Legal
Contents
1. Our commitment to protecting your personal data
Here at Numan, we are strongly committed to respecting and protecting your privacy. Part of our commitment is being transparent with you about how we process your personal data. This Privacy Notice (the “Notice”) aims to do just that.
Within this notice we explain:
Who we are and how to contact us;
What personal data we collect about you, and how we collect it;
Why we process your personal data (our purposes), and the lawful bases for doing so;
Who we share your data with, how long we retain your data for, and any transfers that take place; and
What you can do (your rights) in relation to how we use your data and who to contact if you have any concerns.
We endeavour to implement and maintain the highest standards regarding data protection and adopt policies in line with the highest level of compliance. As such, we align to the Data Protection Act (“DPA 2018”), the UK General Data Protection Regulation (“UK GDPR”), and the Privacy in Electronic Communication Regulations (“PECR 2003”) to handle your personal data in certain ways.
When we use the term “personal data” we mean, any information that can be used to identify you as an individual, directly, or indirectly.
2. About us
We are Vir Health Limited (“we”/”us”), trading as Numan.com. We are registered in England and Wales under company number 11449267. We are also registered with the Information Commissioner’s Office (“ICO”) under registration number ZA477985.
Our registered office is located at:
Floor 4,
Farringdon Point,
33 Farringdon Road,
London,
EC1M 3JF.
Our services
When you become a customer or patient of Numan, you are likely to use one of our services, each designed to ensure that you enjoy your experience with us. These include, for example:
Our ‘Numan’ website;
Our ‘Numan’ app;
Our clinician consultations; and
Our health coaching and general healthcare services.
3. Our Data Protection Officer and how to contact us
We have appointed a Data Protection Officer (“DPO”) to govern how we use your data and how to protect it.
If you need to contact the DPO, they can be reached directly via email at [email protected].
They can also be reached by post. If you wish to contact the DPO in this way, please label correspondence ‘for the attention of the Data Protection Officer’ using the postal address above.
If you wish to make a telephone call to us, please contact our customer care team on 0808 169 9574.
If you have any concerns regarding how we process your personal data we’d like the opportunity to address them in the first instance. If this is the case, please contact us via [email protected].
Where you feel we cannot address your concerns, you have a legal right to contact the ICO should you wish to obtain further information or raise concerns. The ICO is the regulator in the United Kingdom and can be contacted at https://ico.org.uk/make-a-complaint/.
If you are based outside of the United Kingdom, please contact your local regulatory authority responsible for data protection.
4. Changes to this privacy notice and your right to inform us of changes
This privacy notice was last updated on August 30, 2024. Historical versions can be provided by contacting us at [email protected].
We aim to keep accurate and up-to-date information about you so we can provide an effective service. Please inform us by emailing [email protected], should your personal details change during your relationship with us.
5. Our lawful bases for processing your data
When we process your data, we do it in a lawful manner. Under the UK GDPR, this means we use one or more of the following lawful bases:
Your consent (“Consent”);
When you undertake a contract with us (“Contract”);
When it is necessary for us to comply with a law or regulation (“Legal Obligation”);
When we process information to provide a service or improve our business (“Legitimate Interest”);
In rare cases where we are asked to process information in the public interest (“Public Interest”); or
In extremely rare cases, we may need to process your information in order to protect life (“Vital Interests”).
When we need to process special category data e.g., health information, biometric information, or data revealing racial or ethnic origin, we will only do so if we have a further lawful basis to do so, such as your explicit consent (“Explicit Consent”).
When we use Legitimate Interests as a lawful basis, this means we weigh privacy rights against the Legitimate Interests of the business for a particular activity. If we rely on our (or a third party's) Legitimate Interests, these interests will normally be to:
operate, provide and improve our business, including our website and app;
communicate with you and respond to your questions;
improve our website and app or use the insights to improve or develop marketing activities and promote our products and services; or
detect or prevent illegal activities (for example, fraud); and/or to manage the security of our IT infrastructure, and the safety and security of our employees, customers, vendors and visitors.
Where we require your data to pursue our legitimate interests or the legitimate interests of a third party, it will be in a way which is reasonable for you to expect as part of the running of our business and which does not materially affect your rights and freedoms.
6. Personal data we may collect about you
As a customer or patient of Numan and Numan.com, we may collect and use (“process”) certain information; your “personal data”, and what is called “special category” data.
Personal data is any information that can be used to identify you, this includes your:
Name, surname and username;
Contact information such as your email address, telephone number and correspondence address; or
Demographic information such as your age, date of birth or gender.
When you enter into a contract with us we may use ‘Legal Obligation” as a lawful basis. When we use Legal Obligation, we mean that in order to provide healthcare services, we require certain personal data, for example to:
Confirm your identity (to ensure we are providing healthcare to the right person);
Assess your suitability for medication;
Manage your health; or
Manage side effects.
Our Legal Obligations in relation to the above, include but are not limited to requirements set by the Care Quality Commission (CQC), Medicines and Healthcare Products Regulatory Agency (MHRA), the Health and Social Care Act 2008, or the Human Medicines Regulations 2012 (HMR 2012). Unfortunately, if you do not provide this information you may not be able to use our services.
We also process technical and marketing information when you visit our website or use our app. This information is also classified as personal data and includes:
Technical information, such as your Internet Protocol (“IP”) address (of your computer or device), login data, browser type and version, cookies, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website and any communications we may send to you;
Usage Data, such as how you use our website, information about your visit to our website, including Uniform Resource Locators (URL) to understand clickstream to and through, pages you viewed or searches you made, page response times, download errors, length of visit, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page; and
Marketing data, such as your preferences in receiving marketing from us.
Special category data
Special category data is information about you that is more sensitive. We have further protections in place for this category of personal data.
Special category data we process about you may include:
Health information, such as your physical or mental health, GP or hospital visits, medicines administered (if you have chosen to provide these to us), as well as your responses to our online consultations, blood tests, and any other information you provide to us relating to your health;
Image data, such as CCTV if you visit one of our sites, images of formal identification, or body images;
Information about your care, including details about your continued care by other people, for instance, other health professionals or your GP;
Race/ethnicity Data, details about your race or ethnic background;
Biometric information, such as details contained within formal identification documents, such as your passport;
Disability information, such details regarding any disability you may suffer from;
Your language preferences; and
Sex life information.
We do not knowingly collect the data of children. Please do not access our services, or provide data to us unless you are at least 18 years old.
7. How we collect your information
As a user of our services or as a patient, we may collect information about you in a number of ways, including:
Directly from you when you:
Take one of our online consultations or register to receive communications;
Contact us via email or phone - if you do, we may keep a record of that correspondence and record the phone call;
Choose to participate in surveys that we use for research purposes;
Purchase services or products through our online service;
Use our AI chat bots;
Provide us with formal identification information;
Provide services to us and/or our website users;
Provide feedback to us;
Otherwise contact us, including with queries, comments, or complaints; or
Make a claim under one of our guarantees.
From our website, such as your:
Marketing and communications preferences;
Cookies preferences;
Consent preferences;
Contact data;
Identity data;
Technical data; and
Usage data.
We process all such data in accordance with this notice. Certain data must be provided to us so that we can fulfil your request (for example, to purchase services or products on our website), and we make this clear to you at the point of collecting the data.
Some information is collected using cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why we use them, and how you can control them, please see our Cookies Policy.
Data we receive from others
We work with third party identification verification providers to confirm your identity, who in turn may use for example credit reference agencies, and the electoral register, to verify identity.
We may also receive data about you from our third party service providers, including our payment service provider and our analytic service providers.
As our business relies on collaboration with third parties such as our prescribers, pharmacies, doctors, and blood testing companies we may also receive information about you from them.
8. The purposes for which we process your personal data
The table below outlines the purposes for which we process your information, together with our lawful bases for doing so.
When you use our website:
| Activity | Purpose of processing | Data we collect | Lawful Basis |
|---|---|---|---|
| When you subscribe with us or buy one of our products or services. | To fulfil a query, request for services; or to administer and manage your account. | - email address; - phone number & contact address. | - Legitimate Interest; - Contract. |
| When you use our website (marketing). | To market our products and services. | - email address; - phone number & contact address. | - Consent (soft opt-in exemption). |
| When you use our website (website analytics). | To improve our website and the way we email you. | - pages visited; - emails opened. | - Consent. |
| When you use our website (website analytics). | To ensure effective customer service and technical support. | - IP Address; - date and time of enquiry and time zone; - page visited previously; - browser type and version; - operating system. | Legitimate Interest. |
| When we ask you to verify your identity. | For pharmacovigilance, accuracy and to protect individuals against fraud. | - date of birth; - contact details; - formal identification | Legal Obligation. |
When you answer our health questionnaire, take part in our consultations or health coaching, provide blood (for blood tests), or choose to take part in research:
| Activity | Purpose of processing | Data we collect | Lawful Basis |
|---|---|---|---|
| When you answer our online health questionnaire. | To ensure the health information we have about you is accurate and complete. | Details about your health, or mental health such as: - weight and height; - Existing health conditions, e.g., heart condition or high blood pressure; - sleep patterns; - mood; - sex life. | - Legal Obligation; - Explicit Consent. |
| When you take part in clinical consultations. | To ensure the health information we have about you is accurate and complete. | - details about your health, or mental health; - responses to our consultations; - current medication, existing conditions and GP details. | - Legal Obligation; - Explicit Consent, and the provision of health and social care. |
| When you provide a sample of your blood. | To undertake diagnostics. | - blood sample; - name and contact details; - postal address. | - Contract; - Explicit Consent, and the provision of health and social care. |
| When you provide weight verification information | To ensure the health information we have about you is accurate and complete. | - name and contact details; - photos; - weight information. | - Legal Obligation; - Explicit Consent, and Provision of health & social care.. |
| When you choose to take part in research | To make new discoveries about diseases and traits. | - name and contact details; - Health information. | - Explicit Consent, and Archiving, research and statistics. |
When you subscribe with us or make a transaction:
| Activity | Purpose of processing | Data we collect | Lawful Basis |
|---|---|---|---|
| When to set up an account with us. | To provide you with our services. | - email address; - name; - phone number; - postal address; - Location data. | - Consent; - Legitimate Interest. |
| When you complete a transaction. | To complete a transaction in order to provide services. | - payment card information (“PCI”); - bank account details. | - Contract; - Legitimate Interest; - Legal Obligation. |
| When we send service related communications to you. | To provide you with important information during your relationship with us. | - email address; - name; - phone number; - postal address. | - Contract; - Legitimate Interest. |
| When we send marketing related communications to you. | To advertise our products and services to you. | - email address; - name; - phone number; - postal address. | - Consent (soft opt-in exemption). |
| When we ask for your feedback. | To improve our products and services. | - email address; - name. | - Legitimate Interest. |
| When we undertake internal research and training. | To improve our products and services. | - details about your health, or mental health; - responses to our consultations; - your feedback; - your interactions with our customer care team. | - Explicit Consent, and Archiving, research and statistics, or; - Legitimate Interest; and - Provision of health and social care. |
When you contact our Customer Care team:
| Activity | Purpose of processing | Data we collect | Lawful Basis |
|---|---|---|---|
| When you call or contact us about a query or complaint. | To manage and resolve any complaints or queries you may have and to improve our services. | - email address; - name; - contact details; - call recordings (where you have called us). | - Contract; - Legitimate Interest. |
| When you submit an individual rights request via our Customer Care team (ID verification) | To ensure we retrieve the correct details (accuracy) and to prevent fraud. | - date of birth; - contact details; - formal identification. | - Legitimate Interest; - Legal Obligation. |
| When we ask you to verify your identity, as part of a query, complaint or the reporting of an incident. | For pharmacovigilance, accuracy and to protect individuals against fraud. | - date of birth; - contact details; - formal identification. | - Legitimate Interest; - Legal Obligation. |
| When you use our interactive chat bots. | To help with your non-medical queries. | - email address; - name; - contact details. | - Legitimate Interest. |
When you use the Numan Digital Healthcare App
We process data based on two broad categories via the Numan Digital Healthcare App for subscribers:
Customer account data - personal information about customers. This is so that we can communicate with you and to administer your account if you subscribe to our services; and
App usage data - information about how you use or interact with our services through our applications. This data provides us with the ability to provide personalised services to you.
We ask for certain customer account data, such as your contact details, when you sign up for an account with us through our application.
When you download our application various categories of data will be requested – further detail regarding this is available at:
Apple Store reference to privacy info on store – https://apps.apple.com/gb/app/numan-digital-healthcare/id1624465181; or
Google Play Store reference to privacy info on store – https://play.google.com/store/apps/datasafety?id=com.numan.healthcare.
We use app usage data to provide services to you and to carry out necessary functions of our business.
As a subscriber to, or when you use the app, we collect some information automatically in order to help us analyse and report information on how you use our services in order to improve the functionality offered for users.
| Activity | Purpose of processing | Data we collect | Lawful Basis |
|---|---|---|---|
| When you use the app to order a product or subscribe to a service. | To fulfil a query, request for services; or to administer and manage your account. | - subscription type; - login information. | - Legitimate Interest; - Contract. |
| When you complete a transaction through the app. | To fulfil a query, request for services or to administer our services. | - payment card information (PCI); - bank account details. | - Contract; - Legitimate Interest; - Legal Obligation. |
| When we send you push notifications or in-app messages. | To inform you of our products and services. | - email address; - mobile phone number; - push notifications (if turned to on). | - Consent. |
| When we send you push notifications or in-app messages. | To provide you with health coaching. | - email address; - mobile phone number; - push notifications (if turned to on). | - Contract; - Explicit Consent. |
| When we send service related communications to you. | To provide you with important information during your relationship with us. | - email address; - name; - phone number; - postal address. | - Contract; - Legitimate Interest. |
| When we undertake internal research, such as app performance. | To improve our products and services, or the app. | - use of services; - preferences; - contact details; - other usage data. | - Consent; - Legitimate Interest. |
| When you no longer subscribe to a treatment but still use the app to make healthier choices. | To maintain a relationship with you. | - health information when interacting with our app. | - Explicit Consent. |
9. Third parties with whom we share your data
Our business relies on collaboration with third parties (e.g., outside companies) to provide our services to you. Each third party provides an element of our services, for example, IT and cloud services, prescription, delivery, diagnostics or marketing services.
For all third parties we use, we undertake data protection and information security due diligence prior to sharing any personal information. We also have in place contracts with specific data processing and sharing clauses to ensure that third parties process shared data strictly for the purposes we have instructed them to, or in lawful ways that we expect, such as privacy by design and default.
When it is necessary for us to transfer personal information to third parties outside of the UK, this is only done in accordance with the UK GDPR (please see below for international transfers).
Third parties we may share your personal information with include, for example:
Provision of healthcare services, including prescriptions;
Address and identification verification companies;
Delivery and courier service providers, for example;
Marketing and analytics service providers;
Technology providers;
Communications providers;
Professional advisors, such as auditors, accountants and lawyers;
Any entity who may acquire us or part of our business or brands; or
Local or foreign regulators, courts, governments and law enforcement authorities, including emergency services.
International transfers
Almost all data we collect about you is stored and processed in the UK or EEA. However, from time to time, it may be necessary to transfer your data outside of these areas to deliver our services.
Where your data is transferred outside the UK or the EEA, it will only be transferred where adequate safeguards can be applied, including:
For transfers between the UK, EEA and countries with adequacy decisions in place, we safeguard transfers through implementing Standard Contractual Clauses (“SCCs”);
For transfers between the UK and US, we safeguard transfers through implementing the UK-US Privacy Framework, or SCCs;
For third country transfers, the mechanism we use to safeguard transfers are SCCs with the UK International Data Transfer Addendum (“IDTA”).
Further information on SCCs + IDTA can be found at:
Further information on the UK-US Privacy Framework can be found at:
When you contact our Customer Care team, this data, including your name, email address and conversations are hosted in the United States. The third party that hosts this data (Intercom) is a signatory in the UK-US Data Privacy Framework.
If you would like to receive a copy of the safeguards we have in place in relation to international transfers, please email [email protected].
10. How long do we keep your information for?
We keep your personal data only as long as:
It is necessary to provide you with our service;
For legitimate business purposes, such as providing you with medical information or prescription, maintaining the performance of our website and app, making data-driven business decisions about new features and offerings, resolving disputes; and
complying with our legal obligations.
We keep your personal data for a set amount of time, after a point where we first collect your data (or another trigger) - this is called a ‘retention period’. Retention periods are set by our retention and records management policy and retention schedule.
We also set our retention periods according to statutory or industry standards. For example:
Retention periods for most health records are set at 10 years (after you unsubscribe with us) in line with Care Quality Commission (CQC), and NHS retention guidelines.
Retention periods associated with our pharmacy practices are typically 2 years (from end of financial year) in line with CQC guidelines.
Once retention periods are met, we destroy, anonymise or archive data according to our schedule. However, there are some exceptions to this, including:
If there is an unresolved issue relating to your account, such as an outstanding credit on your account or an unresolved claim or dispute we will retain the necessary personal data until the issue is resolved;
Where we need to retain the personal data for our legal, tax, audit, and accounting obligations, we will retain the necessary personal data for the period required by applicable law; and/or,
Where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our users.
11. Your rights in relation to your personal data
We strongly believe in the fair and transparent processing of your personal data and as such, we need to make you aware that you have rights under data protection law. These are called your ‘Individual Rights’, and include:
Your right of access
You have the right to ask us for copies of your personal information. This right always applies. However, there are some exemptions, which means you may not always receive all the information we process, for example, other peoples’ personal information, or information that is commercially sensitive
Your right to rectification
You have the right to ask us to rectify (i.e., correct) information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.
Sometimes we get it wrong and need to correct things, so please feel free to tell us. However, we would also love to hear from you if your circumstances change, such as when you move house, change your email or phone number, or when you change your name.
Your right to be forgotten (erasure)
You have the right to ask us to erase your personal information in certain circumstances. Whilst we will do our best to erase your personal data where we can, the right to be forgotten is not an absolute right - this is because we may need to keep certain elements of your information for legal obligations or other legitimate purposes. However, we will tell you if this is the case.
Your right to restrict processing
You have the right to ask us to restrict the processing of your information in certain circumstances.
Your right to object to processing
You have the right to object to the processing of your personal information, in certain circumstances if you believe our processing impacts on your rights and freedoms and where we use either consent or legitimate interests. If we are processing on the basis of consent you can also withdraw your consent at any time.
Your right to data portability
You can request that we transfer your data to another service provider, or to you. Your right applies if you initially provided consent for us to use the data, or were under, or in talks about entering into a contract - and that the processing is automated. Note that your right only applies to information you have given us.
Your right not to be subject to automated decision-making, including profiling
At Numan, we use interactive AI bots to help you interact with our services and provide you with general lifestyle advice which is non-clinical. These are automated decision-making systems and can sometimes make mistakes (called hallucinations). Our clinicians monitor conversations to help mitigate this, however, you are always able to reach out to a human when interacting with our AI bots, if you are unsure of the information provided.
You have a right not to be subject to automated decision-making, including profiling where:
automated individual decision-making has been used (making a decision solely by automated means without any human involvement); and
profiling has been used (automated processing of personal data to evaluate certain things about an individual). Profiling can be part of an automated decision-making process.
Exercising your rights
Please contact us at [email protected], by post or over the phone if you wish to make a request. We will respond to your request without undue delay, and always endeavour to complete requests within one calendar month.
Please note that not all rights are absolute. For example, where we are required to process your data as part of a legal obligation, we may be required to maintain this information.
We won't charge for exercising your rights. However, we do reserve the right to charge an admin fee if your request is deemed to be manifestly unfounded or excessive.
For more information about your rights
To learn more about your Individual Rights, we encourage you to visit the ICO’s relevant site at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/individual-rights/.
12. Other information you may find useful
Clinking on external links? We encourage you to read their privacy notice too
If you click on a link external to our service, please understand that you are leaving our service and we cannot therefore control the privacy practices and content of those third parties.
Any personal data you provide will not be covered by this privacy notice and we strongly encourage you to read their privacy policies to understand how they collect and process your personal data.
When you use passwords to verify and enable access to our services - keep them safe
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our online services, you are responsible for keeping this password (and other personal details) safe.
We encourage you to avoid sharing your password with anyone, or to write it down. When you create a password, our tip is to use three random (but memorable) words, with numbers and symbols included.
For more information on keeping passwords safe, please visit:
https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words.
The legal stuff
If any provision of this notice is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision shall be construed, as nearly as possible, to reflect the intentions of the parties and all other provisions shall remain in full force and effect.