Privacy Policy
V4.0 Effective from 1 June 2024
Previous US version available here
Who we are
Peppy Health Ltd is registered in England and Wales under Company number 11534232 and has its registered office at 2nd Floor 13 Southampton Place, London, United Kingdom, WC1A 2AJ; Peppy Health Corporation is a Delaware corporation with a registered address of 1209 Orange Street, Wilmington, DE 19801 (collectively “Peppy” or “Us”). For the purposes of applicable data protection legislation including the General Data Protection Regulation 2016/679/EU (‘GDPR’), Peppy Health is the data controller for the personal data we process, as described in this privacy policy unless otherwise stated. Our data protection officer (DPO) is Nicole Navarre Girault and can be contacted at dpo.contact@peppy.health.
GDPR Representative for EU/EEA Data Subjects
If you are resident in the EU/EEA, our data protection representative for the purposes of Article 27 GDPR is Data Protection Representative Limited (trading as ‘DataRep’), a company registered in the Republic of Ireland with registered number 616588. You should contact DataRep in the first instance for any requests in relation to your personal data by emailing datarequest@datarep.com or completing a web form at www.datarep.com/data-request. Your request will be forwarded to the DPO as required.
Personal data we collect and process about you
We may collect, use, store and transfer different kinds of personal data about you which we have set out in the table below, together with the legal basis which we rely on for such processing and the purpose for which we process that personal data.
Categories of Personal Data | Legal Basis for processing | Purpose of processing |
---|---|---|
Contact Data Includes name, Peppy user name, address, telephone number, personal email address and work email address. Your Peppy user name may constitute personal data if you use identifiable data when choosing this. | Legitimate interests Peppy communicates with you to deliver our services, and for business development reasons. Consent Necessity for performance of a contract | |
Health Data (Special category personal data) includes information relating to your health status and wellbeing. This may include health data you share during practitioner sessions, biometric data, test results where you have requested diagnostic test services, photos and images of symptoms that you choose to share, symptoms and pathological conditions, medication history, health content preferences, and any other health information submitted via the application or in practitioner sessions. | Consent You have given explicit consent for us to process your personal data and special category personal data. Personal health data will primarily be processed on the basis of your explicit consent. Necessity for providing health services In certain scenarios requiring medical professionals bound by obligations of confidentiality, processing your special category personal data may be necessary for the provision of health or social care services and safeguarding. | |
Ethnicity Data (Special category personal data) including information relating to your ethnicity and/or race. We base this on the ethnicity consensus list provided by the Office of National Statistics and may include information relating to your heritage, place of birth, culture, customs, language etc. | Consent You have given explicit consent for us to process your personal data and special category personal data. Personal ethnicity data will primarily be processed on the basis of your explicit consent. Necessity for providing health services In certain scenarios requiring medical professionals bound by obligations of confidentiality, processing your ethnicity data may be necessary for the provision of health services. | |
Identity Data (Special category personal data where the ID document reveals ethnicity or race or contains biometric data) including the collection and processing of copies of passports, drivers licences and other identity documents which we are required to review in order to offer certain services such as prescriptions. | Consent You have given explicit consent for us to process your personal data and special category personal data. Personal identity data will primarily be processed on the basis of your explicit consent. Necessity for providing health services In certain scenarios requiring medical professionals bound by obligations of confidentiality, processing your special category personal data may be necessary for the provision of health or social care services and safeguarding. | |
Technical Data includes internet protocol (IP) address, your login data, device type, operating system, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the website or App. | Legitimate Interests Peppy processes this information on the basis of its legitimate interests as a digital services business | |
Usage Data Includes information about how you use our website, the App and our services, which pages you visit, traffic and location data. When arranging an initial video call to discuss purchasing Peppy’s Services, we may request to record calls for quality assurance, training and monitoring purposes however you may opt out of such call recording. | Legitimate Interests Peppy processes such usage data on the basis of its legitimate interests Consent You have given clear consent for us to process your personal data when you register to use our services, make contact with us or provide feedback to us about our services. | |
Aggregated Data We may use and share aggregated and anonymised data, such as statistical data, for any purpose, including artificial intelligence research. Aggregated data may be derived from your personal data but is not personal data as this data does not directly or indirectly identify you. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific service and this data may be shared with your employer. | N/A | |
Please note that in order to ensure continuity of services, your data may be accessible to multiple practitioners who are qualified to provide you with assistance, as well as Peppy employees involved in providing the services, on a need to know basis.
Where we have collected and processed your personal information with your consent, you can withdraw your consent at any time by contacting dpo.contact@peppy.health and providing us with enough information to identify you (e.g., account number, username, registration details). In the event that you withdraw your consent it may not be possible to provide you with access to our service in whole or in part.
Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal.
How your Personal Data is provided to Us
For App or website users, we collect Personal Data through the use of the application or website that you choose to submit. We are not provided with Personal Data by any third party unless such party is specifically instructed by you to do so.
Contact Data of customer account holders may be collected in the course of our marketing and sales activities or through your submission of forms on the Peppy website(s).
Marketing and opting out
We conduct direct marketing activities in accordance with all applicable laws. If you prefer not to receive any direct marketing communications from us, you can opt out at any time by:
- emailing us at hello@peppy.health with subject title ‘Unsubscribe’;
- providing us with enough information to identify you (e.g., account number, username, registration details); and
- If your objection is not to direct marketing in general, but to direct marketing by a particular channel (e.g., email or telephone), please specify the channel you are objecting to.
In each communication you receive from us, there will be an “opt-out” or “unsubscribe” option available.
Information about other individuals
If you give us information on behalf of someone else, whether through the Peppy App or web forms, you confirm that the other person has appointed you to act on his/her behalf and has agreed that you can:
- give consent on his/her behalf to the processing of his/her personal data;
- receive on his/her behalf any data protection notices;
- give consent to the processing of his/her personal data; and
- give explicit consent to the transfer of his/her health data.
You should refer any such individuals to this Privacy Policy.
Processing data of minors
Peppy does not ordinarily process personal data of individuals under the age of 18. There may be occasions where you choose to submit the personal data of your dependents for the purposes of receiving guidance or healthcare services. Where this is the case you may be asked to provide additional explicit parental consent to such processing where such individuals are under the minimum legal age for the use of online services or consent to health services.
How long we keep your personal data
We retain your personal data in our server logs, our databases, and our records for as long as necessary to provide our services to you or until such time as you request erasure of your personal data. We may need to retain some of your information for a longer period, such as in back-up records, or in order to comply with our legal or regulatory obligations, to resolve disputes or defend against legal claims. Medical records, which may include chat data, may be retained for up to ten years after you cease to use the services, in line with established health practices.
Where we anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, we may use this information indefinitely without further notice to you.
How long we retain Personal Data will depend on a number of factors, such as:
- Our purpose for processing the data (such as whether we need to retain the data to provide our services);
- The amount, nature, and sensitivity of the data;
- The potential risk of harm from unauthorised use or disclosure of the data;
- Any legal requirements that we are subject to.
Your rights
You have the following rights in relation to your personal data. The rights available to you depend on our legal basis for processing your data.
Access – You have the right to request access to personal data that we may process about you.
Rectification – You have the right to require us to correct any inaccuracies in your personal data.
Erasure – You have the right to ask us to erase your personal data in certain circumstances. Deletion of personal data will be carried out on the understanding that removal of some information (e.g., addresses) during an active membership term may negatively affect your ability to use the website/ App.
Restriction – You have the right to request that we restrict processing of your personal information in certain circumstances.
Objection – You have the right to object to the processing of your personal data.
Portability – You have the right to ask that we transfer the personal data you have given us to another organisation or give it to you.
You will not have to pay a fee for exercising your rights, save for where such a request is determined to be manifestly unfounded or excessive, in which case a reasonable fee may be imposed or we may refuse to act on the request. We have one month to respond to you in relation to a request.
If you wish to exercise any of the rights set out above, please contact dpo.contact@peppy.health and provide us with enough information to identify you (e.g., account number, username, registration details); and to rectify your data specify the information that is incorrect and what it should be replaced with.
Disclosure of your personal data
We use data processors who are third parties who provide elements of services for us. We have contracts in place with our data processors. This means that they cannot do anything with your personal data unless we have instructed them to do it. They may use their own third party data processors, but all of our data processors are subject to legal requirements in line with the GDPR in respect of any processing they carry out on our behalf. They will hold it securely and retain it for the period we instruct.
These types of organisations are:
- Third party care providers such as testing and diagnostic services.
- Email and SMS messaging services (to enable us to communicate with you efficiently).
- Providers of business services such as auditors, consultants, solicitors and/or insurers (to enable us to run Peppy efficiently).
- Providers of IT systems or services (to enable us to run Peppy efficiently)
- IT storage providers (to enable us to secure data efficiently).
- Market research providers (to help us to improve the services we offer).
- Providers of information management services (to help us learn about our customers).
- Organisations that you ask us to share your personal information with (upon request).
- Third party machine learning services to help us to provide a more effective and efficient service to our customers.
If you are a purchaser of Peppy’s services, we may request your consent to monitor and record communications with you (such as telephone conversations, emails and chat) for the purpose of quality assurance, training, detecting, investigating and preventing illegal activities, which may include sharing data with law enforcement agencies. You may opt out of such record keeping where it involves special category personal data, unless such sharing is required by law.
How we use AI
Peppy utilises OpenAI’s API. By using Peppy’s services, you agree to OpenAI’s Privacy Policy and Terms of Service. For more information, please visit OpenAI’s Privacy Policy and Terms of Service.
Using data to train AI
When you use our services for individuals, we may use your content to train our models. You can opt out of training by emailing hello@peppy.health. Once you opt out, new conversations will not be used to train our models.
We use training information only to help our models learn about language and how to understand and respond to it. We do not and will not use any personal information in training information to build profiles about people, to contact them, to advertise to them, to try to sell them anything, or to sell the information itself.
To understand more about how OpenAI and their language models are developed, please review details on data usage and policies here.
Keeping your data secure
We will use technical and organisational measures to safeguard your personal data, for example: we store your personal data on secure encrypted servers.
While we will use all reasonable efforts to safeguard your personal data, you acknowledge that the use of the internet is not entirely secure and for this reason we cannot guarantee the security or integrity of any personal data that is transferred from you or to you via the internet.
Transfers of your information out of the EEA
We may need to transfer your personal data outside the European Economic Area (EEA), including the United States, for example, if one of our suppliers or employees is located outside the EEA.
Where we transfer EU personal data to the United Kingdom, such transfers are subject to the European Commission adequacy decision of 28 June 2021 in respect of the United Kingdom.
Where we need to transfer your data outside the EEA to a country that is not considered to adhere to an equivalent standard of data protection, we will ensure that any transfer of your personal data will be subject to appropriate safeguards, such as a European Commission approved contract (if appropriate) that will ensure you have appropriate remedies in the unlikely event of a security breach.
United States Residents
The information that we share to provide some of the Services is Protected Health Information and therefore subject to our HIPAA Notice of Privacy Practices.
Your Privacy Rights and Choices
Depending on your state of residence (including California, Virginia, Colorado, Utah, Connecticut, and potentially other states), you may have certain rights with respect to your PI. We will strive to honor these rights no matter your place of residence, but we reserve our ability to fulfill your requests as legally required.
To exercise any of the following rights (“Data Subject Right”), you or your authorized agent may contact us via the instructions herein.
We may request additional information to verify the authenticity of your request, including confirming PI or other information that you have already provided to us, or potentially requesting additional PI.
- Right to Know and Access. You may request that we confirm whether we are processing your PI and other details about that processing. Furthermore, you may request that we provide you with a copy of your PI, including the specific pieces of PI if applicable.
- Right to Correct. If you believe that your PI is inaccurate or incomplete, you may request that we correct your PI.
- Right to Delete. You may request that we delete the PI that you have provided to us, subject to certain exceptions.
- Right to Opt Out of Targeted Advertising. Targeted advertising is the practice of serving you personalized ads based on information gathered about you across different websites, devices, or applications. We do not engage in targeted advertising.
- Right to Opt Out of Sales. Some U.S. state laws define sales as exchanges of PI for monetary or other valuable consideration. We do not “sell” your PI.
- Right to Restrict Certain Processing. You may have the right to limit the use or disclosure of your “sensitive” PI or opt out of other processing activities, such as those involving automated decision-making, as defined by applicable U.S. state law.
- Right to Nondiscrimination. We will not discriminate against you for exercising these rights. However, where permitted by law, we may charge a reasonable fee in fulfilling certain requests.
- Right to Appeal. If we deny your request to exercise a Data Subject Right, you may have the right to appeal the decision with us. If you would like to appeal a prior decision, please be sure to include information about your prior request so that we may locate our earlier determination.
In addition to these Data Subject Rights, you can always manage your communication preferences. If at any time you would like to unsubscribe from receiving future emails, you can follow the unsubscribe or opt-out instructions included in the email communication.
Notice to Nevada Residents
We do not “sell” PI according to Nevada law. If you would like to request that we not sell your PI in the future, please follow the instructions in Contacting Us.
Notice to California Residents
The following statements are made in compliance with the California Consumer Privacy Act (“CCPA”), as amended.
We do not “sell” or “share” PI as defined by CCPA. “Share” as defined by CCPA refers to sharing PI for the purposes of cross-context behavioral advertising, also referred to as online targeted advertising.
We do not process sensitive information for purposes other than those specified in Cal. Code Regs. tit. 11, § 7027(m).
In the past 12 months, we have collected PI described above, under “What Personal Information do we collect?” from the sources listed in “Personal data we request and process about you”. This PI falls into the following categories of PI under the CCPA:
- Identifiers
- Visual information (if you choose to upload a photograph of yourself to your account)
- Categories listed in California Civil Code 1798.80(e)
- Characteristics of protected classifications under California or federal law
- Health information
- Internet or electronic network activity information
- Professional or employment-related information
In the past 12 months, we have disclosed PI to the third parties described above, under “Disclosure of your personal data” for the reasons described in the same section. This includes PI from the following categories of PI under the CCPA:
- Identifiers
- Visual information (if you choose to upload a photograph of yourself to your account)
- Categories listed in California Civil Code 1798.80(e)
- Characteristics of protected classifications under California or federal law
- Health information
- Internet or electronic network activity information
- Professional or employment-related information
Links to Other Sites
Our website does and may contain links to other websites. This privacy policy applies only to our website (www.peppy.health and any website URL starting with www.peppy.health/) so when you visit other websites please read their privacy policies, as we cannot accept any responsibility for breaches or issues you may have in relation to privacy once you leave our website.
How to make a complaint
We would encourage you to contact us at dpo.contact@peppy.health if you think that any collection or use of your personal data by us is unfair, misleading or inappropriate.
If you make a complaint to us and think we have not dealt with it to your satisfaction, you have the right to make a complaint to your local supervisory authority. A full list of supervisory authorities is available here.
Changes to privacy policy
We keep our privacy policy under regular review. If we change our privacy policy we will post the changes on this page, so that you may be aware of the information we collect and how we use it at all times.