Privacy notice and cookie policy
Who we are and what we do
SH:24 Community Interest Company (SH:24 C.I.C., company number: 08737119) is the data controller and is responsible for your personal data (collectively referred to as ‘SH:24’, ‘Fettle’, ‘we’, ‘us’ or ‘our’ in this Privacy Notice). SH:24 respects your privacy and is committed to protecting your personal data.
This Privacy Notice will inform you as to how we look after your personal data and sets out the basis on which any personal data we collect from you. This Privacy Notice applies to you if you are:
A service user of this Website (https://fettle.health)
A service user of SH:24 Services;
An employee, contractor or other associated party contracted by SH:24’s Service Providers; or,
Any other individual with whom SH:24 may conduct commercial operations.
This Privacy Notice does not apply to any services offered, or businesses operated by, other companies, legal entities, or individuals. For example, to learn more about how your payment card provider process your Personal Data, you will need to visit the relevant payment card provider’s Privacy Notice(s).
This Privacy Notice may change from time to time. We will post any changes to this Privacy Notice on the ‘Privacy’ section of our website.
We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Notice. If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact:
Data Protection Officer, The DPO Centre Ltd, 50 Liverpool Street, London, EC2M 7PY
Email: dpo@sh24.org.ukTelephone: +44 (0)203 797 6340
EU Representative:
The DPO Centre (Europe) Ltd, Alexandra House, 3 Ballsbridge Park, Dublin, D04 C7H2, Ireland
Email: eurep@sh24.org.uk
Information we may collect from you
Personal data, or personal information, means any information about an individual from which that person can be identified, whether directly or indirectly. It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you when you do so which we have grouped together follows:
identity data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth, ethnicity and gender.
contact data includes billing address, delivery address, email address and telephone numbers.
health data includes any information about your physical health including your medical history and/or current health status including but not limited to photographs you may provide, sexual history (including sexual orientation – where relevant) and information regarding test results, diagnoses and medications
financial data (if applicable) includes bank account and payment card details.
transaction data includes details about payments to and from you and other details of products and Services you have purchased from us.
technical data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Site.
usage data includes information about how you use our Site, products and services.
feedback data includes information relating to your use of the Site or services.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose, but only where such data is anonymous. Data is considered to be anonymous where you cannot be identified (whether directly or indirectly). For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature.
However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.
We do not collect, use and/or share any of your personal data for marketing purposes.
Keeping your data secure
We know that data security is important to you and it is therefore important to us. We have put in place appropriate security measures to protect against unauthorised or unlawful processing and against accidental loss, destruction or damage of your personal data.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions in accordance with this policy and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We use SMS (text messaging). Most phone handsets provide a preview of incoming SMS on receipt - be aware that this may make your interaction with SH:24 or Fettle visible to people around you. However, it is possible to adjust your phone’s settings to prevent SMS previewing – very easy to change on most handsets. You may also wish to consider periodically deleting your SMS history with us, just in case you lose your handset.
How we will collect your data
In general, we will collect this data directly from you. Where this is the case, you are under no obligation to provide us with your Personal Data. However, a failure to provide Personal Data may result in us being unable to provide you with our Services. There may be instances where we need to collect data from third parties; for instance, we may use the Personal Demographic Service (PDS) to obtain your NHS Number.
We use different methods to collect data from and about you including through:
Direct interactions
You may give us any of the categories of data identified above by filling in forms on our Site or by corresponding with us by phone, email or otherwise. This includes personal data you provide when you:
register to use our Site;
make a request for our products or services;
give us feedback
Automated technologies or interactions
As you interact with our Site, we may automatically collect Technical Data about your equipment, browsing actions and patterns.
We collect this personal data by using cookies, and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies. Please see our cookie policy for further details.
No decisions are made about you based solely on automated processing, including profiling, where that decision has a significant or legal effect.
Contact, financial and transaction data (if applicable)
From providers of technical, payment and delivery services such as Stripe (or similar third-party payment processors).
Identity and contact data
From data brokers or aggregators such as Google Analytics (or similar organisations).
Why we will use your data
The lawful basis for processing are set out in Article 6 and 9 of the UK General Data Protection Regulation (UK GDPR).
We may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.
Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out below. At least one of these must apply whenever we process personal data:
consent: you have given clear consent for us to process your personal data for a specific purpose. You can let us know at any time that you would like to withdraw your consent. Your request will be reviewed. Under certain circumstances if you withdraw your consent, we cannot always delete your data. Where this is the case, we'll inform you before you give your consent (For example, during the order journey on our website). For more information, please see the section on your legal rights below.
contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract;
legal obligation: the processing is necessary for us to comply with the law;
vital interests: the processing is necessary to protect someone’s life;
public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law; or,
legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.
We may use your information for the following purposes:
Handling an initial request for a test kit and/or other services provided by SH:24, where processing of your Personal Data is necessary for the performance of a contract between you and SH:24.
Lawful basis: In order to take steps so that you can enter into a contract with us for the delivery of healthcare.
Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.
Handling an initial request for a test kit and/or other services provided by SH:24, where processing of your Personal Data is in SH:24’s legitimate interest.
Lawful basis: Our legitimate interests in providing our services.
Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.
Processing information about your sexual or medical history, including sensitive photographs for diagnostic purposes, where processing of your Personal Data is necessary for the performance of a contract between you and SH:24.
Lawful basis: In order to take steps so that you can enter into a contract with us for the delivery of healthcare.
Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.
Processing information about your sexual or medical history, including sensitive photographs for diagnostic purposes, where processing of your Personal Data is in SH:24’s legitimate interest.
Lawful basis: Our legitimate interests in providing our services.
Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.
Providing healthcare (or health assessment) and related services, where processing of your Personal Data is necessary for the performance of a contract between you and SH:24.
Lawful basis: Fulfilling our contract with you for the delivery of healthcare.
Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.
Providing healthcare (or health assessment) and related services, where processing of your Personal Data is in SH:24’s legitimate interest.
Lawful basis: Our legitimate interests in providing our services.
Additional legal basis for special categories of personal data: To provide you with a medical diagnosis and/or healthcare treatment.
Seeking and receiving payment of fees.
Lawful basis: The use is necessary to fulfil our contract with you for the provision of health assessment services, care and/or treatment.
Administration and management of healthcare services (Such as maintaining records including patient medical records, receiving professional advice, and sharing your information with your GP where relevant), where processing of your personal data is necessary for the performance of a contract between you and SH:24.
Lawful basis: Fulfilling our contract with you for the delivery of healthcare.
Additional legal basis for special categories of personal data: This is necessary to provide you with a medical diagnosis and/or healthcare treatment.
Administration and management of healthcare services (Such as maintaining records including patient medical records, receiving professional advice, and sharing your information with your GP where relevant), where processing of your Personal Data is in SH:24’s legitimate interest.
Lawful basis: Our legitimate interests in providing our services
Additional legal basis for special categories of personal data: This is necessary to provide
you with a medical diagnosis and/or healthcare treatment.
Retention of your information where a medical record has been created.
Lawful basis: Our legal obligation in retaining medical records according to statutory retention periods.
Additional legal basis for special categories of personal data: this is necessary to provide you with a medical diagnosis and/or healthcare treatment.
Investigating complaints.
Lawful basis: Our legitimate interests in improving our services.
Additional legal basis for special categories of personal data: In order for us to establish, exercise or defend our legal rights.
Communicating with you and resolving any queries or complaints that you might have.
Lawful basis: Our legitimate interest in providing the Fettle service.
Additional legal basis for special categories of personal data: In order for us or a third party to establish, exercise or defend our legal rights.
Provision of feedback to help us improve our services.
Lawful basis: Our legitimate interests in improving our service.
Clinical research and development.
Lawful basis: Our legitimate interest in undertaking research and development.
Additional legal basis for special categories of personal data: Scientific research purposes.
Clinical research and development, where your explicit consent is required.
Lawful basis: Your consent.
Additional legal basis for special categories of personal data: Your explicit consent.
Complying with our legal and regulatory requirements.
Lawful basis: Compliance with a legal obligation.
Additional legal basis for special categories of personal data: In order for us to establish, exercise or defend our legal rights.
Responding to any legal requests, including Data Subject Requests, Court Orders, requests from the Police or other relevant competent authorities and public bodies.
Lawful basis: Compliance with a legal obligation to respond to legal requests, including data subject requests, court orders, requests from the Police or other relevant competent authorities and public bodies.
Additional legal basis for special categories of personal data: In order for us to establish, exercise or defend our legal rights.
Establishing, exercising, or defending our legal rights.
Lawful basis: Our legitimate interests in establishing, exercising, or defending our legal rights.
Additional legal basis for special categories of personal data: In order for us to establish, exercise or defend our legal rights.
Disclosing your personal data
We use Service Providers (“Data Processors”) who are third parties who provide elements of services for us. Examples of these Data Processors include, but are not limited to:
Sub-contractors for the performance of any contract we enter into with them or you (for example, distributors who may deliver test kits); or,
Service providers acting as processors who provide IT and system administration services.
We have Data Processor Agreements in place with our data processors. This means that they cannot do anything with your Personal Data unless we have instructed them to do it. They will not share your Personal Data with any organisation apart from us or further sub-processors who must comply with our instructions. They will hold your Personal Data securely and retain it for the period we instruct.
In addition to the Data Processors indicated above, we may have to share your personal data with third party Data Controllers in order to provide our services to you or otherwise fulfil our legal obligations
Examples of third parties include:
local authorities and public services
NHS bodies, the Police, and other competent authorities
the Courts
accredited pharmacies (the dispensing of the medicines is performed directly by our accredited pharmacies to you)
academic institutions for research purposes
We transfer personal data from the UK to the EEA, which the UK government has recognised as adequate for the purposes of the UK implementation of the GDPR. We may also transfer personal data from the UK to non-adequate countries such as the US on the basis of appropriate safeguards, such as approved standard data protection clauses. You can obtain a copy of these safeguards by contacting our Data Protection Officer using the contact details above.
Cookies
Consider whether you want a digital log of your visit to fettle.health to be recorded in your browser. If you don’t want a record to be kept, you can choose to delete your browser history afterwards or view our pages in incognito mode or private browsing, which won’t store your browser history, cookies, or search history after you’ve closed your browsers.
However, you are not invisible. Using incognito mode or private browsing does not hide your browser history from your internet service provider, SH:24 or your employer (if you are using a company device). You can set your browser to refuse all or some browser cookies or to alert you when websites set or access cookies.
If you disable or refuse cookies, please note that some parts of this Site may become inaccessible or not function properly.
How we use cookies
Cookies are small text files that are downloaded to your computer, tablet or mobile phone when you visit a website or application. The website or application may retrieve these cookies from your web browser (Internet Explorer, Mozilla Firefox or Google Chrome) each time you visit, so they can recognise you, remember your preferences and provide you with a more secure online experience.
Generally, cookies are very useful and are a common method used by almost every website you visit because they help to make your online experience as smooth as possible. For security reasons, many websites will not function at all without the use of cookies (or other similar technologies, such as "web beacons" or "tags").
If you prefer, you can restrict, block or delete cookies by changing your browser settings but that may mean that the website won't work properly.
For more information about cookies and their impact on you and your browsing visit aboutcookies.org.
This explains the cookies that are used on our site and why.
essential cookies: We use cookies to take secure payments when ordering from Fettle, and for load balancing.
Google Analytics: Used to collect information about how visitors use our site. We use the information to compile reports and to help us improve the site. The cookie collects information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. Read more about privacy at Google.
Managing cookies
Most internet browsers allow you to erase cookies from your computer hard drive, block all cookies (or just third-party cookies) or warn you before a cookie is stored on your device.
Please note, if you choose to block all cookies, our site will not function as intended and you will not be able to use or access many of the services we provide. If you have blocked all cookies and wish to make full use of the features and services we offer, you will need to enable your cookies.
Rather than blocking all cookies, you can choose to only block third-party cookies which will still allow our website to function as intended. Another option is Do Not Track, a technology and policy proposal that enables users to opt-out of tracking by websites they do not visit, including analytics services, advertising networks, and social platforms. To set up Do Not Track visit donottrack.us.
To opt-out of being tracked by Google Analytics across all websites use the Google analytics opt-out plug in.
Change of purpose
We will only use your personal data for the purposes for which we collected it unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
How long we will keep your data
We will only retain records in accordance with the minimum periods required by law, NHS directions, orders and guidance, and guidance published by the British Association for Sexual Health and HIV. This means that we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our records management policy which you can request from us by contacting us.
In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
Your legal rights
You have certain rights in respect of your Personal Data. These rights include:
The right to be informed about our collection and use of personal data
You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
The right to access your personal data
You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes called a ‘Data Subject Access Request’. If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed. We would ask for proof of identity and sufficient information about your interactions with us that we can locate your Personal Data. If you would like to exercise this right, please contact us as set out below.
The right to rectify your personal data
If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.
Please note that there may be circumstances where the data we hold about you cannot be rectified for legal reasons, such as insertions onto your medical record. However, where you indicate to us that the data is inaccurate, or you dispute the accuracy, we will add a clear note to the file to indicate that this is the case.
The right to erasure
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where we have a legal obligation to retain your Personal Data. We would ask for proof of identity in order to process this request. If you would like to exercise this right, please contact us as set out below.
There will be occasions where you ask us to delete your data, but we are unable to do so. For example, when we have a legal obligation to process the data about you for a specific period of time. If this is the case, we will reply and let you know. Please note that if you give us information that forms part of your medical record, we will not be able to delete this information (after the order is placed, this will include your answers to the questions that we ask on our website). Additionally, if we have sent out a testing kit to you, we will be unable to delete your data. This is because once a test kit is sent out, we cannot determine whether or not you go ahead and submit the test to a laboratory. If we delete your data at this point and you decide to go ahead with the test, we would have no way of informing you of the results.
The right to restrict processing
You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain circumstances. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.
The right to portability
Where we are processing your Personal Data on the lawful bases of consent or contractual obligation, the right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives you the right to request that a controller transmits this data directly to another controller. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.
The right to object
You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.
Rights related to automated decision-making
You have the right to object to our processing where a decision is made about you solely based upon automated processed and which has significant or legal effects. At SH:24, no decisions are made about you based solely on automated processing, including profiling, where that decision has a significant or legal effect. If you would like to contact us regarding this right, please contact us as set out below.
The right to withdraw consent
Where the lawful basis for processing your Personal Data is your consent, you can withdraw your consent at any time, and we will no longer process your Personal Data for that purpose going forward. If you would like to exercise this right, please contact us as set out below.
As stated elsewhere in this notice, please note that there may be circumstances where you withdraw your consent, but we will not be able to delete the data that we hold about you. However, if you withdraw your consent, we will provide the next steps to give you the options to remove yourself from any further activity for which you originally gave your consent. The data that we hold will only be kept on file to comply with the legal obligations to which we are subject, such as maintaining your medical record.
The right to object to direct marketing
Where we are processing your Personal Data for the purposes of direct marketing, you can object to this purpose, and we will no longer process your Personal Data for this purpose going forward. If you would like to exercise this right, please contact us as set out below.
The right to complain to the supervisory authority
You can make a complaint to the Information Commissioner’s Office (ICO), or any other supervisory authority, at any time about the way we use your information. You can contact the ICO through their website.
However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.
Children’s rights
We do not seek or knowingly collect any personal information about children under 13 years of age. If we become aware that we have unknowingly collected personal information from a child under the age of 13, we will make commercially reasonable efforts to delete such information from our database. If you are the parent or guardian of a minor child who has provided us with personal information, you may contact us using the information below to request it be deleted.
More information about your privacy rights
Depending on your jurisdiction, it is possible that a different regulator or supervisory authority may govern the processing of Personal Data. Your government’s website should be able to point you in the right direction of the relevant regulatory body. If you are a Data Subject in the EU, find your country’s regulatory body.
If you have any questions about which supervisory authority applies in your jurisdiction, please contact us as set out below.
In the UK, the Information Commissioner's Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website.
Contact us
If you have any questions about this Privacy Notice, or should you need to raise a complaint concerning your Personal Data, please contact us at dpo@sh24.org.uk.