Privacy Policy

Last Updated Date: 22 February 2025

 

1. Introduction

 

Health by Science (“we,” “us,” or “our”) is committed to protecting the privacy and security of your personal data. As a data controller, we are responsible for ensuring that your data is processed lawfully, fairly, and transparently. This policy explains how we collect, use, and disclose your information in connection with our services, website, and app. This policy applies to all users of our services within the United Kingdom.

 

2. Information We Collect

We collect information in several ways:

  • Directly from you: When you fill out forms on our website, contact us, or complete surveys. This may include your name, contact details, and specific health information such as your medical history, current symptoms, and lifestyle habits. We collect this information to provide you with personalised services and support.
  • Through Acuity Scheduling: When you book appointments through Acuity Scheduling (a Squarespace company), we collect information like your name, contact details, and appointment history. This information is used to manage your appointments and provide you with appointment reminders. For more information on how Acuity Scheduling processes your data, please refer to their [privacy policy](link to Acuity Scheduling privacy policy).
  • During consultations: We use Google Meet and Heidi AI to conduct video consultations. Google Meet facilitates the video conferencing, while Heidi AI generates automated notes, which may include pseudonymised health information. This information is used to maintain accurate records of your consultations and provide you with personalised care. For more information on how Google Meet and Heidi AI process your data, please refer to [Google’s privacy policy](link to Google’s privacy policy) and [Heidi AI’s privacy policy](link to Heidi AI’s privacy policy).
  • Through our website and app: We use cookies and Uncanny Automator to track user engagement data, such as page visits and content views. This data is anonymised and aggregated to analyse trends and improve our services. For detailed information about the cookies we use, please refer to our [cookie policy](link to cookie policy).

 

3. How We Use Your Information

We use your information for the following purposes:

  • Providing and improving our services: This includes using your health information to provide personalised advice, conducting consultations, generating automated notes, and managing your appointments.
  • Communicating with you: This includes sending you appointment reminders, updates about our services, and responding to your inquiries.
  • Fulfilling our contractual obligations: This includes processing payments and maintaining accurate records.
  • Complying with legal requirements: This includes retaining health records for 8 years in line with HCPC guidelines (link to HCPC guidelines).
  • Analysing user engagement with our website and app: This includes using anonymised and aggregated data to improve our services and website functionality.

Legal Basis for Processing:

We process your personal data based on the following legal bases:

  • Consent: For marketing communications and certain types of data processing, we will obtain your explicit consent.
  • Contract: We process your data to fulfil our contractual obligations when you engage our services.
  • Legal Obligation: We process your data to comply with legal requirements, such as retaining health records.
  • Legitimate Interest: We process your data for our legitimate interests, such as improving our services and website functionality, provided that these interests do not override your fundamental rights and freedoms.

 

4. Data Sharing

We may share your information with:

  • Data processors: We share data with the following data processors:
    • Acuity Scheduling: For managing appointments.
    • Google (for Google Meet and Drive): For conducting video consultations and storing data.
    • Heidi AI: For generating automated notes.
    • Zapier: For automating workflows.
    • Typeform: For collecting information via online forms.
    • MessageBird: For communication purposes.
    • 360 Dialog: For managing communication channels.
    • Intercom: For customer communication and support.
    • Octopods: For managing customer relationships.

We have data processing agreements in place with these providers to ensure GDPR compliance.

  • Authorised Health by Science staff: Only staff members with appropriate data protection training and a need-to-know basis have access to your information. All staff members have signed confidentiality agreements.

 

5. Data Security

We implement appropriate security measures to protect your data, including:

  • Encryption: We use encryption to protect data both in transit and at rest. This includes SSL encryption for our website and end-to-end encryption for video consultations.
  • Access controls: We restrict access to personal data based on roles and responsibilities.
  • Staff training: We provide staff training on data protection and security procedures.
  • Regular security audits: We conduct regular security audits and vulnerability assessments to identify and address potential security risks.
  • Data breach notification: In the event of a data breach, we will notify you and the relevant authorities in accordance with applicable data protection laws.

For a visual representation of our security framework, please see [link to mymap.ai].

 

6. Data Retention

We retain your data for as long as necessary to fulfil the purposes outlined in this policy and to comply with legal obligations. Specific retention periods include:

  • Health records: 8 years in line with HCPC guidelines.
  • Zapier data: Up to 69 days, with backups retained for 4 months.
  • Other data: We will retain other data for as long as necessary for the specific purpose for which it was collected.

7. International Data Transfers

 

Some of our data processors are based outside the EEA. We ensure that appropriate safeguards are in place for international data transfers, such as:

  • EU-U.S. Data Privacy Framework: For data transfers to the U.S.
  • UK GDPR: For data transfers to the UK.
  • Standard Contractual Clauses: For data transfers to other countries.

 

8. Your Rights

You have the following rights regarding your personal data:

  • Right of access: You can request a copy of the personal data we hold about you.
  • Right to rectification: You can request that we correct any inaccurate or incomplete data.
  • Right to erasure: You can request that we delete your personal data, subject to certain exceptions. You can submit a data removal request through our online form.
  • Right to restriction of processing: You can request that we restrict the processing of your data in certain circumstances.
  • Right to object: You can object to the processing of your data for direct marketing purposes or on grounds relating to your particular situation.
  • Right to data portability: You can request that we transfer your data to another organisation in a structured, commonly used, and machine-readable format.

To exercise your rights, please contact us at [email protected]. We will respond to your request within one month.

 

9. Cookies

We use cookies on our website to track user engagement and improve our services. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of this website may become inaccessible or not function properly.

 

9.1 What are cookies?

Cookies are small text files that are placed on your computer or mobile device when you visit a website. They are widely used to make websites work more efficiently, as well as to provide information to the owners of the site.  

9.2 How we use cookies

We use cookies on our website for the following purposes:

  • Essential cookies: These cookies are necessary for the website to function properly. They enable you to navigate the site and use its features, such as accessing secure areas.  
  • Performance cookies: These cookies collect information about how visitors use our website, such as which pages are most popular and if they receive error messages. This information is used to improve the performance and usability of our website.  
  • Functionality cookies: These cookies allow the website to remember choices you make (such as your username, language, or region) and provide enhanced, more personalised features.
  • Targeting/advertising cookies: These cookies are used to deliver adverts more relevant to you and your interests. They are also used to limit the number of times you see an advertisement and to help measure the effectiveness of advertising campaigns. 

 

10. Changes to this Policy

We may update this policy from time to time. Any changes will be posted on our website. We will notify you of significant changes by email or through a prominent notice on our website.

 

11. Contact Us

If you have any questions about this policy or our data processing practices, please contact us at:

Email: [email protected]

Postal Address: 98 Giles Street, Edinburgh, EH6 6BZ

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s data protection authority.
