve our service;
learn and improve the layout and/or content of the pages of the Platform and better customise them for users;
identify visitors to the Platform;
carry out research on our user demographics; and
tailor the information we send to you on the basis of the health data that you submit using the Platform.
We have a legitimate interest in using your personal information for these purposes, so that we can constantly improve our Platform and our services, and to ensure that we are only sending you information that is going to be useful or relevant to you.
Finally, we use your personal information to:
send you information we think you may find useful or which you have requested from us, including information about our products and services or those of carefully selected third parties (such as information on relevant treatment and care offered by third parties), provided you have consented to being contacted for these purposes.
Note that as a fully digital service, Leva will be using emails to share and collect personal information. All communications sent from Leva are secure. However, we cannot guarantee that your email service provider has implemented the necessary measures to keep your emails safe. The following risks must also be taken into account when using email:
Email may be forwarded, printed and stored in paper and electronic forms and be received by unintended recipients.
Email may be sent to the wrong address by any sender or receiver.
Email service providers have a right to store and inspect emails.
Copies of email may exist even after the sender or the receiver has deleted his or her copy.
Email may be intercepted, altered, or used without detection or authorisation.
Email may spread computer viruses.
Email delivery is not guaranteed.
3. Information shared with others
Information that identifies you
We will only share personal information, from which you can be identified, in certain limited circumstances as described below.
Our Medical staff
We may share medical information about you, including your medical history, illnesses and prescriptions, with our medical staff. All our health care professionals are registered with the appropriate body. We share your medical information with our medical staff in order to enable them to better assess health conditions, advise you and deliver our services.
We ensure that all data transferred to our health care professionals is protected by proper and appropriate safeguards and our medical staff are all bound by contractual obligations, which incorporate the European Commission's Model Clauses, to ensure all staff keep the personal information they receive safe, confidential and only use it for the purposes for which it is provided to them.
In order to process a prescription for medication on the Platform (as offered by a health care professional or requested by you in accordance with our Terms and Conditions), it may be necessary to share basic identification data (such as your name, postal address, email address and phone number) with our dispensing pharmacy affiliate, taking all reasonable steps to protect your personal information, for the purposes of the pharmacy verifying your identification on collection of your prescription.
Partner providing you with the Healthcare Scheme
We may share certain basic identification information (such as name, date of birth, email and phone details) with our Partner who provides you with the Healthcare Scheme in order for them to verify your eligibility to use / continue to use the Service, to check you are happy with the Service you are receiving, for analytical purposes and to assist such Partners in improving their products, processes and services.
HeyDoc, our clinical system provider, is based in the United Kingdom. HeyDoc is a GDPR compliant organisation that follows the highest security standards (data encryption at rest and in transit, MFA, disaster recovery backup). More information can be found on the HeyDoc website. All data saved on HeyDoc are stored in the UK.
Our clinical team utilises the Microsoft O365 apps to take notes and create the necessary documents to operate the clinic. They are also using Microsoft Teams to organise and run online consultations. All data added to Leva Clinic's Microsoft O365 environment are stored in the EEA, fully encrypted and only available to staff involved in patients' care.
Identity Checking Services
Information that does not identify you
We may disclose aggregate statistics about visitors to the Platform, users and sales in order to describe our services to prospective partners, investors, advertisers, sponsors and other reputable third parties and for other lawful purposes, but these statistics will include no personally identifiable information.
We will not disclose, sell or rent your personal information to any third party unless you have consented to this first. If you do consent but later change your mind, you may contact us, and we will cease any such activity. However, in the event that we undergo re-organisation or are sold to a third party, you agree that any personal information we hold about you may be transferred to that re-organised entity or third-party.
We may also disclose your personal information if required to do so by law or if we believe that such action is necessary to prevent fraud or cyber-crime or to protect the Platform or the rights, property or personal safety of any person.
4. Our use and storage of medical information
All medical and other health information collected and supplied to Leva will be treated as strictly confidential and all such data will be held strictly in accordance with, and as long as required, under UK regulatory codes of practice on records management and data privacy laws.
How long we keep your medical data
All health records are retained in digital form by Leva in a secure and encrypted environment and are confidentially stored in accordance with the retention periods set out in the NHS code of practice on records management, which may be updated from time-to-time.
A copy of the code can be found here. We also maintain our own internal Data Retention Policy, on which our staff are trained, which is regularly reviewed to ensure compliance with industry best practices.
What we do with consultation notes
Audio and video records
As agreed in our contract with you, Leva will make audio and video recordings of your Appointment for training, quality, clinical governance and account management purposes which will be treated as confidential and will be held safely and securely and strictly in accordance with, and as long as required, under UK regulatory codes of practice on records management. These recordings will not be made available to any other party without your prior written consent.
Sharing information with GPs:
As stipulated in our terms and conditions, we will be sharing information with your GPs or other healthcare professionals involved in your care after collecting your consent. We will refer you to another more appropriate health service if you fail to do so.
Security and encryption:
Leva runs in HTTPS secure mode and encrypts all audio, video and text information shared during your consultation. There are clear procedures in place to ensure paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage. Nevertheless, electronic transmissions sent via the internet are never completely private or secure and there is a risk, therefore, that any such electronic communications sent may be intercepted and potentially read by others. You should ensure that any computer or telephone you use to access your online patient record is suitably protected from potential interception.
5. Additional information
When you visit the Website, we may automatically collect additional information about you, such as the type of internet browser you use, the website from which you have come to the Website and your IP address (the unique address which identifies your computer on the internet) which is automatically recognised by our web server. You cannot be identified from this information and it is only used to assist us in providing an effective service on the Website and to collect broad demographic information for aggregate use.
remember that you have used the Website before (this means we can identify the number of unique visitors we receive and allows us to make sure that we have enough capacity for the number of Users we get);
allow you to navigate the Website more quickly and easily;
remember your login session so you can move from one page to another within the Website;
store your preferences;
customise elements of the layout and/or content of the pages of the Website for you; and
collect statistical information about how you use the Website so that we can improve the Website.
You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the Website.
Our cookies will be used for:
Essential session management
recognising when a visitor to the Website has visited before allowing us to identify the number of unique visitors we receive to the Website and make sure we have enough capacity for the number of users that we get;
we may also log information from your computer including the existence of cookies, your IP address and information about your browser program in order to allow us to diagnose problems, administer and track your usage of our services.
Performance and measurement
collecting statistical information about how our visitors use the Website so that we can improve the Website and learn which parts are most popular to visitors. We have a legitimate interest in using any personal information collected through performance and measurement cookies, so that we can constantly improve our Platform and our services.
7. External links
8. Payment processing
We place great importance on the security of all personally identifiable information associated with our users. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal information under our control. Our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to personal information.
Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it from occurring.
You should bear in mind that submission of information over the internet is never entirely secure and whilst we take appropriate technical and organisational measures to safeguard the personal information you provide to us, we cannot guarantee the security of information you submit via the Platform whilst it is in transit over the internet and any such submission is at your own risk.
You should always close your browser when you have finished your user session to help ensure others do not access your personal information, particularly if you use a shared computer or a computer in a public place.
10. Storage of your information
11. Your rights
You have a legal right to access the personal information we hold about you at any time.
You also have a right to ask us to:
update and correct any out-of-date information or errors in that information free of charge;
object to our use of your personal information for certain purposes;
erase your personal information;
transfer to you or (where technically possible) another organisation a copy of the personal information about you that has been provided to us.
Where we are processing your personal data on the basis of consent, you may withdraw your consent for Leva to use your personal data as set out above at any time by contacting Leva using the details below. Subject to the regulatory and legal requirements for Leva to retain certain information on your medical history and your consultation notes, you can withdraw your consent to our use of any of your personal information at any time by emailing firstname.lastname@example.org.
You also have the right to lodge a complaint at any time about our treatment of your personal information with a relevant supervisory authority (including the Information Commissioner's Office in the UK). The different ways to contact the ICO's office can be found on the ICO's website.
12. Contacting us
IASO Ltd, 1 Shorrolds Road, SW67TR, London, UK
You can also contact Arnaud Moline, our Data Protection Officer by emailing