Privacy Policy

Content

Introduction

The information we collect and process about you

How we collect your personal information

How we use your information

Sharing your personal information

Sharing information for other contractual or legal reasons

Medical consent

The use of anonymised and aggregated data

Data storing and processing locations

Data security

Data retention

Online services – cookies

Third party links

Identity checking

Your rights

Exercising your rights

Privacy related complaints

Policy changes

 

Introduction

 

Please take a moment to read this privacy policy carefully, as it contains important information about who we are, and how and why we collect, store, use, and share your personal information. It also explains how we handle your data when you contact us or use our services.

For the avoidance of doubt and in the interests of transparency, please note that all calls, consultations and electronic communications are recorded to protect the interests of all parties.

To help you understand this policy, here’s what we mean when we use certain terms:

“HealthHero”, “we”, “us”

Refers to either HealthHero Solutions Ltd or HealthHero Healthcare Ireland Ltd, depending on which entity is providing the service.

“Partner organisation”

Means any organisation that has arranged for you to access our services. This could include your employer, insurer, or a membership group.

“You”, “your”

Refers to the individual whose personal data is being collected, used, or processed—typically the person receiving our services.

This policy applies to all users of HealthHero services, whether:

  • you are paying for the service yourself,
  • you are receiving the service as a benefit through a third-party partner organisation, or
  • you are a beneficiary entitled to access the service through one of the above arrangements.

The information we collect and process about you

We routinely collect and use the following personal information about you, including:

  • name and contact information, including home address, telephone number and email address;
  • location at the time of a consultation if different to the home address (for use only in the case of a medical emergency);
  • date of birth;
  • if necessary, the name of the partner organisation and any access code, policy, or membership number; and
  • health data, which can include audio/video recordings, documents and images.

This personal information is required to provide our services. If we do not receive all the personal information we ask for, it may delay or prevent us from providing our services.

Consultation audio or video recordings, images or other health documents provided to us will be stored as part of the HealthHero Electronic Health Record (EHR) we create for service users when they use our services.

How we collect your personal information

We collect personal information directly via:

  • telephone
  • email
  • online services (webforms/Progressive Web Apps)
  • mobile applications (e.g. native apps hosted on App Store/Google Play)
  • third-party applications via APIs (Application Programming Interfaces)

We may also collect information directly from third parties e.g., insurance companies and other organisations which you are a member of.

How we use your personal information

We collect and process your personal and sensitive information solely for the purpose of providing you with access to our services.

We comply with the data protection laws of the UK or Ireland depending on where we provide care, ensuring that your personal data is processed lawfully, fairly, and securely. Our systems and processes comply with the UK GDPR, and the EU GDPR as enacted through the Data Protection Acts of 2018 in both jurisdictions.

References in this privacy notice to the GDPR shall be interpreted to include both the UK GDPR as defined in section 3(10) of the Data Protection Act 2018 (as amended), and the EU GDPR (Regulation (EU) 2016/679), as applicable, depending on the jurisdiction in which the healthcare is delivered.

Under the GDPR, we can only use your personal information if we have a lawful reason for doing so. For example:

  • where you have given consent, under GDPR Article 6(1)(a).
  • for the performance of a contract with you or a third party or to take steps, at your request, before entering a contract under GDPR Article 6(1)(b).
  • to comply with our legal and regulatory obligations under GDPR Article 6(1)(c).
  • for our legitimate interests or those of a third party under GDPR Article 6(1)(f).

To process your health data, we must also comply with Article 9 of the GDPR because it is classified as a special category of personal data. Article 9(2)(h) of the GDPR permits the processing of special category data, such as health data, when it is necessary for the purposes of preventive or occupational medicine, medical diagnosis, or the provision of health or social care.

Therefore, the lawful basis under which HealthHero ordinarily processes your personal and sensitive category data is provided for under Articles 6(1)(b), 6(1)(f) and 9(2)(h) of the GDPR.

Our legitimate interests include, but are not limited to, the following purposes:

Legitimate Interest: Purpose

  • Service Provision & Access Management: Creating and managing user accounts to facilitate access to our healthcare services.
  • Quality Assurance & Service Improvement: Collecting patient feedback and using AVT (ambient voice tech) to improve services, documentation and reduce admin burden.
  • Employee Safety & Security: Monitoring systems (e.g. call recordings) to protect staff and patients.
  • Intra-group Data Sharing: Sharing data within the HealthHero Group to deliver integrated services.
  • Fraud Prevention & IT Security: Detecting misuse of services or unauthorised access to systems.
  • Contractual Fulfilment with Corporate Clients: Processing data to deliver services to employees or members of partner organisations.

Sharing your personal information

We will not share any personal information with any third parties without your explicit consent or as otherwise set out in this privacy policy. We only allow third parties to handle your personal information if we are satisfied that they take appropriate measures to protect your personal information.

Where we have a lawful basis to do so, we may share personal information with:

  • other companies within the HealthHero Group we use to deliver our services to you.
  • third parties we use to help deliver our services to you.
  • other third parties we work with to provide services to you, e.g. insurance companies.
  • other third parties we use to help us run our business e.g. website hosts.
  • third parties approved by you.

To provide a more focused patient interaction, support accurate documentation and reduce administrative burden, your consultation may be transcribed using secure ambient voice technology (AVT). This captures spoken dialogue and converts it into clinical notes. No audio is stored by the provider, and all data is handled in accordance with this privacy policy. We only use AVT systems approved for use in the territory in which your healthcare is delivered.

A partner organisation may require us to share personally identifiable information to validate your eligibility or confirm that you have used the service.

We may also be asked by a partner organisation who provides you with access to our services to disclose relevant consultation records if you are in the process of making a claim, or to facilitate continuity of care. Where we do not already have a lawful basis to share this information, we will seek your consent to do so.

Sharing information for other contractual or legal reasons

You may have been referred directly to our services by a partner organisation as part of their contractual obligations to you, for the purposes of preventive or occupational medicine, the assessment of your working capacity, medical diagnosis or the provision of healthcare or treatment. Where this is the case, we may be obliged to share special categories of personal data with them in order that they can fulfil their contractual obligations to you.

We will share personal information with other third parties if we have a belief in good faith that access, use, preservation, or disclosure of the information is reasonably necessary to:

  • meet any applicable law, regulation, legal process, or enforceable governmental request.
  • enforce applicable Terms of Service, including investigation of potential violations.
  • detect, prevent, or otherwise address fraud, security, or technical issues; and/or
  • protect against harm to the rights, property, or safety of companies within the HealthHero Group, our partners, users, or the public, as required or permitted by law.

Medical consent

In most circumstances health and care staff will rely upon consent as the basis for accessing and using confidential patient information. This should not be confused with giving consent to process data, as described in Articles 6(1)(a) and 9(2)(a) of the GDPR, which is different.

We may use or share your clinical information in two main ways:

  • For Your Direct Care (Implied Consent)

When we share relevant information with other healthcare professionals directly involved in your care, we rely on implied consent. This means we assume you would reasonably expect your information to be shared to support your treatment, unless you tell us otherwise.

For example, we might share information with another HealthHero clinician for a second opinion or share a private prescription directly with your local pharmacist, as they would also be directly involved in your care by dispensing the medication.

  • For Other Purposes (Explicit Consent)

If the consulting doctor feels it is appropriate, they will ask for your consent to share a copy of the consultation notes, including any Prescriptions, Referral Letters, Medical Certificates or Fit Notes with your normal healthcare provider, e.g., your regular GP Practice.

We would also seek your consent to use your information for anything beyond your individual care—such as research, service planning, or training.

This means you will be clearly informed and asked to agree, either verbally, in writing, or through another form of communication.

The use of anonymised and aggregated data

Anonymised and aggregated data falls outside the scope of the GDPR because it no longer qualifies as "personal data." Under the GDPR, personal data refers to any information that can directly or indirectly identify an individual. Once data has been anonymised—meaning all identifiers have been irreversibly removed—and aggregated so that it cannot be traced back to any individual, it is no longer subject to the GDPR.

Consequently, we may share anonymised or aggregated information publicly and with our partners. For example, we may share information publicly to show trends about the general use of our clinical services.

We may share anonymised or aggregated information with other parties for purposes such as research, service planning, or training. This could also include sharing with potential buyers of some or all of our business, or during a re-structuring.

HealthHero will ensure that all anonymisation or aggregation processes are robust and prevent the re-identification of any individual. The recipient of any such information shared by HealthHero will be bound by confidentiality obligations.

Data storing and processing locations

We process and store data at our trading offices at Inspired, Easthampstead Road, Bracknell, Berkshire, RG12 1YQ, UK and at 2 Dublin Landings, North Wall Quay, Dublin 1, D01 V4A3, Republic of Ireland, and (under contract) at the sites of data processors and third parties appointed by us within the UK and the European Economic Area (EEA).

Importantly, clinical data is never stored or processed outside the UK or EEA. All health-related information, including consultation notes and medical records, is securely hosted within UK- or EEA-based data centres in accordance with the GDPR and our internal governance protocols.

However, under limited circumstances, some personal data you provide to us may be processed or stored outside the UK and the EEA. For example, we use Typeform—a trusted third-party service—to help us to collect feedback, survey responses, and provide you with online support. For example, if you need online help when using our Apps, we may ask for basic personal details—such as your name and email address—so we can respond to your request. When Typeform processes this data on our behalf, following our instructions, and in full compliance with GDPR and our internal data protection policies, they may use servers located outside the UK or EEA.

However, when we collect feedback after a consultation, the data is pseudonymised. This means Typeform cannot identify you, as only we hold the additional information required to do so.

The use of any data processors outside of the UK or EEA will always be safeguarded in accordance with Articles 46, 47 or 49 of the GDPR. For further information on these safeguards, contact us at dpo.epc@healthhero.com.

Data security

We take appropriate technical and organisational measures to maintain your personal information in a secure environment and to prevent it from being accidentally lost, or accessed or used without authorisation. Our partners are bound by contract to do the same. We limit access to your personal information to those who have a genuine business need to access it.

We use Transport Layer Security (TLS) to encrypt and protect data traffic generated as part of our normal operations. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software and you have a responsibility to ensure that any email you send is within the bounds of the law.

We will notify you and the appropriate supervisory authority of any suspected data security breach where we are legally required to do so.

Data retention

Where we have been provided with your personal information to establish your eligibility to use the services, we will only retain this information for as long as you are declared as eligible by any partner organisation.

HealthHero EHRs are retained for a minimum of 10 years after death. Current guidance is that EHRs must not be destroyed or deleted. This includes any video or audio recordings.

Information that is not directly related to your EHR will be retained only for as long as is necessary and in accordance with retention periods set out in our Record of Processing Activities, a copy of which can be provided on request.

Online services – cookies

Our corporate websites and web-based services use cookies. Cookies are small text files that are stored on your device (e.g. computer, smartphone or other electronic device) to allow websites to store information about you in relation to the site. We collect statistics from our online services using Google Analytics, allowing us to record visitor numbers, number of pages viewed and referral source. This data simply helps us to administer and enhance the sites and services provided.

For full information on the cookies we use, please see our HealthHero Group Cookie Policy.

You can manage your cookie preferences in your browser settings.

Third party links

If you are using an online service provided by us, you may have access to links to other web sites. If you follow links to other sites from our hosted services, your data will be subject to the privacy policies of those sites. You should refer to these policies before providing any personal data to them. These other third-party websites may also use cookies or similar technologies in accordance with their own separate cookie policies.

The owners of these sites may be independent from us, and we do not endorse or accept any responsibility for their content or services they may offer.

Identity checking

Depending on the service we provide you, we may need to perform an identity check before you are able to access the services. This is necessary to ensure we can identify the correct service user and provide appropriate care options and safeguard the confidentiality of your care record.

To perform these checks, we use a third-party supplier, Yoti Ltd, to which you will be directed as part of the sign-up process. You will need to upload a photograph of a photo ID, passport, driver's license, etc. You will then be asked to take a clear photo of your head and shoulders for comparison.

Yoti will then compare your uploaded information and provide the outcome of the verification check to HealthHero. All uploaded information will be held by Yoti for 28 days before being automatically erased. Please see the Yoti Privacy Policy for more information. HealthHero will also retain a copy of your photo and the last four digits of your ID number so our clinicians can check identification during video appointments.

We encourage you to complete the ID check upon registration with HealthHero as you will not be able to access the services without completing this step. The process is usually completed within 24 hours but may take longer on weekends.

Your rights

Under the GDPR, you have several rights which may apply to the services we provide including the right:

  • to ask us for copies of your personal information (the right of access).
  • to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete (the right to rectification). Whilst we are always happy to rectify incorrect information, we will not make changes to information that was factually correct at the time it was originally processed, e.g. the Date of Onset for a condition as originally stated by a patient.
  • under certain circumstances, to require us to delete your personal information (the right to be forgotten). Please note that the right to erasure does not extend to EHRs.
  • under certain circumstances, to require us to restrict processing of your personal information e.g. if you contest the accuracy of the data (the right to restrict processing).
  • under certain circumstances, to receive the personal information you provided to us, in a structured, commonly used and machine-readable format and/or transmit that data to a third party (the right to data portability).
  • under certain circumstances, to object to our continued processing of your personal information e.g. processing carried out for the purpose of our legitimate interests (the right to object).

You can withdraw your consent to future processing at any time, but this right cannot be applied to data already processed.

Exercising your rights

If you have had a recent consultation and would like to be sent information we hold regarding that appointment or relating to your HealthHero EHR, you can make a Subject Access Request directly to our Customer Service team at gppatient@healthhero.com, or by calling them on the telephone number you have been given to access the service for Customer Service support.

For example, you should contact the Customer Service team directly if you want to get a copy of any consultation notes, referral letters, medical certificates or fit notes. They will also manage any requests to rectify any errors in documents we have provided to you.

Should you wish to have access to other information held about you, exercise any of your other rights, or want further information on each of those rights, including the circumstances in which they apply, please email us at dpo.epc@healthhero.com. Alternatively, you can write to our team at the following locations:

For patients based in the UK:

The Data Protection Officer

HealthHero Solutions Ltd

Inspired,

Easthampstead Road,

Bracknell,

RG12 1YQ

For patients based in Ireland:

The Data Protection Officer

HealthHero Healthcare Ireland Ltd

2 Dublin Landings

North Wall Quay

Dublin 1

D01 V4A3

If we are unable to confirm or have reasonable doubts concerning the identity of the person making a request to exercise the rights above, we will require additional proof of identity (e.g. a copy of your driving licence or passport and a recent utility or credit card bill) and/or evidence of the requester’s authority to exercise these rights.

We will ask for information on the right you wish to exercise and the information to which your request relates.

If you make a request, we will respond to you without undue delay and in any event within one month of your request.

Privacy related complaints

HealthHero Solutions Ltd is regulated by the Information Commissioner’s Office (ICO) in the United Kingdom (UK).

The Data Protection Officer for HealthHero Healthcare Ireland Ltd is registered with the Data Protection Commission in Ireland.

Before a Supervisory Authority becomes involved in a privacy related incident, they will expect the data subject and controller to have tried to resolve it. We hope that we can address any query or concern you may have about our use of your information. However, if you are not happy with how we have processed your personal information, handled your privacy rights, or responded to a privacy related complaint, you can raise a concern with the appropriate supervisory authority:

For service users based in the UK:

The Information Commissioner’s Office

https://ico.org.uk/make-a-complaint/

Tel: +44 (0)303 123 1113

For service users based in Ireland:

The Data Protection Commission

https://forms.dataprotection.ie/contact

Policy changes

If we are involved in a merger, acquisition, or asset sale, we will continue to ensure the confidentiality of any personal information and give notice to you if affected before personal information is transferred or becomes subject to a different entity’s privacy policy.

Changes may be necessary to this privacy policy from time to time to reflect contractual, legal or data processing developments. If we change this privacy policy, we will update it on this web page.

Links checked and policy last updated on 3-Jul-25.