Privacy Policy

V3.0 Effective from 10 May 2023

Previous Privacy Policy Available Here

Who we are
Peppy Health Ltd is registered in England and Wales under Company number 11534232 and has its registered office at 128 City Road, London, EC1V 2NX (“Peppy” or “Us”). For the purposes of applicable data protection legislation including the General Data Protection Regulation 2016/679/EU (‘GDPR’), Peppy Health is the data controller for the personal data we process, as described in this privacy policy unless otherwise stated. Our data protection officer is 8foldGovernance Limited (company registration number 12085647) and can be contacted at dpo.contact@peppy.health.

GDPR Representative for EU/EEA Data Subjects

If you are resident in the EU/EEA, our data protection representative for the purposes of Article 27 GDPR is Data Protection Representative Limited (trading as ‘DataRep’), a company registered in the Republic of Ireland with registered number 616588. You should contact DataRep in the first instance for any requests in relation to your personal data by emailing datarequest@datarep.com or completing a web form at www.datarep.com/data-request. Your request will be forwarded to the DPO as required.

Personal data we collect and process about you

We may collect, use, store and transfer different kinds of personal data about you which we have set out in the table below, together with the legal basis which we rely on for such processing and the purpose for which we process that personal data.

Categories of Personal Data

Legal Basis for processing

Purpose of processing

Contact Data

Includes name, Peppy user name, address, telephone number, personal email address and work email address. Your Peppy user name may constitute personal data if you use identifiable data when choosing this.

Legitimate interests

Peppy communicates with you to deliver our services, and for business development reasons.

Consent

Necessity for performance of a contract

 Provision of healthcare and personalised digital content services.

 Providing any required information to third party diagnostic testing services.

 Research, statistical analysis and behavioural analysis to improve our services.

 Customer service improvements and quality management.

 Security, fraud prevention and detection.

 To notify you of any changes to this website or to our services that may affect you.

 Communicating user surveys and marketing, including engagement tracking to ensure that important communications are received by you.

 Direct marketing and business development activities.

Health Data (Special category personal data)

Includes information relating to your health status and wellbeing. This may include health data you share during practitioner sessions, biometric data, test results where you have requested diagnostic test services, photos and images of symptoms that you choose to share, symptoms and pathological conditions, medication history, health content preferences, and any other health information submitted via the application or in practitioner sessions.

Consent

You have given explicit consent for us to process your personal data and special category personal data. Personal health data will primarily be processed on the basis of your explicit consent.

Necessity for providing health services

In certain scenarios requiring medical professionals bound by obligations of confidentiality, processing your special category personal data may be necessary for the provision of health or social care services and safeguarding.

 Provision of health and/or social care, and personalised digital content services.

 Providing any required information to third party diagnostic testing services.

 Customisation to determine your App content preferences.

 Research, statistical analysis and behavioural analysis to improve our services, including temporary processing by AI language models.

 Necessary safeguarding (where explicit consent may not be possible).

Ethnicity Data (Special category personal data)

including information relating to your ethnicity and/or race. We base this on the ethnicity consensus list provided by the Office of National Statistics and may include information relating to your heritage, place of birth, culture, customs, language etc.

Consent

You have given explicit consent for us to process your personal data and special category personal data. Personal ethnicity data will primarily be processed on the basis of your explicit consent.

Necessity for providing health services

In certain scenarios requiring medical professionals bound by obligations of confidentiality, processing your ethnicity data may be necessary for the provision of health services.

 Research, statistical analysis and behavioural analysis to improve clinical outcomes and our services.

 Necessary for the provision of health services.

Identity Data (Special category personal data where the ID document reveals ethnicity or race or contains biometric data)

including the collection and processing of copies of passports, drivers licences and other identity documents which we are required to review in order to offer certain services such as prescriptions.

Consent

You have given explicit consent for us to process your personal data and special category personal data. Personal identity data will primarily be processed on the basis of your explicit consent.

Necessity for providing health services

In certain scenarios requiring medical professionals bound by obligations of confidentiality, processing your special category personal data may be necessary for the provision of health or social care services and safeguarding.

 Provision of health and/or social care, and personalised digital content services.

 Necessary for the provision of prescription services.

 Providing any required information to third party prescription services.

 Necessary safeguarding (where explicit consent may not be possible).

Technical Data

Includes internet protocol (IP) address, your login data, device type, operating system, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the website or App.

Legitimate Interests

Peppy processes this information on the basis of its legitimate interests as a digital services business.

 Provision of healthcare and personalised digital content services.

 Customisation to determine your App content preferences.

 Research, statistical analysis and behavioural analysis to improve our services.

 Customer service improvements and quality management.

 Security, fraud prevention and detection.

 Customising this website and its content to your particular preferences.

 Improving the functionality of our services.

Usage Data

Includes information about how you use our website, the App and our services, which pages you visit, traffic and location data. When arranging an initial video call to discuss purchasing Peppy’s Services, we may request to record calls for quality assurance, training and monitoring purposes; however, you may opt out of such call recording.

Legitimate Interests

Peppy processes such usage data on the basis of its legitimate interests.

Consent

You have given clear consent for us to process your personal data when you register to use our services, make contact with us or provide feedback to us about our services.

 Provision of healthcare and personalised digital content services.

 User profiling to determine your App content preferences.

 Research, statistical analysis and behavioural analysis to improve our services.

 Customer service improvements and quality management.

 Security, fraud prevention and detection.

 Customising this website and its content to your particular preferences.

 Improving the functionality of our services.

Aggregated Data

We may use and share aggregated and anonymised data, such as statistical data, for any purpose, including artificial intelligence research. Aggregated data may be derived from your personal data but is not personal data as this data does not directly or indirectly identify you. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific service and this data may be shared with your employer.

N/A

 Research, statistical analysis and behavioural analysis to improve our services.

 Customer service improvements and quality management.

 To display on the Peppy website and social media accounts anonymous testimonials you may provide to us.

Please note that in order to ensure continuity of services, your health data submitted during consultations may be accessible to multiple practitioners who are qualified to provide you with assistance.

Where we have collected and processed your personal information with your consent, you can withdraw your consent at any time by contacting dpo.contact@peppy.health and providing us with enough information to identify you (e.g., account number, username, registration details). In the event that you withdraw your consent it may not be possible to provide you with access to our service in whole or in part.

Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal.

How your Personal Data is provided to Us

For App users, we collect Personal Data through the use of the application that you choose to submit. We are not provided with Personal Data by any third party unless such party is specifically instructed by you to do so.

Contact Data of customer account holders may be collected in the course of our marketing and sales activities or through your submission of forms on the Peppy website(s).

Marketing and opting out
We conduct direct marketing activities in accordance with all applicable laws. If you prefer not to receive any direct marketing communications from us, you can opt out at any time by:

 emailing us at hello@peppy.health with subject title ‘Unsubscribe’;

 providing us with enough information to identify you (e.g., account number, username, registration details); and

 if your objection is not to direct marketing in general, but to direct marketing by a particular channel (e.g., email or telephone), specifying the channel you are objecting to.

In each communication you receive from us, there will be an “opt-out” or “unsubscribe” option available.

Information about other individuals
If you give us information on behalf of someone else, whether through the Peppy App or web forms, you confirm that the other person has appointed you to act on his/her behalf and has agreed that you can:

 give consent on his/her behalf to the processing of his/her personal data;

 receive on his/her behalf any data protection notices;

 give consent to the processing of his/her personal data; and

 give explicit consent to the transfer of his/her health data.

You should refer any such individuals to this Privacy Policy.

Processing data of minors

Peppy does not ordinarily process personal data of individuals under the age of 18. There may be occasions where you choose to submit the personal data of your dependents for the purposes of receiving guidance or healthcare services. Where this is the case you may be asked to provide additional explicit parental consent to such processing where such individuals are under the minimum legal age for the use of online services or consent to health services.

How long we keep your personal data

We retain your personal data in our server logs, our databases, and our records for as long as necessary to provide our services to you or until such time as you request erasure of your personal data. We may need to retain some of your information for a longer period, such as in back-up records, or in order to comply with our legal or regulatory obligations, to resolve disputes or defend against legal claims. Medical records, which may include chat data, may be retained for up to ten years after you cease to use the services, in line with established health practices.

Where we anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, we may use this information indefinitely without further notice to you.

Your rights
You have the following rights in relation to your personal data. The rights available to you depend on our legal basis for processing your data.

Access – You have the right to request access to personal data that we may process about you.

Rectification – You have the right to require us to correct any inaccuracies in your personal data.

Erasure – You have the right to ask us to erase your personal data in certain circumstances. Deletion of personal data will be carried out on the understanding that removal of some information (e.g., addresses) during an active membership term may negatively affect your ability to use the website/App.

Restriction – You have the right to request that we restrict processing of your personal information in certain circumstances.

Objection – You have the right to object to the processing of your personal data.

Portability – You have the right to ask that we transfer the personal data you have given us to another organisation or give it to you.

You will not have to pay a fee for exercising your rights, save for where such a request is determined to be manifestly unfounded or excessive, in which case a reasonable fee may be imposed or we may refuse to act on the request. We have one month to respond to you in relation to a request.

If you wish to exercise any of the rights set out above, please contact dpo.contact@peppy.health and provide us with enough information to identify you (e.g., account number, username, registration details). To rectify your data, please also specify the information that is incorrect and what it should be replaced with.

Disclosure of your personal data

We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal data unless we have instructed them to do it. They may use their own third party data processors, but all of our data processors are subject to legal requirements in line with the GDPR in respect of any processing they carry out on our behalf. They will hold it securely and retain it for the period we instruct.

These types of organisations are:

 Third party care providers such as testing and diagnostic services.

 Email and SMS messaging services (to enable us to communicate with you efficiently).

 Providers of business services such as auditors, consultants, solicitors and/or insurers (to enable us to run Peppy efficiently).

 Providers of IT systems or services (to enable us to run Peppy efficiently).

 IT storage providers (to enable us to secure data efficiently).

 Market research providers (to help us to improve the services we offer).

 Providers of information management services (to help us learn about our customers).

 Organisations that you ask us to share your personal information with (upon request).

 Third party machine learning services to help us to provide a more effective and efficient service to our customers.

If you are a purchaser of Peppy’s services, we may request your consent to monitor and record communications with you (such as telephone conversations, emails and chat) for the purpose of quality assurance, training, detecting, investigating and preventing illegal activities, which may include sharing data with law enforcement agencies. You may opt out of such record keeping where it involves special category personal data, unless such sharing is required by law.

Keeping your data secure

We will use technical and organisational measures to safeguard your personal data, for example: we store your personal data on secure encrypted servers.

While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that is transferred from you or to you via the internet.

Transfers of your information out of the EEA
We may need to transfer your personal data outside the European Economic Area (EEA), including the United States, for example, if one of our suppliers or employees is located outside the EEA.

Where we transfer EU personal data to the United Kingdom, such transfers are subject to the European Commission adequacy decision of 28 June 2021 in respect of the United Kingdom.

Where we need to transfer your data outside the EEA to a country that is not considered to adhere to an equivalent standard of data protection, we will ensure that any transfer of your personal data will be subject to appropriate safeguards, such as a European Commission approved contract (if appropriate) that will ensure you have appropriate remedies in the unlikely event of a security breach.

Links to Other Sites
Our website does and may contain links to other websites. This privacy policy applies only to our website (www.peppy.health and any website URL starting with www.peppy.health/) so when you visit other websites please read their privacy policies, as we cannot accept any responsibility for breaches or issues you may have in relation to privacy once you leave our website.

How to make a complaint
We would encourage you to contact us at dpo.contact@peppy.health if you think that any collection or use of your personal data by us is unfair, misleading or inappropriate.

If you make a complaint to us and think we have not dealt with it to your satisfaction, you have the right to make a complaint to your local supervisory authority. A full list of supervisory authorities is available here.

Changes to privacy policy
We keep our privacy policy under regular review. If we change our privacy policy we will post the changes on this page, so that you may be aware of the information we collect and how we use it at all times.