Privacy policy | Doctor Care Anywhere

By continuing to use our website and services, you are deemed to agree to our terms and conditions and this Privacy Policy for the collection and processing your personal data. Please note that any consent that is given for the purposes of medical consultation or examination is a separate consent from that granted for the processing of your personal data.

This Privacy Policy sets out our use of any and all data collected by us in relation to your use of our website, www.doctorcareanywhere.com (“Website”). The Website is operated by Doctor Care Anywhere Limited (” Doctor Care Anywhere”, “we”, “us” and “our”). our Registered Office is at Second Floor, Harmsworth House, 13-15 Bouverie Street, London, EC4Y 8DP and our Company Registration Number is 086140224. We operate a different policy for information processed in connection with any account that you might have with us both on our Platform and elsewhere.

For the purposes of the processing your personal data, we are the data controller (as set out under EU General Data Protection Regulation 2016 (GDPR). We are committed to protecting your privacy, both on-line and in the real world. We appreciate that you do not want the personal information you provide to us distributed indiscriminately and here we explain how we collect information, what we do with it and what controls you have over our processing of your information.

This Policy should be read in conjunction with our Terms which can be found here. We may amend or update this Privacy Policy from time to time as set out in clause 4 of the Terms, and will publish revised versions on this website. This Privacy Policy is current from 13th Aug 2018.

Under GDPR we will ensure that your personal data is processed lawfully, fairly, and transparently, without adversely affecting your rights. We will only process your personal data if at least one of the following basis applies:

you have given consent to the processing of your personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which you are a party or in order to take steps at the request of you prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which we are subject;
processing is necessary to protect the vital interests of you or of another natural person;
processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and/or
processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Unless otherwise specified, any processing of personal data under taken by us or by one of our authorised subcontractors including doctors and pharmacists or our call centre operatives, relating to providing our healthcare services to a customer, an Authorised User of our Platform (or their dependants) is processed on the basis of our contractual relationship (or in anticipation of a contractual relationship). Where we do not have, or are not anticipating, a contractual relationship with a data subject (for example where processing personal data relating to a child or other dependant, we will generally be processing that data on the basis of legitimate interests.

In addition, where the personal data that we will be processing is “special data” which should be given additional safeguards, such as health information, we will only process that information if there is a valid special condition for processing (as set out in Article 9 of the GDPR). For the purposes of health data, we will rely on Special Condition Article 10(2)(h) (processing of health data where there are adequate safeguards and confidentiality obligations in place).

If we are processing personal data for the purposes of marketing, we will only do so if we have express consent of the data subject.

1. Information we may collect from you:

We may collect and process the following information about you:

Registration: information (such as your name, date of birth, email address, postal address, telephone number, profile picture and NHS number) that you provide by completing forms on the Platform, including if you register as a user of the Platform, subscribe to any of our services or those of a third party hosted on the Platform, upload or submit any material via the Platform or request information from us;
Account sign-in: in connection with the account sign-in process, your password and log-in details;
Payments and purchases: details of any transactions made by you through the Platform while logged into your account will be recorded;
IP address and URL: your activity on our Website (automatically collected) when you use or log on to any of sites or Platforms and the site you exit to.
When you contact us: communications you send to us, for example to report a problem or to submit queries, concerns or comments regarding the Platform or its content;
Research and surveys: information from surveys that we may, from time to time, run on the Platform for research purposes, if you choose to respond to them;
Use of the Platform: details of your visits to the Platform, the resources you access and any data you download;
Insurance data: insurance policy numbers submitted by you on the Platform, for example where you access the platform via an account provided by an insurance provider;
Health data: medical information about you including your medical history, illnesses, prescriptions, allergies, height, weight and other medical information which you might discuss with a doctor as part of your use of the services made available through the Platform. We also record the notes, video and telephone conversations of your consultations with our doctors on the Platform.

You are under no obligation to provide any such information. However, if you should choose to withhold requested information, we may not be able to provide you with certain services.

2. Uses made of your information

We will use the information you provide to:

enable us to provide you with the services and information offered through the Platform and which you request from us, for example to arrange a consultation. This may include sharing your data with one of our third party service providers such as our consultant doctors or pharmacists, and sharing limited data with our call centre operatives;
provide and administer your access and to our website and your account with us;
verify and carry out financial transactions in relation to payments you make online;
verify your identity and your parental guardianship relationship with any child dependants;
respond to communications from you;
supply you with email, for example newsletters, alerts that you might have subscribed to (you may unsubscribe or opt-out at any time by following our Unsubscribe instructions)

We need to use your personal information for those purposes to provide our services and to perform our contract with you. In some cases, the collection of data may be a statutory or contractual requirement and we will be limited in the services that we can provide you with without your consent to Us to be able to use such data.

We also collect, store and use the personal information listed above to:

audit the downloading of data from the Platform to improve our service;
learn and improve the layout and/or content of the pages of the Platform and better customise them for users;
identify visitors to the Platform;
carry out research on our user demographics; and
tailor the information we send to you on the basis of the health data that you submit using the Platform.

We have a legitimate interest in using your personal information for these purposes, so that we can constantly improve our Platform and our services, and to ensure that we are only sending you information that is going to be useful or relevant to you.

Finally, we use your personal information to:

send you information we think you may find useful or which you have requested from us, including information about our products and services or those of carefully selected third parties (such as information on relevant treatment and care offered by third parties), provided you have consented to being contacted for these purposes;
allow, with your consent, carefully selected third parties to send you information directly which you may find useful regarding their products and services.

You can tell us not to contact you with information regarding our products and services or those of third parties or to share your details with third parties so that they can send you information regarding their products and services, in your profile on the Platform or where you do not wish us to continue to use your information in this way by following the unsubscribe instructions on any communications sent to you. You can also exercise the right at any time by contacting us using the contact details at the end of this privacy policy.

3. Information shared with others

Information that identifies you: We will only share personal information, from which you can be identified, in certain limited circumstances as described below.

Doctors

We may share medical information about you, including your medical history, illnesses and prescriptions, with our doctors (all of whom are registered with the General Medical Council). We share your medical information with doctors in order to enable them to better assess health conditions, advise you and deliver the services that you request (in accordance with our terms and conditions). We may share your medical information with our doctors located outside the European Economic Area ("EEA"), including North America and Australia.

Please be aware that countries which are outside the EEA may not offer the same level of data protection as the United Kingdom, although our collection, storage and use of your personal information will continue to be governed by this privacy policy. We ensure that all data transferred to doctors is protected by proper and appropriate safeguards and our doctors are all bound by contractual obligations, which incorporate the European Commission's Model Clauses, to ensure all doctors keep the personal information they receive safe, confidential and only use it for the purposes for which it is provided to them.

Insurers

Unless the Terms and Conditions relating to your access and use of the Platform expressly state otherwise, we will not share any personal information, including medical records, with your insurer. If this situation changes, we will ask you before we share information in this way, unless you have already indicated your consent directly to your insurer. We may share your medical information related to certain referral pathways directly with your insurer, but only with your consent at the time of the consultation.

Pharmacies

To process a prescription for medication on the Platform (as offered by a doctor or requested by you in accordance with our Terms and Conditions), it may be necessary to share basic identification data (such as your name, postal address, email address and phone number) with our dispensing pharmacy affiliate, taking all reasonable steps to protect your personal information, for the purposes of the pharmacy verifying your identification on collection of your prescription.

If you are outside of the EEA and following a consultation, you have been prescribed medication, the prescription for your medication will be available for your collection through our Platform. You may need to provide your chosen pharmacy with your essential personal information (such as your name, postal address, email and phone number) for the purpose of that pharmacy verifying your information on collection of your prescription. Any personal information provided to the pharmacist will be processed with your express consent and held on the basis of their privacy policy and is outside of our control.

Partner providing you with the Healthcare Scheme

We may share certain basic identification information (such as name, date of birth, email and phone details) with our Partner who provides you with the Healthcare Scheme in order for them to verify your eligibility to use / continue to use the Service, to check you are happy with the Service you are receiving, for analytical purposes and to assist such Partners in improving their products, processes and services.

Call centre

We may share certain basic identification information (such as name, date of birth, email and phone details) with our out-of-hours call centre [operated by a third-party provider], when you contact customer services in order to properly track and deal with whatever issues you have raised.

These call centre operatives may be located outside the UK but will be based within the EEA unless we otherwise inform you.

Messaging providers

Some data from phone or text messaging communications may be temporarily transferred to, and stored on, servers located outside of the EEA.

Twilio our voice and text message provider are based in the United States. Twilio are a GDPR compliant organisation registered with Privacy Shield and ISO 27001 certified. Twilio are bound by contract to Doctor Care Anywhere containing the EU Standard Contractual Clauses for GDPR. More information can be found on Twilio's website.

Identity Checking Services

We will share certain identification information (such as name, date of birth, address, gender, identity document containing biometric data and photograph of data subjects face) with our identity checking partner:

Onfido Limited provides certain ID verification services provided by Doctor Care Anywhere. By accepting this privacy policy, you agree to be bound by the Privacy Policy of Onfido Limited.

Information that does not identify you

We may disclose aggregate statistics about visitors to the Platform, users and sales in order to describe our services to prospective partners, investors, advertisers, sponsors and other reputable third parties and for other lawful purposes, but these statistics will include no personally identifiable information.

We will not disclose, sell or rent your personal information to any third party unless you have consented to this first. If you do consent but later change your mind, you may contact us, and we will cease any such activity. However, in the event that we undergo re-organisation or are sold to a third party, you agree that any personal information we hold about you may be transferred to that re-organised entity or third party.

We may also disclose your personal information if required to do so by law or if we believe that such action is necessary to prevent fraud or cyber-crime or to protect the Platform or the rights, property or personal safety of any person.

4. Our use and storage of medical information

All medical and other health information collected and supplied to Doctor Care Anywhere will be treated as strictly confidential and all such data will be held strictly in accordance with, and as long as required, under UK regulatory codes of practice on records management and data privacy laws.

How long we keep your medical data: All health records are retained in digital form by our subsidiary company, Doctor Care Anywhere, in a secure and encrypted environment and are confidentially stored in accordance with the retention periods set out in the NHS code of practice on records management, which may be updated from time-to-time. A copy of the code can be found here. We also maintain our own internal Data Retention Policy, on which our staff are trained, which is regularly reviewed to ensure compliance with industry best practices.

What we do with consultation notes:

Audio and video records: as agreed in our contract with you, Doctor Care Anywhere will make audio and video recordings of your Appointment for training, quality, clinical governance and account management purposes which will be treated as confidential and will be held safely and securely and strictly in accordance with, and as long as required, under UK regulatory codes of practice on records management. These recordings will not be made available to any other party without your prior written consent.

Sharing information with GPs: Whilst in certain circumstances we may strongly encourage you to inform your regular in-person GP of any health concerns you may have discussed with your doctor, we will not share information with your regular GP unless we have your express permission or there is an overriding public interest in disclosing the information without your consent. This is in accordance with the General Medical Council’s guidance which may from time-to-time change. This guidance can be found here.

Security and encryption: Doctor Care Anywhere runs in a HTTPS secure mode - and encrypts all audio, video and text information shared during your consultation. There are clear procedures in place to ensure paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage. Nevertheless, electronic transmissions sent via the internet are never completely private or secure and there is a risk, therefore, that any such electronic communications sent may be intercepted and potentially read by others. You should ensure that any computer or telephone you use to access your online patient record is suitably protected from potential interception.

Doctor Care Anywhere is ISO27001:2013 Certified (Information Security).

5. Additional information

When you visit the Website, we may automatically collect additional information about you, such as the type of internet browser you use, the Website from which you have come to the Website and your IP address (the unique address which identifies your computer on the internet) which is automatically recognised by our web server. You cannot be identified from this information and it is only used to assist us in providing an effective service on the Website and to collect broad demographic information for aggregate use.

We use Hotjar in order to better understand our users’ needs and to optimize this service and experience. Hotjar is a technology service that helps us better understand our users experience (e.g. how much time they spend on which pages, which links they choose to click, what users do and don’t like, etc.) and this enables us to build and maintain our service with user feedback. Hotjar uses cookies and other technologies to collect data on our users’ behavior and their devices (in particular device's IP address (captured and stored only in anonymized form), device screen size, device type (unique device identifiers), browser information, geographic location (country only), preferred language used to display our website). Hotjar stores this information in a pseudonymized user profile. Neither Hotjar nor we will ever use this information to identify individual users or to match it with further data on an individual user.

You can opt-out to the creation of a user profile, Hotjar’s storing of data about your usage of our site and Hotjar’s use of tracking cookies on other websites by following this opt-out link.

6. Cookies

The Website also uses cookies or similar technology to collect information about your access to the Website.

Cookies are pieces of information that include a unique reference code that a website transfers to your device to store and sometimes track information about you. A number of cookies we use last only for the duration of your web session and expire when you close your browser. Other cookies are used to remember you when you return to the Website and will last for longer.

We use cookies to:

remember that you have used the Website before (this means we can identify the number of unique visitors we receive and allows us to make sure that we have enough capacity for the number of Users we get);
allow you to navigate the Website more quickly and easily;
remember your login session so you can move from one page to another within the Website;
store your preferences;
customise elements of the layout and/or content of the pages of the Website for you; and
collect statistical information about how you use the Website so that we can improve the Website.

All cookies used on our Website are set by us.
Most computer and some mobile web browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting www.allaboutcookies.org which includes additional useful information on cookies and how to block cookies using different types of browser. Please note however, that by blocking or deleting cookies you may not be able to take full advantage of the Website.

Our cookies will be used for:

Essential session management
creating a specific log-in session for a visitor to the Website in order that the Website remembers that a visitor is logged in and that their page requests are delivered in an effective, secure and consistent manner;
recognising when a visitor to the Website has visited before allowing us to identify the number of unique visitors we receive to the Website and make sure we have enough capacity for the number of users that we get;
recognising when a visitor to the Website is a registered member;
we may also log information from your computer including the existence of cookies, your IP address and information about your browser program in order to allow us to diagnose problems, administer and track your usage of our services.

Functionality

customising elements of the promotional layout and/or content of the pages of the Website for example by storing a country code and providing users with content relevant to their country.
These essential session management and functionality cookies are necessary in order for us to be able to provide our Platform to you.

Performance and measurement

collecting statistical information about how our visitors use the Website so that we can improve the Website and learn which parts are most popular to visitors.

We have a legitimate interest in using any personal information collected through performance and measurement cookies, so that we can constantly improve our Platform and our services.

7. External links

The Platform may, from time to time, contain links to external sites affiliated to us or run by independent third parties. Please note that this Privacy Policy applies only to the personal information that we collect through this website and we cannot be responsible for personal information that third parties may collect, store and use through their website and we are not responsible for the privacy policies or the content of such sites. You should always read the privacy policy of each website you visit carefully.

8. Payment processing

Payments made on the Platform are made through our payment solutions provider Stripe at www.stripe.com, 3180 18th Street, Suite 100, San Francisco, CA 94110, USA. You will be providing your email address and your credit or debit card information directly to “Stripe”, a company located in the USA and which operates a secure server to process payment details, encrypting your credit/debit card information and authorising payment. Information which you supply to Stripe is not within our control and is subject to Stripe’s own privacy policy and terms and conditions available at Stripe's website.

9. Security

We place great importance on the security of all personally identifiable information associated with our users. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal information under our control. our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to personal information. Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it from occurring.

You should bear in mind that submission of information over the internet is never entirely secure and whilst we take appropriate technical and organisational measures to safeguard the personal information you provide to use, we cannot guarantee the security of information you submit via the Platform whilst it is in transit over the internet and any such submission is at your own risk.

You should always close your browser when you have finished your user session to help ensure others do not access your personal information, particularly if you use a shared computer or a computer in a public place.

10. Storage of your information

Information that you submit via the Platform is sent to and stored on secure servers located in the EU (except for the specific exceptions set out in this policy, including certain recorded data processed and stored by our communications software provider). This is necessary in order to process the information in accordance with this policy and our internal privacy policy.

11. Your rights

You have a legal right to access the personal information we hold about you at any time.

You also have a right to ask us to: update and correct any out-of-date information or errors in that information free of charge; object to our use of your personal information for certain purposes; erase your personal information; and transfer to you or (where technically possible) another organisation a copy of the personal information about you that has been provided to us.

Where we are processing your personal data on the basis of consent, You may withdraw your consent for Doctor Care Anywhere to use your personal data as set above at any time by contacting Doctor Care Anywhere using the details below, and subject to the regulatory and legal requirements for Doctor Care Anywhere to retain certain information on your medical history and your doctor consultation notes, you can withdraw your consent to our use of any of your personal information at any time, including any data sharing, using the settings in your Doctor Care Anywhere profile or by calling +44 (0)330 088 4980 or emailing contactus@doctorcareanywhere.com.

You also have the right to lodge a complaint at any time about our treatment of your personal information with a relevant supervisory authority (including, the Information Commissioner's Office in the UK).

The different ways to contact the ICO’s office can be found at https://ico.org.uk/global/contact-us/

Automated Decision-Making and Profiling

In the event that Doctor Care Anywhere use personal data for the purposes of automated decision-making and those decisions have a legal (or similarly significant effect) on you, you have the right to challenge to such decisions under GDPR, requesting human intervention, expressing their own point of view, and obtaining an explanation of the decision from Doctor Care Anywhere.

The right described above does not apply in the following circumstances:

The decision is necessary for the entry into, or performance of, a contract between Doctor Care Anywhere and you;
The decision is authorised by law; or
You have given your explicit consent.

Where Doctor Care Anywhere uses your personal data for profiling purposes, the following shall apply:

Clear information explaining the profiling will be provided, including its significance and the likely consequences;
Appropriate mathematical or statistical procedures will be used;
Technical and organisational measures necessary to minimise the risk of errors and to enable such errors to be easily corrected shall be implemented; and
All personal data processed for profiling purposes shall be secured in order to prevent discriminatory effects arising out of profiling.

12. Contacting us

UK and non EU Nationals

If you want to raise a question to us or otherwise exercise your rights in respect of your personal data, you may do so by:

sending an email to DPO@doctorcareanywhere.com, or
mailing your inquiry to Data Protection Officer, Doctor Care Anywhere, Second Floor, Harmsworth House, 13-15 Bouverie Street, London, EC4Y 8DP

We will ask you for proof of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.

EU Nationals

Contacting Doctor Care Anywhere via their Data Protection Representative DataRep

Doctor Care Anywhere Limited, which processes the personal data of individuals in the European Union and European Economic Area, in either the role of 'data controller' or 'data processor', has appointed DataRep as its Data Protection Representative for the purposes of GDPR.

If Doctor Care Anywhere Limited has processed or is processing your personal data, you may be entitled to exercise your rights under GDPR in respect of that personal data. For more details on the rights you have in respect of your personal data, please refer to the European Commission (https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu) or the national Data Protection Authority in your country.

Doctor Care Anywhere Limited takes the protection of personal data seriously and has appointed Data Rep as their Data Protection Representative in the European Union so that you can contact them directly in your home country. DataRep has locations in each of the 27 EU countries and Norway & Iceland in the European Economic Area (EEA), so that Doctor Care Anywhere Limited's customers can always raise the questions they want with them.

If you want to raise a question to Doctor Care Anywhere Limited, or otherwise exercise your rights in respect of your personal data, you may do so by:

sending an email to DataRep at datarequest@datarep.com quoting <Doctor Care Anywhere Limited> in the subject line,
contacting DataRep on their online webform at www.datarep.com/data-request, or
mailing your inquiry to Data Rep at the most convenient of the addresses as set out below*

*PLEASE NOTE: when mailing inquiries. it is ESSENTIAL that you mark your letters for 'DataRep' and not 'Doctor Care Anywhere Limited', or your inquiry may not reach us. Please refer clearly to Doctor Care Anywhere Limited in your correspondence. On receiving your correspondence, Doctor Care Anywhere Limited is likely to request evidence of your identity, to ensure your personal data and information connected with it is not provided to anyone other than you.

If you have any concerns over how Data Rep will handle the personal data they will require to undertake their services, please refer to their privacy notice at www.datarep.com/privacy-policy.

Country	Address
Austria	DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Belgium	DataRep, Place de L'Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium
Bulgaria	DataRep, 132 Mimi Balkanska Str., Sofia, 1540, Bulgaria
Croatia	DataRep, Ground & 9th Floor, Hoto Tower, Savska cesta 32, Zagreb, 10000, Croatia
Cyprus	DataRep, Victory House, 205 Archbishop Makarios Avenue, Limassol, 3030, Cyprus
Czech Republic	DataRep, IQ Ostrava Ground floor, 28. rijna 3346/91, Ostrava-mesto, Moravska, Ostrava, Czech Republic
Denmark	DataRep, Lautruphøj 1-3, Ballerup, 2750, Denmark
Estonia	DataRep, 2^nd Floor, Tornimae 5, Tallinn, 10145, Estonia
Finland	DataRep, Luna House, 5.krs, Mannerheimintie 12 B, Helsinki, 00100, Finland
France	DataRep, 72 rue de Lessard, Rouen, 76100, France
Germany	DataRep, 3rd and 4th floor, Altmarkt 10 B/D, Dresden, 01067, Germany
Greece	DataRep, 24 Lagoumitzi str, Athens, 17671, Greece
Hungary	DataRep, President Centre, Kálmán Imre utca 1, Budapest, 1054, Hungary
Iceland	DataRep, Kalkofnsvegur 2, 101 Reykjavík, Iceland
Ireland	DataRep, The Cube, Monahan Road, Cork, T12 H1XY, Republic of Ireland
Italy	DataRep, BPM 335368, Via Roma 12, 10073 , Ciriè TO, Italy
Latvia	DataRep, 4th & 5th floors, 14 Terbatas Street, Riga, LV-1011, Latvia
Liechtenstein	DataRep, City Tower, Brückenkopfgasse 1/6. Stock, Graz, 8020, Austria
Lithuania	DataRep, 44A Gedimino Avenue, 01110 Vilnius, Lithuania
Luxembourg	DataRep, BPM 335368, Banzelt 4 A, 6921, Roodt-sur-Syre, Luxembourg
Malta	DataRep, Tower Business Centre, 2nd floor, Tower Street, Swatar, BKR4013, Malta
Netherlands	DataRep, Cuserstraat 93, Floor 2 and 3, Amsterdam, 1081 CN, Netherlands
Norway	DataRep, C.J. Hambros Plass 2c, Oslo, 0164, Norway
Poland	DataRep, Budynek Fronton ul Kamienna 21, Krakow, 31-403, Poland
Portugal	DataRep, Torre de Monsanto, Rua Afonso Praça 30, 7th floor, Algès, Lisbon, 1495-061, Portugal
Romania	DataRep, 15 Piaţa Charles de Gaulle, nr. 1-T, Bucureşti, Sectorul 1, 011857, Romania
Slovakia	DataRep, Apollo Business Centre II, Block E / 9th floor, 4D Prievozska, Bratislava, 821 09, Slovakia
Slovenia	DataRep, Trg. Republike 3, Floor 3, Ljubljana, 1000, Slovenia
Spain	DataRep, BPM 335368, Avd. Castilla La Mancha Nº 70-1 (Nave A), 45270, Mocejon-Toledo, Spain
Sweden	DataRep, S:t Johannesgatan 2, 4th floor, Malmo, SE - 211 46, Sweden

Privacy Policy archive 130818 to 080621