Privacy Policy

Last updated 12 JUNE, 2024

This privacy policy explains how we process your personal data collected through our Stella App, StellaPlus (menopause assessment) or from browsing our website (the “Services”), including how we collect your data, with whom and why we share them with, how we protect your data, how long we retain them and your rights.

If you have any questions about this privacy policy, including any requests relating to your legal rights, please contact us at privacy@vira.health.

WHO WE ARE

We are Vira Health Limited. We are registered in England and Wales under the UK Company Registration Number: 12542209 and our office address is : 22 Highbury Grove, Unit 401, London, United Kingdom N5 2EF.

We are registered with the ICO (Information Commissioner’s Office) under number ZB352110 and our Data Protection Officer can be contacted by email at privacy@vira.health.

WHAT TYPE OF DATA DO WE HAVE ABOUT YOU?

Identity details:

We process information about your identity such as your name, date of birth, ID to help us identify who you are and confirm your identity.

Contact details:

We process your email, telephone number and address(es) in order to contact you, respond to your queries, send transactional and marketing communications to you including prescription reminders and reminders when you do not complete your assessment as well as to deliver a medicine or a product or to follow up with you when you attend one of our event in person or online.

Financial details

We process your payment details but we are not acting as a payment provider so we do not have access or store all of your payment data. We access partial transaction details such as the last digits of your card, billing address, transaction IDs, the type of card you use and your purchase history with us.

Technical details

These data include the type of device you use to access our Services, your operating system, IP address or your type of browser. This allows us to understand bugs with our website and app, adapt the content to you and also help to prevent notably with information such as the IP address.

Browsing activity, user/interaction data

This is information collected by us about how and when you are using our Services. This includes what page you are visiting, how long you spend on our website/app, your behaviour on the page ( e.g. clicks, scrolling), where you came from before landing on our properties (link from an article, google search). This helps us to analyse how users interact with our website and app in order to improve them and offer you a better experience.

Marketing details

This is data about your marketing preferences and the performance of our marketing campaigns (e.g. the emails we send you).

Research/surveys data

If you participate in our research or respond to our individual surveys, we collect your feedback in order to improve our Services. Some of these surveys or research can be anonymised which mean that it will not be linked to you.

We are also using aggregated data, which is data no longer associated with you, to perform research or statistical analysis on our Services and how users interact with them.

Medical details

We collect your medical information when you complete a menopause assessment and when you have a consultation with our doctors. This includes your medical history, symptoms, medication you are on, treatments prescribed to you.

We need this information in order to provide you with the menopause assessment and in order for our doctors to do a diagnosis and prescribe a treatment or give advice to you. Our doctors also make detailed notes of your consultation.

Work and education data

If you apply to one of our positions, we will collect information about your education and history of work, qualifications, references, right to work, DBS checks (where relevant), results of interviews and assessments. This is in order to assess your suitability for our available roles.

Data we received from third parties

We can also receive data from third parties such as:

Data from the pharmacy to follow up on a treatment being sent to you
Which employer or organisation you came to us from (voucher code)
Your status after verification of your identity (pass/fail)

We continually review the personal data we collect to ensure we adhere to the principle of data minimisation by only collecting and retaining what is necessary for the provision and improvement of our services.

We do not knowingly collect personal data from individuals under 18 years of age and neither Stella nor Stella Plus are targeted at this demographic. If you become aware that a child has provided us with personal data without parental consent, please contact us.

OUR LEGAL BASIS TO PROCESS YOUR DATA

Under the Data Protection Act 2018, the UK and EU GDPR where applicable, we have to have a particular reason to process your data which includes its collection, use, transfer, storage or retention.

We have indicated in the table below the different purposes for which we process your personal information, what type of information and the lawful basis for processing.

PURPOSE	TYPE OF DATA	LAWFUL BASIS
To register you as a new customer	Identity details (e.g. name, surname, date of birth) Contact details (e.g. email, telephone number)	Performance of a contract
To collect and recover money for the use of our Services	Identity details Financial data (name, contact details, payment transaction details).	Performance of a contract Legitimate interests (to prevent fraud) Note: we do not store card data on our end. The payment process is delegated to a third party supplier certified to process payments.
To provide the medical care service as requested by you. To issue the menopause report, issue a prescription when appropriate, and for the delivery of your treatment or goods. To follow-up on the treatments and advice given by the doctors.	Identity details (e.g. name, surname, gender, date of birth) Contact details (e.g. email, telephone number) Medical details (e.g.medical history, symptoms).	Performance of a contract and medical diagnosis, provision of health care and treatment pursuant to the contract between the patient and us.
To verify your identity	Identity details (e.g. name, surname, gender, date of birth, ID) Contact details (e.g. email, telephone number) Financial data (e.g. payment transaction details: date, amount, name, address, email) Photo of you, Video of you	Legitimate interests (to prevent identity or medical fraud).
To book appointment with doctors	Identity details (e.g. name, surname, gender, date of birth) Contact details (e.g. email, telephone number) Financial data (e.g. payment transaction details)	Performance of a contract.
To prevent fraud and maintain security on our website and app . To improve your browsing experience based on your technical device information.	Technical details (e.g. technical device information such as type of device used, browser used, IP address, location, device unique identifier, network information, login information).	Legitimate interests.
Analytics from browsing behaviour	Browsing information ( session recording of website pages and app pages: recording of interactions with our platforms) Note: no personal information is captured.	Legitimate interests.
Research and statistics. To perform research to understand the use of our services on our website and app, in order to improve our services	Identity details (e.g. name, age) Information provided during the surveys, interviews and research sessions.	Depending on the type of research, legitimate interest or consent.
To provide you with updates about our services, send newsletters and other marketing communications	Identity details ( name, age), contact details (email) Health information Order history.	Legitimate interests and when health information is used for marketing purposes, explicit consent.
Following up on our events or third party events	Identity details ( name) Contact details (email)	Legitimate interests.
To assess your suitability for a job position	Identity details ( name) Contact details (email) Work related information (e.g. work experience, right to work, references, interviews notes, DBS checks)	Compliance with legal obligation. Legitimate interests.

WHO DO WE SHARE YOUR DATA WITH?

Internally:

Your medical information is shared with our clinical staff to provide you with the medical service and our customer service can also access your record to assist our doctors, answer your queries, book your appointments and verify your identity.

In order to assist with bugs in our systems or any technical issues you might encounter, our IT people might need to access your account or the systems where your information is stored, including sensitive information.

Finally, the legal team might need to access some of your sensitive information in order to answer your data subject access requests.

Then access from employees or contractors is based on a need-to-know basis and we will always restrict access to the minimum required for them to perform their duties.

All staff are required to comply with confidentiality obligations and required to perform an annual training on data protection and security.

Externally

We’re using the following categories of third parties and therefore share data with the following categories of providers:

Business partners, suppliers and subcontractors to provide the Services to you, such as cloud services to store your data, marketing and transactional emails providers, data analytics and research providers.
Promotional events: We may share your data with an event organiser in order to organise your participation in the event.
Regulators/ Authorities/ Enforcement Agencies if we are under a duty to disclose or share your personal data in order to meet any legal requirement, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of our clients or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and with medical organisations such as the Care Quality Commission or the General Medical Council.
Prospective buyers of our business under our legitimate interest to ensure our business can be continued by the buyer.
Your GP: if you communicate the contact details of your GP with us, we will share your medical information with them, including any treatment prescribed. You can revoke your consent at any time.
Pharmacies: If you use Stella Plus, we will also share your personal data with our pharmacy partner, Chemist4U (UK Company Registration Number: 07262043 (Innox Trading Limited) and GPhC number 9011784 – please see https://www.pharmacyregulation.org/registers/pharmacy/name/chemist4u). You can contact Chemist4U directly by phone on 01695 474433 or by email at support@chemist-4-u.com. Chemist4U’s superintendent pharmacist at the time of drafting this policy is James O’Loan, MRPharmS (GPhC number 2084549).

HOW DO WE PROTECT YOUR DATA?

We are committed to protecting your privacy and your personal information. As such, we put organisational and technical measures in place to protect your information from unauthorised or accidental access, alteration, disclosure or erasure.

We make sure that our staff is trained with an annual training requirement on data protection, information governance and cybersecurity. We also have policies in place that must be complied with by our staff to ensure that your data is protected. We enforce passwords and logins to access our systems as well as two factors authentication where possible. Our offices are secured with access with a badge, locked doors and a clean desk policy. We enforce a right of access policy to limit access to the data on a need-to-know basis.

On a technical side, we encrypt your data, use firewalls to keep your data from unauthorised access and your payment transactions are done though PCI compliant providers.

WHERE IS MY DATA STORED?

All information you provide to us is end-to-end encrypted between your device and our cloud servers based in the UK and EU. We also work with suppliers or contractors who may store data outside of the UK and EU in which case we will put the appropriate instruments in place to comply with the regulations such as standard contractual clauses if there are no adequacy decisions in place as well as performing a due diligence of the supplier/contractor.

For transfer of data from the UK to the EEA or the EEA to the UK, an adequacy decision is in place which means that both the country sending the data and the country receiving it have a comparable data protection regime.

HOW LONG DO WE KEEP YOUR DATA FOR?

We will only retain your personal data for as long as we need it to fulfil the purposes we collected it for and we will periodically review the personal data in our reviews to ensure we are only holding what is necessary.

Your medical records are retained for a duration of 8 years from collection as per the NHS Records Management Code of Practice for Health and Social Care 2021 ( guidelines for public and private healthcare providers).

We keep your account details until you request a deletion of your data or notify us that you want to stop using our services. Unless we have a legal or regulatory reason to keep them for longer.

Our research and product teams will retain your information for 2 years after the research. We might also anonymise data for longer but in this case no information will identify you.

We keep your data about your use of our services and technical data in a pseudonymous format until you request a deletion of your data.

And for marketing purposes, your data is retained as long as you have an active account with us.

Please note that we may need or be required to keep your data for longer in order to be able to comply with our legal, accounting or regulatory requirements.

If we are relying on your consent to hold your personal data, you can withdraw this consent at any time and we can remove your data. Personal data that is no longer required is removed using technology designed to prevent the recovery of the personal data.

WHAT ARE YOUR RIGHTS UNDER DATA PROTECTION LAW?

You have various rights under the Data Protection Act 2-18 and GDPR, which are:

access your personal data or request a copy of your data (right of access)
correct incomplete or inaccurate information we hold about you (right to rectification);
ask us to erase the personal data we hold about you (right to erasure); in certain circumstances, we will not be able to delete your personal data. As a provider of healthcare services, we have to retain your medical records for a set period of time or we might also need to keep your data for longer in order to establish, exercise or defend legal claims.
ask us to restrict our handling of your personal data (right to restriction of processing);
ask us to transfer your personal data to a third party (right to portability); Please note that this right applies to the personal data you provided us with and only where we process your data based on your consent or performance of a contract and where the processing is automated.
object to how we are using your personal data ( right to object to processing).

If you want to exercise any of these rights, you can contact us at privacy@vira.health and indicate the subject of your request.

You also have the right to lodge a complaint about our processing with a supervisory authority the ICO in the UK ( https://ico.org.uk/make-a-complaint/). If you are based outside of England and Wales, you can find your relevant supervisory authority here.

QUESTIONS, COMMENTS AND MORE DETAIL

Your feedback and suggestions on this policy are welcome.

We’ve worked hard to create a policy that’s easy to read and clear. But if you feel that we have overlooked an important perspective or used language which you think we could improve, please let us know by email at privacy@vira.health.

If you’d prefer, you can always get in touch with us by post to our registered office at 22 Highbury Grove, Unit 401, London, United Kingdom, N5 2EF.

LINKS

Please note, if you follow a link to a third party website or application from Vira, these third parties may have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.

COOKIES AND TRACKING TECHNOLOGIES

Cookies is a small file of letters and numbers that we store on your browser or the hard drive of your computer. They have several purposes such as distinguishing you from other users of our sites to help us to provide you with a good experience when you browse our sites and to improve your experience.

There are different types of cookies and tracking technologies:

Strictly necessary cookies.These are used to enable the core functionality of our website such as security, network management and accessibility. Their use is necessary for the website to work properly.
Functional cookies. These cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedback, and other third-party features.
Analytics and performance cookies: These are used to understand how visitors interact with the website. These cookies help provide information on the number of visitors, traffic source, how users behave on our pages etc.
Advertisement cookies: they are used to provide you with relevant ads and marketing campaigns. across sites and collect information to provide more customised and personalised advertising.

You can manage the cookie directly from your browser: https://www.aboutcookies.org/how-to-control-cookies/

Please note that to remove cookies already set, you will need to go into your browser to de-install them or clear them.

Also note that, if you use your browser settings to block all cookies (including essential cookies) you may not be able to access all or parts of our site.

COOKIE	PURPOSE	DURATION
Facebook	Advertising: to display ads	3 months
CookieYes	Essential: for cookie consent preferences	11 months
Akamai	Essential: for security to distinguish between humans and bots	2 hours
Cloudflare	Functional: for security of our website	30 minutes
Intercom	Functional: provide a unique browser identifier	Up to 1 week
Klaviyo	Analytics: opening of the website from the email	2 years
Google Analytics	Analytics	2 years
YouTube	Analytics, Advertising	Up to 2 years
Scorecard Research	Analytics: browser behaviour	2 years
Hotjar	Analytics: identify new user session	30 minutes
Mailchimp	Advertising: evaluate UI/UI interactions	1 year

Cookie	Duration	Description
_abck	1 year	This cookie is used to detect and defend when a client attempt to replay a cookie.This cookie manages the interaction with online bots and takes the appropriate actions.
ak_bmsc	2 hours	This cookie is used by Akamai to optimize site security by distinguishing between humans and bots
bm_sz	4 hours	This cookie is set by the provider Akamai Bot Manager. This cookie is used to manage the interaction with the online bots. It also helps in fraud preventions
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
intercom-device-id-*	8 months 26 days 1 hour	Intercom sets this cookie that allows visitors to see any conversations they've had on Intercom websites.
intercom-id-*	8 months 26 days 1 hour	Intercom sets this cookie that allows visitors to see any conversations they've had on Intercom websites.
intercom-session-*	7 days	Intercom sets this cookie that allows visitors to see any conversations they've had on Intercom websites.
JSESSIONID	session	It is essential to ensure that any information you enter or routes you take are remembered by the website. Without this cookie, every page you visited would treat you as a completely new visitor. This cookie does not identify you personally and is not linked to any other information we store about you.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.
wordpress_sec_[hash]	7 days	To provide protection against hackers, store account details.
wordpress_test_cookie	session	To check if the cookies are enabled on the browser to provide appropriate user experience to the users.
wp-settings-{time}-[UID]	1 year
wpEmojiSettingsSupports	session	WordPress sets this cookie when a user interacts with emojis on a WordPress site. It helps determine if the user's browser can display emojis properly.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
intercom-id-[app_id]	9 months	Anonymous visitor identifier cookie. As people visit your site they get this cookie.
intercom-session-[app_id]	1 week	Identifier for each unique browser session. This session cookie is refreshed on each successful logged-in ping, extending it to 1 week from that moment. The user can access their conversations and have data communicated on logged out pages for 1 week, as long as the session isn't intentionally terminated with `Intercom('shutdown')`;, which usually happens on logout.
loglevel	never	Maintains settings and outputs when using the Developer Tools Console on current session.

Cookie	Duration	Description
__kla_id	2 years	Cookie set to track when someone clicks through a Klaviyo email to a website.
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_TK0CGNEKE8	2 years	This cookie is installed by Google Analytics.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjSession_*	1 hour	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjSessionUser_*	1 year	Hotjar sets this cookie to ensure data from subsequent visits to the same site is attributed to the same user ID, which persists in the Hotjar User ID, which is unique to that site.
_hjTLDTest	session	To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
attribution_user_id	1 year	This cookie is set by Typeform for usage statistics and is used in context with the website's pop-up questionnaires and messengering.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
UID	2 years	Scorecard Research sets this cookie for browser behaviour research.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_mcid	1 year	This is a Mailchimp functionality cookie used to evaluate the UI/UX interaction with its platform
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
rl_anonymous_id	never	RudderStack set this cookie to store statistical data of users' behaviour on the website, which can be used for internal analytics by the website operator.
rl_group_id	never	RudderStack sets this cookie to collect user activity on the web.
rl_group_trait	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_page_init_referrer	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_page_init_referring_domain	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_trait	never	Rudderstack sets this cookie, which is used to store performed actions on the website.
rl_user_id	never	RudderStack set this cookie to store a unique user ID for the Marketing/Tracking purpose.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.

Cookie	Duration	Description
_cfuvid	session	Description is currently not available.
_hjSession_3235660	30 minutes	No description
_hjSessionUser_3235660	1 year	No description
AWSALBTG	7 days	No description available.
AWSALBTGCORS	7 days	No description available.
cookie_site_switch	1 month	Description is currently not available.
intercom-device-id-i1uxzwak	8 months 26 days 1 hour	No description
intercom-id-i1uxzwak	8 months 26 days 1 hour	No description
intercom-session-i1uxzwak	7 days	No description
tf_respondent_cc	6 months	Description is currently not available.
visitor-id	1 year	No description available.

Want to switch locations?

Privacy Policy