This Policy relates to your personal information in connection with your use of and access to OX.DH Ltd and its subsidiaries (the ‘Company’) across all Company websites and any services provided by the Company.
We are committed to protecting your Information and your right to privacy. If you have any questions or concerns about our policy, or our practices with regards to your personal information, please contact us at firstname.lastname@example.org.
When you use the Company, you trust us with your information. We take your privacy very seriously. We seek to explain to you in the clearest way possible what information we collect, how we use it and what rights you have in relation to it. We hope you take some time to read through it carefully, as it is important. If you are not happy for your information to be used in the ways described in this Policy, you should stop using the Company immediately.
We review this Policy regularly and it is your responsibility to check regularly and determine whether you still agree to comply with the policy. If you do not agree to any change to this Policy then you must immediately stop using the Company Services. In the event we make any significant changes to this Policy we will use our reasonable endeavours to inform you of such changes in advance in writing.
It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes, for example if you change your email address.
The Company is owned and operated by OX Management Services Ltd a company registered in England and Wales with company number 10664365 and whose registered office is situated at The Cow Shed, 19 Wharf Road, Shillingford, Oxfordshire, OX10 7EW (“The Company/we/us/our”).
The term “you” refers to the user wishing to access and/or use the Company Services.
The Company is not a provider of medical or diagnostic services. Selected Company Platforms can enable healthcare clinicians and individuals seeking medical advice or assistance to connect through these Company Services. Through their use of these Company Services, Patients and Clinicians can schedule appointments, access a virtual waiting room and meet for virtual consultations during which Clinicians can take notes, give medical advice, issue prescriptions and refer Patients for tests or specialist consultations.
The Platform should not be used for support in relation to medical emergencies. If you believe that you or the person you are assisting needs urgent medical care you should immediately dial 999.
For the purpose of Data Protection Laws, we are the data controller for any personal data that you share with us in relation to your account when using the Services. We are the processor, on behalf of your Clinician, in respect of any medical data or information which you provide through the Platform for use by the Clinician providing Clinical Services.
3.1 Personal information you disclose to us
We collect personal information that you provide to us including information such as name, address, contact information and health and medical data.
We collect personal information that you voluntarily provide to us when registering and using the Company Services, or otherwise contacting us. The personal information that we collect depends on the context of your interactions, the choices you make and the products and features you use. When you use the Company Services and/or when you otherwise deal with us, we may collect the following information about you (the Information):
Personal Identifiable Data (PID) which includes first name, last name and gender.
Contact Data which means the data we use to contact you including your billing address, delivery address, email address and contact number.
If you make payments through our Platform, Financial Data which means the payment method and card association used to process your payments for your orders. We do not store or process your card details ourselves; they are processed and stored via one of our contracted third-party service providers. We encrypt your payment card details in your browser and securely transfer this data to our relevant third-party payment provider to process a payment.
Transaction Data which means details about transactions you have made using the Company Services including the payments to and from you along with other details of products you have purchased from us.
Profile Data which includes your username (email address), your login data, purchases or orders made by you, your interests, preferences, feedback and survey responses.
Health and Medical Data, such as the information which you provide us when you register to use the Service and when you use the clinical Services. This might include details including your NHS number, the clinicians you use, details of the consultations with clinicians including details of your treatment and care (including any diagnosis, medical advice and comments your clinician captures), interactions with our digital services (e.g. chatbots), details of your prescriptions, details on any devices or wearables you use, results of any investigations carried out in connection with the clinical service that are uploaded in connection with the Company Services. It may also include information on your next of kin and carers. If you have given consent for us to do so, we will send the consultation notes that the clinician takes during your use of the clinical services to your NHS General Practitioner (GP).
We may retain recordings of our consultations and interactions in connection with the clinical services. This can include your use of our chatbot service, video and audio recordings or audio-only recordings. This is to provide you with an easy way to check your clinical services where you wish to and so that we can ensure high quality care is provided to you. To monitor our service quality, we may retain records of when you contact our support teams via email, phone or interactions with our digital services (e.g. chatbots).
Information about your ethnicity, sexual orientation, sex life, religious beliefs or opinion or genetic data where this has been captured in connection with the clinical services.
Usage Data which includes information about how you use the Company Services. This includes your browsing patterns and information such as how long you might spend on one of our webpages on the Company Platform and what you look at and for, the page that referred you to the Company Platform and the click stream during your visit to our website, page response times and page interaction information (clicks you make on a page).
Marketing and Communications Data which includes your preferences in receiving marketing from us and your communication preferences.
Other information relevant to services, customer surveys and/or offers.
All personal information that you provide to us must be true, complete and accurate, and you must notify us of any changes to your Information.
3.2 Information automatically collected
Some information – such as IP address and/or browser and device characteristics – is collected automatically when you use the Company Platforms.
We automatically collect certain information when you visit, use or navigate the Company Platform. This information does not reveal your specific identity (like your name or contact information) but may include device and usage information, such as your IP address, browser and device characteristics, operating system, language preferences, referring URLs, device name, country, location, information about how and when you use the Company Platform and other technical information. This information is primarily needed to maintain the security and operation of the Company Platform, and for our internal analytics and reporting purposes.
Like many businesses, we also collect information through cookies and similar technologies. You can find out more about this in our Cookies Policy.
We process your information for purposes based on legitimate business interests, the fulfilment of our contract with you, compliance with our legal obligations, and/or your consent.
We use your information collected via the Company Services for a variety of business purposes described below. We process your information for these purposes in reliance on our legitimate business interests (Business Purposes), in order to enter into or perform a contract with you (Contractual), with your consent (Consent), and/or for compliance with our legal obligations (Legal Reasons). We indicate the specific processing grounds we rely on next to each purpose listed below.
We may process your Information for the following purposes:
Fulfil and manage any Company Services (Contractual). We may use your information or pass it onto clinicians in order to do this.
To send administrative information to you for business purposes, legal reasons and/or possibly contractual. We may use your information to send you product, service and new feature information and/or information about changes to our terms and conditions and/or policies.
To send you marketing and promotional communications for business purposes and/or with your consent. We and/or our brand partners may use your Information for our marketing purposes, if this is in accordance with your marketing preferences. You can opt-out of our marketing emails, see below for further details.
To facilitate account creation and logon process with your consent.
Where you have provided your explicit consent, we will use your medical information (always having removed personal identifiers, such as your name, address and contact details) to improve the Company Services, and our artificial intelligence system, so that we can deliver better services to you and other users. This medical information (with your personal identifiers removed in the way described above) may include your medical record (both records received and created by us), transcripts and recordings of your consultations, and your interactions with our digital services. This does not involve making any decisions which would have a significant effect on you – it is only about improving the Company Services so that we can deliver a better experience to you and other users. Strict confidentiality and data security provisions apply at all times. This consent relates to information that can identify you.
Request feedback for our business purposes and/or with your consent. We may use your information to request feedback and to contact you about your use of the Company Platform.
To protect the Company Services for business purposes and/or legal reasons. We may use your information as part of our efforts to keep the Company Services safe and secure (for example, for fraud monitoring and prevention).
To enforce our terms and conditions and/or policies for business purposes, legal reasons and/or possibly contractual.
To respond to legal requests and prevent harm for legal reasons. If we receive a subpoena or other legal request, we may need to inspect the data we hold to determine how to respond.
For other business purposes. We may use your information for other business purposes, such as data analysis, identifying usage trends, determining the effectiveness of our promotional campaigns and to evaluate and improve the Company Services and your experience.
In addition, where the personal data that we will be processing is “special data”, also known as “sensitive data” which should be given additional safeguards, such as health information, we will only process that information if there is a valid special condition for processing (as set out in Article 9 of the GDPR). For the purposes of health data, we will rely on Special Condition Article 10(2)(h) (processing of health data where there are adequate safeguards and confidentiality obligations in place).
We only share information to comply with contractual obligations, fulfil our business purposes, or with your consent.
We only share and disclose your Information in the following situations:
Contractual: to share information with clinicians and other providers such as pharmacy and radiology to enable any services to be fulfilled.
Compliance with Legal Obligations: We may disclose your information where we are legally required to do so in order to comply with applicable law, governmental requests, a judicial proceeding, court order, or legal process, such as in response to a court order or a subpoena (including in response to public authorities to meet national security or law enforcement requirements). Your Information may also be shared with regulators like the General Medical Council or the Health Service Ombudsman. We will use our commercially reasonable endeavours to notify you in advance if your Information is to be disclosed to any regulators (where permitted).
Vital Interests. We may disclose your information where we believe it is necessary to investigate, prevent, or take action regarding potential violations of our policies, suspected fraud, situations involving potential threats to the safety of any person and illegal activities, or as evidence in litigation in which we are involved. For example, we may share information with bodies with public health responsibilities such as local councils and Public Health England to control infectious diseases such as meningitis, tuberculosis (TB) or measles and manage public health incidents.
Third-Party Service Providers: We may share your information with third-party vendors, service providers, contractors or agents who perform services and require access to such information to do that work. Examples include: data analysis, email delivery, hosting services, customer service and marketing efforts. They will only have access to your information to the extent that they need to perform those services. They are required to keep your information confidential and may not use it other than as we ask them to and always in accordance with this Policy.
Business Partners: We may share your information, provided you have given us consent to do so, with our business partners to offer you certain products, services or promotions.
Information Disclosure: We may disclose, with your consent, your information for any other purpose, for example if you give us consent to share information with your General Practitioner (GP).
We may disclose aggregated, anonymous information (i.e. information from which you cannot be personally identified), or insights based on such anonymous information (for example the number of users of the Company Services), to selected third parties, including (without limitation) analytics and search engine providers, to assist us in the improvement and optimisation of the Company Services. In such circumstances we do not disclose any information which can identify you personally.
We may transfer, store, and process your information in countries other than your own but will take all reasonable steps to ensure it is protected.
Whenever we transfer your information outside of the UK, we will take all reasonable measures that we can to protect your Information in accordance with this Policy and applicable law. To the extent that any transfer requires that approved safeguards are in place (for example, if transferring outside of the European Economic Area, that the EU model contract clauses are in place or, if to the USA, that the entity it is transferred to is EU/US Privacy Shield registered), we will ensure these measures are in place.
We are not responsible for the safety of any information that you share with third-party providers who feature or advertise, but are not affiliated with, the Company Services.
The Company Platform may feature links to third-party websites or contain advertisements from third parties that are not affiliated with us and which may link to other websites, online services or mobile applications. We cannot guarantee the safety and privacy of data you provide to any third parties. Any data collected by third parties is not covered by this Policy. We are not responsible for the content or privacy and security practices and policies of any third parties, including other websites, services or applications that may be linked to or from the Company Platform. You should review the policies of such third parties and contact them directly to respond to your questions.
We keep your information for as long as necessary to fulfil the purposes outlined in this Policy unless otherwise required by law.
We will only keep your information for as long as it is necessary for the purposes set out in this Policy, unless a longer retention period is required or permitted by law (such as tax, accounting or other legal requirements).
When we have no ongoing business purpose to process your Information, we will either delete or anonymize it, or, if this is not possible (for example, because your Information has been stored in backup archives), then we will securely store your Information and isolate it from any further processing until deletion is possible.
We aim to protect your information through a system of organisational and technical security measures.
We have implemented appropriate technical and organizational security measures designed to protect the security of any Information we process. However, please also remember that we cannot guarantee that the internet itself is 100% secure. Although we will do our best to protect your information, transmission of personal information to and from the Company Platform is at your own risk. You should only access our services within a secure environment.
We take steps to ensure that the Company Services are only used by those over 18 years of age and we do not knowingly collect data from or market to children under 18 years of age.
We do not knowingly solicit data from or market to children under 18 years of age. By using the Company Services, you represent that you are at least 18 years of age. If we learn that information from users less than 18 years of age has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we have collected from children under age 18, please contact us at email@example.com.
You will be required to give consent to certain processing activities before we can process your information. Where applicable, we will seek consent from you when you first submit information to or through the Company Services.
If you have previously given your consent, you may freely withdraw such consent at any time. You can do this by emailing firstname.lastname@example.org.
If you withdraw your consent, and if we do not have another legal basis for processing your information, then we will stop processing your information. If we do have another legal basis for processing your information, then we may continue to do so subject to your legal rights.
Please note that if we need to process your information in order for you to use the Company Services and you object or do not provide consent to us processing your Information, the Company Services will not be available to you.
If you have given consent to marketing we may contact you about our products, services, promotions and special offers. If you no longer wish to receive such information you can withdraw your consent at any time by sending an email to email@example.com or unsubscribe from the communications.
If you have given consent, we may share your information with carefully selected third-party organisations and business partners and they may contact you directly. If you prefer not to receive direct marketing communications from the third party, please contact them directly to withdraw the consent.
You may at any time review or change your personal account information by logging into your Oxford Virtual Clinic account.
If you wish to terminate your Company account please contact us via firstname.lastname@example.org and we can arrange this for you. Some information may be retained in our files to prevent fraud, troubleshoot problems, assist with any investigations, enforce our Terms and Conditions and/or comply with legal requirements.
You have certain rights in relation to the information that we hold about you. Details of these rights and how to exercise them are set out below. Please note we will require evidence of your identity before we are able to respond to your request. This is a security measure to ensure that your information is not disclosed to a person who does not have the right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response. To exercise or discuss any of your rights please contact us at email@example.com.
Right of Access: You have the right at any time to ask us for a copy of the information that we hold about you and to check that we are lawfully processing it. Where we have good reason, and where data protection law permits, we can refuse your request for a copy of your information, or certain elements of the request. If we refuse your request or any element of it, we will provide you with our reasons for doing so.
Right of Correction or Completion: If information we hold about you is not accurate or is out of date and requires amendment or correction you have a right to have the data rectified or completed.
Right of Erasure: In certain circumstances, you have the right to request that the information we hold about you is erased e.g. if the information is no longer necessary for the purposes for which it was collected or processed or our processing of the information is based on your consent and there are no other legal grounds on which we may process the information.
Right to Object to or Restrict Processing: In certain circumstances, you have the right to object to our processing of your information. For example, if we are processing your information on the basis of our legitimate interests and there are no compelling legitimate grounds for our processing which override your rights and interests. You may also have the right to restrict our use of your information, such as in circumstances where you have challenged the accuracy of the information and during the period where we are verifying its accuracy.
Right of Data Portability: In certain instances, you have a right to receive your information that we hold about you in a structured, commonly used and machine-readable format. In such circumstances, you can ask us to transmit your Information to you or directly to a third party organisation. While we are happy for such requests to be made, we are not able to guarantee technical compatibility with a third party organisation’s systems. We are also unable to comply with requests that relate to personal information of others without their consent.
If we are relying on consent to process your Information, you have the right to withdraw your consent at any time. Please note however that this will not affect the lawfulness of the processing before its withdrawal.
We welcome your feedback and questions on this Policy. If you wish to contact us about this Policy, about our Information or any other questions, please email us at firstname.lastname@example.org.
You have the right to make a complaint at any time to the Information Commissioner’s Office (the ICO), the UK supervisory authority for data protection issues (https://ico.org.uk/concerns/). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.
Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity. To see NHS Digital’s Privacy Notice and Terms and Conditions, please visit https://access.login.nhs.uk/terms-and-conditions. This restriction does not apply to the personal information you provide to us separately.