Privacy Notice

This privacy notice explains how personal data is collected and used in connection with www.healthhut.org.uk (the “Website”) and related customer journeys on that website.

For the healthhut.org.uk retail website and retail customer account, Health Hut Professionals Ltd. is the controller of the personal data described in this notice, unless we tell you otherwise at the relevant point of collection.

Some services made available through or signposted from this website are provided under separate service arrangements and have their own privacy notice. In particular:

  • NHS repeat prescription services are subject to the privacy information shown in that service journey.

Where a separate privacy notice applies, that notice explains the additional or different ways in which your personal data is used for that service. We may also provide additional privacy information at the point where you start a particular service, complete a consultation, upload documents or images, place an order, sign up for marketing, or contact customer support.

If you are unsure which notice applies to you, please contact us using the details at the end of this notice.

Health Hut Professionals Ltd. is registered with the Information Commissioner’s Office under registration number ZB147176.

We believe in giving our patients the best possible care, which includes taking care of your privacy so that you feel you can trust us and have confidence in the way we handle your information.

Our Privacy Notice tells you what personal data we collect and why, explains your rights, describes the types of data we might share about you, and sets out how we keep your information secure.

To help you understand how we treat your personal data, please read the following Notice carefully.

We encourage you to only use this service if you are completely happy with the service we offer, and the practices outlined in this Notice.

Please note, our website may contain links to other websites which are provided for your convenience. We are only responsible for the privacy practices and security of this Website. We recommend that you check the privacy and security policies and procedures of each and every other website that you visit.

Changes to this privacy notice

We keep this privacy notice under review and may update it from time to time.

The latest version will always be published on this page. Where appropriate, we will take additional steps to bring material changes to your attention.

The Personal Data We Collect

Depending on how you use the website and services, we may collect the following categories of personal data:

  • Identity data, such as your name, title, date of birth and, where relevant, identity verification details.
  • Contact data, such as your billing address, delivery address, email address and telephone number.
  • Account data, such as your login details, account settings, password reset history and preferences.
  • Transaction and order data, such as the products and services you order, delivery or collection choices, payment status, refunds and order history.
  • Communications data, such as emails, call recordings, webchat messages, contact form submissions, complaints, reviews, survey responses and social media interactions with us.
  • Marketing and preference data, such as your contact preferences, consent choices, marketing responses and whether you have unsubscribed or objected to direct marketing.
  • Technical and usage data, such as your IP address, browser type, device type, operating system, pages viewed, links used, cookie identifiers, search terms and other information about how you use our website.
  • Healthcare and clinical data, where you choose to use a healthcare or online prescribing service linked from this website. Additional details are set out in the privacy notice shown in that service journey.
  • Verification and fraud-prevention data, where relevant, such as information used to verify your identity, age, eligibility, security or to prevent misuse of our services.

We may also collect any other personal data you choose to provide to us.

Some information is mandatory because we need it to provide the relevant service. We will make this clear at the point of collection.

Use of Tracking technologies in emails

Where we send marketing emails, we may use technologies such as tracking pixels or similar tools to understand whether an email has been opened, whether links have been used, what type of device or email client has been used, and how our campaigns perform.

We use this information to measure campaign performance, understand engagement, improve our communications and, where permitted, tailor future marketing.

Where these technologies require consent, we will only use them if you have given that consent.

You can stop receiving marketing emails at any time by clicking the unsubscribe link in any marketing email. You can also change your preferences in your account.

Further information about cookies and similar technologies is available in our Cookie Notice.

Purpose of Using Tracking Pixels

The information collected through tracking pixels is used for the following purposes:

  • Performance Monitoring: To measure the effectiveness of our email campaigns and understand what content resonates with our audience.
  • Personalisation: To provide more relevant content and offers based on your interactions with our emails.
  • User Engagement: To better understand your engagement with our emails and improve our communication strategies.
  • Shared information: Anonymised analytics may be shared internally and externally. We may verify actions performed by email recipients on a case-by-case basis, when required.

Your Control Over Tracking

If you do not wish tracking pixels to collect this information, you can opt out by:

  • Unsubscribing: You can unsubscribe from our email list by clicking the unsubscribe link at the bottom of any of our emails.
  • Email Client Settings: Some email clients, such as Apple Mail, allow you to disable the automatic downloading of images. A tracking pixel is a remotely loaded image, so if images are not downloaded the pixel cannot report that the email was opened.

We may supplement the information that you provide with information gathered from our communications with you or received from other organisations, such as other companies in our group.

This information may be combined with other information you provide to us, as described above.

Information we receive from other sources

We may receive personal data about you from other sources where this is necessary to provide a service, manage our relationship with you, protect our business, or comply with legal or regulatory obligations.

Depending on the service you use, these sources may include:

  • other companies within our group, where you use more than one of our services;
  • payment, fraud-prevention or identity-check providers;
  • delivery, fulfilment, dispensing, laboratory or other service partners involved in the service you use;
  • analytics, advertising and social media partners, where you have consented to the relevant cookies or similar technologies; and
  • regulators, public authorities or publicly available sources, where this is necessary for legal, compliance or safeguarding reasons.

Where we receive personal data from another source, we will process it only where we have a lawful basis to do so.

Information about other people

If you provide personal data about another person, you must have authority to do so and must make sure that they receive the relevant privacy information, unless an exemption applies.

This may include where you act for a child, dependant, family member or another person you are authorised to represent.

We may ask you for information to confirm your authority where this is appropriate.

Cookies

We use cookies and similar technologies on our website.

Some are strictly necessary to make the website work properly. Others help us measure performance, understand how the website is used, personalise content, or support advertising and marketing.

Where the law requires consent, we will ask for it before using those technologies.

How we use your personal data and our lawful bases

We use your personal data for the following purposes:

  • to create and manage your online account and authenticate you when you sign in;
  • to process, fulfil and administer your orders, payments, deliveries, collections, refunds and returns;
  • to provide customer support, respond to questions, handle complaints and keep records of our communications with you;
  • to provide pharmacy, healthcare or online prescribing services where you use those services, including consultation handling, suitability checks, clinician review, dispensing, delivery, results handling and patient safety processes;
  • to verify identity, eligibility, age or other information where needed to protect patients, prevent fraud or misuse, or comply with legal or regulatory obligations;
  • to send service communications, including order updates, operational messages and important information about the services you use;
  • to improve and develop our website, products and services, including through analytics, service review, staff training and quality assurance;
  • to ask for reviews, feedback or survey responses and to analyse the results;
  • to send marketing communications and personalised offers where we are allowed to do so; and
  • to comply with legal, regulatory, clinical, governance and audit requirements, and to establish, exercise or defend legal claims.

We rely on one or more of the following lawful bases under Article 6 of the UK GDPR:

  • performance of a contract with you, or taking steps at your request before entering into a contract;
  • compliance with a legal obligation;
  • our legitimate interests in operating, improving and securing our business and services, except where those interests are overridden by your rights and interests; and
  • consent, where consent is required.

Where we process special category data, including health data, we also rely on an Article 9 condition. For healthcare and pharmacy services this will usually be Article 9(2)(h), and where strictly necessary to protect someone’s vital interests it may include Article 9(2)(c). The relevant service-specific notice may give further detail depending on the service you use.

Where we rely on consent, you can withdraw that consent at any time. This will not affect the lawfulness of processing carried out before you withdrew consent.

We share personal data only where this is necessary for the purposes described in this notice.

Depending on the service you use, we may share personal data with:

  • companies within our group, where this is necessary to provide the relevant service, manage the website or administer our relationship with you;
  • payment providers, such as Stripe, who may act as an independent controller for payment, fraud-prevention and related processing they carry out for their own purposes;
  • providers of website hosting, technology, communications, customer support, analytics, marketing, printing and other business services who process personal data on our behalf and under our instructions;
  • delivery, fulfilment, dispensing, laboratory, identity verification or other specialist providers involved in the service you use;
  • professional advisers, auditors, insurers and similar advisers;
  • regulators, courts, law enforcement bodies and public authorities where we are required or permitted to do so by law; and
  • a buyer, investor, successor or other relevant third party in connection with a merger, sale, reorganisation, financing or similar corporate event.

Not all of these recipients will apply to every user or every service.

Where another organisation uses your personal data for its own purposes as a controller, we will explain that in the relevant service-specific notice or at the point of collection.


Recipients may also include the following. Most act as processors on our behalf and under our instructions; some (for example public authorities, a successor company, or partners who contact you with your consent) use your personal data as controllers in their own right:

  • Technology hosts.
  • Providers of digital advertising services.
  • Providers of marketing and sales software solutions.
  • Printing companies.
  • Our advertising partners who enable us to deliver personalised ads to your devices or similar advertising.
  • Our outsourced service providers or suppliers to facilitate the provision of our products and/or services to you.
  • Our marketing partners, subject to your consent, who may contact you by post, email, telephone, SMS or by other means. If you do not wish to be contacted, you may unsubscribe by clicking “unsubscribe” in the message concerned.
  • Analytics and search engine providers that assist us in the improvement and optimisation of our website. Your personal data is generally shared in a form that does not directly identify you.
  • Our data centre provider, for the safekeeping of your personal data, and our web hosting provider, through which your personal data may be collected.
  • Third party service providers and consultants in order to protect the security or integrity of our business, including our databases and systems and for business continuity reasons.
  • Our Group companies who may contact you by email, phone or post about other products and services (including those from other organisations) in which you may be interested (where you have consented to such communication).
  • Another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution, or similar event. In the case of a merger or sale, your personal data will be permanently transferred to a successor company.
  • Public authorities where we are required by law to do so.
  • Legal advisers, where required in order to receive legal advice.
  • Any other third party where you have provided your consent.

In these circumstances, we will ensure that your personal data is properly protected and that it is only used in accordance with this Privacy Notice.

We may also collect, use and share Aggregated/Anonymised Data such as statistical or demographic data for any purpose.

Aggregated Data could be derived from your personal data but is not considered personal data in law, because it does not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature, or we may aggregate your data to build marketing personas or lookalikes to help us advertise to our patients better.

However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy notice. Please note, where we aggregate data for marketing purposes, it will not be combined with your personal data, and you will not be able to be directly or indirectly identified as a result.

Offers and opportunities

We may send you marketing about our products and services where we are allowed to do so under data protection law and the Privacy and Electronic Communications Regulations.

This may include offers, discounts, promotions, newsletters, competitions, surveys and updates that we think may be relevant to you.

We will explain at the point of collection whether marketing is optional and how you can change your preferences.

We may tailor marketing based on your previous interactions with us, such as purchases, website activity or preferences, where we are allowed to do so. We do not use special category data for marketing personalisation unless we have a clear lawful basis and tell you about it.

You can unsubscribe from marketing emails at any time by clicking the unsubscribe link in any marketing email, updating your preferences in your account, or contacting us using the details below.

We keep a record of your marketing preferences, including when you unsubscribe or object, so that we can respect your choices.

Reviews, testimonials, photographs and other user content

If you choose to submit a review, testimonial, survey response, photograph or similar content, we will use the information you provide to manage and publish that content in accordance with the explanation given at the point of collection.

Where we use a testimonial, treatment story, photograph or other user-generated content for marketing, we will do so only where we have an appropriate lawful basis, which will normally be your consent where the content includes health information or images used for promotion.

We will tell you where the content may appear, how long we expect to use it, and how you can ask us to stop using it.

How we protect personal data

We use appropriate technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.

These measures include access controls, encryption, network and application security, secure hosting arrangements and staff procedures.

No website, app or email transmission can be guaranteed to be completely secure. You should keep your login details confidential, never reuse a password that you use for any other service, use a suitably protected and up-to-date device, and tell us as soon as possible if you think your account has been compromised.

You must not misuse the Services by:

  1. knowingly introducing viruses, trojans, worms, logic bombs or other material that is malicious or technologically harmful;
  2. attempting to gain unauthorised access to the Services, the servers on which they are stored, or any server, computer or database connected to the Services; or
  3. attacking the Services via a denial-of-service attack or a distributed denial-of-service attack.

Breaching this provision may constitute a criminal offence under the Computer Misuse Act 1990. We will report any such breach to the relevant law enforcement authorities and will co-operate with those authorities by disclosing your identity to them. In the event of such a breach, your right to use the Services will cease immediately.

For your security, we do not store your login password in plain text; we keep only an encrypted record of it.

Transfers of personal data

Some of our suppliers or group companies may process personal data outside the UK.

Where this happens, we will ensure that an appropriate safeguard is in place, such as an adequacy regulation or approved contractual safeguards, unless an exception applies under data protection law.

Depending on the supplier and destination, these safeguards may include the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or reliance on an applicable adequacy regulation.

You can contact us using the details below if you would like more information about the safeguards relevant to your personal data.

Keeping your information up to date

It is important that the personal data we hold about you is accurate and current.

You may be able to update some of your information through your online account. You can also contact us using the details below to ask us to update or correct your personal data.

If you are asking us to update information about another person, we may ask you for information to confirm your authority to do so.

Retention of personal data

We retain personal data where regulation requires it or where we have a continuing legitimate and lawful purpose for doing so. We follow NHS and private healthcare regulations, and therefore keep your health record for a period after your last interaction with us, depending on the type of medication ordered. These records contain personal and medical data, contact details and messages exchanged with clinicians and patient advisory teams. If you wish your medical record to be closed before the end of the retention period, we will deactivate your account, which means that your access to it will be revoked.

If you have registered and not ordered, we will retain this data for one year, or until you notify us and ask for your data to be deleted, whichever is sooner.

Beyond these periods, we will not retain any of your personal data that is no longer required for the purposes set out in this Privacy Notice.

The retention of your personal data will be subject to periodic review.

We may keep an anonymised form of your personal data, which no longer refers to you, for statistical purposes without time limit, to the extent that we have a legitimate and lawful interest in doing so.

Your rights

You have the right to:

  • ask for access to your personal data;
  • ask us to correct inaccurate personal data;
  • ask us to erase your personal data in some circumstances;
  • ask us to restrict how we use your personal data in some circumstances;
  • object to certain processing, including direct marketing;
  • ask for data portability where this applies; and
  • withdraw consent at any time where we rely on consent.

These rights are subject to legal conditions and exemptions. For example, we may need to keep certain information to comply with legal, regulatory, clinical or patient-safety obligations.

To exercise your rights, please contact us using the details below. We may ask for information to confirm your identity before we act on your request.

You also have the right to complain to the Information Commissioner’s Office if you think we have handled your personal data unlawfully.

Right to Make Subject Access Request (SAR)

Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, data subjects have the right to request copies of their personal data held by us.

If you would like to make a SAR (i.e., a request for copies of the personal data we hold about you), you may do so by:

Emailing admin@healthhut.org.uk

Or writing to:

Health Hut Professionals Ltd. 4 Abbey Meadows, Morpeth, Northumberland, NE61 2BD

Please ensure that your request clearly states that a SAR is being made. You may also be required to submit proof of your identity to verify your request.

We will respond to your request within one month of receipt. Please note that in some cases, where requests are complex or numerous, we may extend this period by a further two months. If an extension is necessary, we will inform you within the initial one-month period.

Right to rectification.

You may request that we rectify any inaccurate and/or complete any incomplete personal data.

Right to erasure.

You may request that we erase your personal data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding ground for keeping your personal data, such as a legal, regulatory or clinical obligation that we have to comply with, or the need to establish, exercise or defend legal claims.

Right to restrict and withdraw consent.

You may, as permitted by applicable law, withdraw your consent to the processing of your personal data at any time. Such withdrawal will not affect the lawfulness of processing based on your previous consent.

Please note that if you withdraw your consent, you may not be able to benefit from certain service features for which the processing of your personal data is essential.

Right to data portability.

In certain circumstances, you may request that we provide your personal data to you in a structured, commonly used and machine-readable format and have it transferred to another provider of the same or similar services. We will comply with such a transfer as far as it is technically feasible. Please note that a transfer to another provider does not imply erasure of your personal data, which may still be required for legitimate and lawful purposes.

Right to object to processing, including automated processing and profiling.

You may, as permitted by applicable law, request that we stop processing your personal data.

In relation to automated processing and profiling, you may object to the processing and you will have the right to obtain human intervention.

Your right to lodge a complaint with the supervisory authority.

Data subjects also have the right to lodge a complaint with the relevant data protection authority if they believe that their personal data is not being processed in accordance with applicable data protection law.

We suggest that you contact us about any questions or if you have a complaint in relation to how we process your personal data.

However, you do have the right to contact the relevant supervisory authority directly. To contact the Information Commissioner’s Office, the supervisory authority in the United Kingdom, please visit the ICO website for instructions.

Changes to the privacy laws and policies

Privacy laws and practice are constantly developing, and we aim to meet high standards. Our policies and procedures are, therefore, under continual review. We may, from time to time, update our security and privacy policies and suggest that you check this page periodically to review our latest policies.

How to contact us

Telephone: 01670 510510

Email: admin@healthhut.org.uk

Mail: Data Protection Officer, Health Hut Professionals Ltd., 4 Abbey Meadows, Morpeth, Northumberland, NE61 2BD