Our Privacy Policy

CheqUp Privacy Policy – Weight loss services

Introduction

This Privacy Notice is designed to help you understand how CheqUp Health Limited collects, uses, and protects your personal data, and what your legal rights are.

This website is not intended for children under the age of 18. We do not knowingly collect data relating to children and our services require age verification as part of our onboarding process.

If there is anything in this notice you do not understand, or if you wish to ask any questions, please contact us using the details in Section 12.

This notice covers our activities as a Data Controller for data associated with our staff, customers, and patients who choose or are referred to our services. It should be read alongside our Terms and Conditions and any other privacy or fair processing notices we may provide on specific occasions.

1. Who We Are

Full legal name: CheqUp Health Limited

Registered company number: 12570252

Registered pharmacy (GPhC No. 9012707)

Email: [email protected]

Postal address: Turnpike House, Methuen Park, Chippenham, Wiltshire, SN14 0GF

CheqUp Health Limited is the Data Controller responsible for your personal data. We are a registered pharmacy with the General Pharmaceutical Council (GPhC No. 9012707) and are subject to the legal and regulatory obligations that apply to registered pharmacies, including the Human Medicines Regulations 2012 and GPhC standards.

You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). We would, however, appreciate the opportunity to address your concerns first — please contact us in the first instance.

Definitions

The following definitions apply throughout this notice:

  • Controller: The entity that determines the purposes and means of processing personal data. CheqUp Health Limited is the Controller for the data described in this notice.
  • Data Protection Laws: The UK GDPR and the Data Protection Act 2018 (DPA 2018), as amended or replaced from time to time.
  • UK GDPR: The retained UK law version of the General Data Protection Regulation (EU) 2016/679.
  • DPA 2018: The Data Protection Act 2018, as amended.
  • Special Category Data: Personal data revealing racial or ethnic origin, health data, biometric data, and other categories afforded heightened protection under UK GDPR Article 9.
  • Cookies: Small text files placed on your device when you visit our website. See our Cookie Policy at https://chequp.com/cookie-policy/ for full details.
  • UK and EU Cookie Law: The Privacy and Electronic Communications (EC Directive) Regulations 2003, as amended.

2. Why We Collect and Process Personal Data

We collect personal data for the following purposes:

  • To manage our business and staff.
  • To maintain professional relationships with customers and prospective customers.
  • To provide clinical and pharmacy services, including assessing eligibility for prescription-only medication, prescribing, and dispensing.
  • To verify the identity of patients accessing prescribing services, using our third-party identity verification provider, Persona Identities, Inc. (“Persona”).
  • To fulfil orders for non-prescription products, including food supplements.
  • To improve our services and evaluate their effectiveness.
  • To comply with our legal and regulatory obligations as a registered pharmacy.

We only collect personal data where it is necessary for these purposes and where we have a lawful basis to do so under the Data Protection Laws.

3. The Data We Collect

We may collect the following categories of personal data:

  • Identity Data: first name, last name, username or identifier, title, date of birth, gender.
  • Verification Data: information collected during identity verification, including identity document images and details, selfie, photo, video and liveness check data, device and technical identifiers used during verification, and the outcome of the verification process. This may include biometric data (a scan of facial geometry) where you have given explicit consent (see Section 5).
  • Contact Data: billing address, delivery address, email address, telephone numbers.
  • Financial Data: payment card details (processed securely by our payment provider).
  • Transaction Data: details of payments and products or services purchased.
  • Technical Data: IP addresses, login data, browser type and version, time zone, browser plug-ins, operating system and platform, and other technology data from devices used to access our website.
  • Profile Data: username and password, purchase history, interests, preferences, feedback, and survey responses.
  • Usage Data: information about how you use our website, products, and services.
  • Marketing and Communications Data: your preferences for receiving marketing from us and your communication preferences.

Special Category Data

Where you engage with our clinical or pharmacy services and have given us consent, we collect the following Special Category Data:

  • Health information: including weight, height, BMI, and medical history.
  • Ethnicity: we ask about your ethnic background solely to apply the correct clinical eligibility threshold for weight management treatment. NICE clinical guidelines set different qualifying BMI thresholds depending on ethnic background — for example, a lower threshold applies for individuals from South Asian, Chinese, and other non-white ethnic backgrounds. This information is used only to assess your clinical eligibility and for no other purpose.
  • Biometric data: a scan of facial geometry, processed by Persona as part of identity verification, where you have provided explicit consent (see Section 5).
  • Body measurement data: photographs and video footage collected as part of our onboarding process to support clinical assessment of BMI and physical health. This data is reviewed by qualified healthcare professionals and is stored on our internal systems. It is classified as health data and is subject to the same retention periods as other patient records (see Section 9). We do not currently use automated or algorithmic processing to analyse this data. If we introduce such processing in the future, we will update this notice and seek any additional consents required.

We do not collect information about criminal convictions or offences. We do not require Special Category Data for supplement-only purchases.

Aggregated Data

We may use anonymised or aggregated data for research, analysis, and insight generation to help us improve our services. Aggregated data cannot identify you as an individual. If we combine aggregated data with personal data in a way that could identify you, we will treat the combined data as personal data in accordance with this notice.

If You Fail to Provide Data

Where we are required by law or contract to collect personal data and you do not provide it, we may be unable to deliver the relevant service. We will notify you at the time if this is the case.

4. How We Collect Your Data

Direct Interactions

You may provide data directly when you:

  • Enquire about or sign up to our weight loss services.
  • Complete our weight loss or clinical questionnaire.
  • Create an account or access our online portal.
  • Purchase supplements or other non-prescription products.
  • Request marketing communications.
  • Contact us with feedback or queries.

Automated Technologies

As you interact with our website, we may automatically collect Technical Data using cookies, server logs, and similar technologies. See our Cookie Policy at https://chequp.com/cookie-policy/ for details.

Third Parties

We may receive personal data from:

  • Analytics providers and search information providers (Technical Data).
  • Payment and delivery service providers (Contact, Financial, and Transaction Data).
  • Persona (Verification Data), where you complete identity verification as part of accessing our prescribing and pharmacy services.

5. How We Use Your Personal Data

We use your personal data only where the law permits. Our primary lawful bases are:

  • Performance of a Contract (Article 6(1)(b)): to deliver our services, including consultations, prescribing, dispensing, and fulfilment of orders.
  • Legal Obligation (Article 6(1)(c)): to comply with pharmacy regulations, including the Human Medicines Regulations 2012 and GPhC requirements.
  • Legitimate Interests (Article 6(1)(f)): to improve patient care, service quality, and operational efficiency, where this does not override your fundamental rights and freedoms.
  • Consent (Article 6(1)(a) and Article 9(2)(a)): for Special Category Data, including health data and biometric data, where we require your explicit consent.

Legal Basis for Health Data

We rely on the following provisions of UK GDPR to process health data:

  • Article 6(1)(c) — Legal Obligation: to retain patient records as required by pharmacy regulations and GPhC standards.
  • Article 6(1)(f) — Legitimate Interests: to store and analyse patient data to provide effective healthcare services.
  • Article 9(2)(h) — Healthcare Provision: to collect and process medical information to assess suitability for medication and ensure patient safety. This applies only where you engage with our clinical or pharmacy services.

Biometric Data and Identity Verification

Where you are required to complete identity verification in order to access our prescribing services, we use Persona to carry out this verification. Before you are directed to Persona’s platform, we will present you with a separate, explicit consent step explaining:

  • That biometric data (a scan of your facial geometry) will be collected as part of the verification process.
  • The purpose of that collection (identity verification and fraud prevention).
  • That this data will be processed by Persona Identities, Inc. on our behalf as our data processor.
  • That you may withdraw your consent at any time by contacting us (see Section 12).

You must provide this consent before we proceed with the verification. The consent is recorded in our systems with a timestamp, your user ID, and the version of this privacy notice in force at the time.

Eligibility Screening

We use a rules-based eligibility screening process to assess whether the information you have provided suggests you may qualify for weight management treatment, based on clinical criteria including BMI thresholds and medical history. This initial screen follows NICE clinical guidelines and regulatory requirements. It is not a final clinical decision — all prescribing decisions are made by qualified healthcare professionals who review your information individually.

Supplements and Non-Prescription Products

When you purchase supplements or other non-prescription products, we process your data on the following bases:

  • Article 6(1)(b) — Performance of a Contract: to process and fulfil your order, arrange delivery, process payments, and provide customer support.
  • Article 6(1)(f) — Legitimate Interests: to prevent fraud, ensure platform security, manage our business, and improve our products and services.

Supplement purchases do not involve medical consultation, prescribing, or healthcare provision. We do not require or routinely collect Special Category Data for supplement-only purchases. Any health-related information you voluntarily provide in connection with supplement purchases will only be processed where you have given explicit consent for a clearly specified purpose.

Marketing

We will only send you marketing communications where you have explicitly consented to receive them. You can withdraw consent at any time by updating your preferences in your account or clicking “Unsubscribe” in any marketing email.

6. Who We Share Your Data With

We share personal data only where necessary and with appropriate safeguards. We require all third parties to respect the security of your data and to comply with applicable data protection law. We do not permit third-party service providers to use your data for their own purposes.

Service Providers and Partners

  • Persona (identity verification): to verify your identity and perform liveness and fraud-prevention checks as part of our prescribing and pharmacy services. Persona acts as our data processor. See Section 8 for information about international transfers.
  • Medical practitioners: doctors and clinicians who provide medical oversight and prescribing services.
  • Nutrition and physical activity practitioners: who may provide dietary and exercise information to support your care.
  • WeightWatchers: where you choose to connect your CheqUp account with the WeightWatchers nutrition app, we will share your CheqUp customer ID, full name, and email address with WeightWatchers to link your accounts. This sharing occurs only at your request and is initiated by you. In return, WeightWatchers will notify us whether you have successfully registered on their platform. We do not share any health, medication, or clinical information with WeightWatchers. This data sharing is conducted under appropriate data processing agreements.
  • Payment, delivery, and technical service providers: to process payments and fulfil orders.

Regulatory and Healthcare Authorities

  • Regulatory authorities: including the General Pharmaceutical Council, Care Quality Commission, and NHS England, where legally required.
  • Healthcare professionals: involved in your care and oversight, where necessary to provide quality healthcare services and only where you are using our clinical or pharmacy services.
  • Pharmacy partners: where your medication is dispensed by another licensed pharmacy, we share only the information necessary to fulfil your prescription.

Business Transfers

In the event that we sell or reorganise our business, we may transfer personal data to a new provider. We will ensure your interests are protected and will notify you of any material change in how your data is handled.

Non-Prescription Products

For supplement and non-prescription product orders, we may share limited personal data with suppliers, manufacturers, warehouses, payment providers, and delivery partners solely for the purpose of fulfilling your order. We do not share your data with healthcare professionals in connection with supplement purchases unless you separately engage with our clinical or pharmacy services.

We do not sell personal data or share personal health data with third parties for marketing or commercial purposes.

7. Where Your Data Is Stored

We use DigitalOcean, OVH Cloud, and Google Cloud Platform (GCP) to store data securely. These services store data within the United Kingdom. We are currently migrating our primary database from OVH Cloud to GCP; during and following this migration, all data continues to be held within the UK.

Where you complete identity verification, Verification Data is processed by Persona on our behalf. Persona may store and process this data outside the UK, primarily in the United States and Germany. See Section 8 for details of the safeguards in place for these international transfers.

8. International Transfers

Some of your personal data may be transferred and processed outside the UK where we use service providers that operate internationally. Where this occurs, we ensure that appropriate safeguards are in place.

In particular, Verification Data processed by Persona may be stored and processed in the United States and Germany. For transfers to the United States, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable, to ensure your data receives the same level of protection as it does in the UK.

We will only transfer personal data to countries that have been deemed to provide an adequate level of protection by the UK, or where appropriate contractual safeguards are in place.

Please contact us if you would like further information about the specific transfer mechanisms we use.

9. How Long We Keep Your Data

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods are set out in the table below.

| Data Type | Retention Period |
|---|---|
| Clinical and prescription records | 8 years from last interaction |
| Identity verification data — personally identifiable information (via Persona) | 3 years from date of verification |
| Identity verification data — outcome record only (non-PII) | 8 years |
| Supplement and non-prescription purchase data | 6 years from transaction date |
| Marketing consent records | 6 years from date of withdrawal of consent |
| Active marketing data following unsubscribe | Deleted within 30 days of unsubscribe |
| Website analytics and technical data | 26 months |
| Raw server logs | 90 days |
| Prospective customers (enquired but did not purchase) | 12 months from last interaction |
| Staff personal data | 6 years post-employment |

Right to Erasure

You have the right to request deletion of your personal data. Where your data is subject to a mandatory retention period (for example, prescription records retained under the Human Medicines Regulations 2012), we will acknowledge your request and restrict processing of your data for non-essential purposes such as marketing. We will securely delete or anonymise your data once the applicable retention period has expired.

If you wish to exercise your right to erasure, please contact us using the details in Section 12.

10. Data Security

We have implemented appropriate technical and organisational security measures designed to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. Your data is stored in encrypted databases located within the UK, and access is strictly limited to authorised healthcare professionals and staff on a need-to-know basis. We regularly review our security controls to guard against unauthorised access, data breaches, and unlawful processing.

Where we engage third-party service providers who process data on our behalf, we ensure that appropriate data processing agreements and technical and organisational security measures are in place.

In the event of a personal data breach, we will follow our breach response procedures, including notifying the ICO within 72 hours where required by law, and notifying affected individuals where appropriate.

11. Your Rights

Under UK data protection law, you have the following rights in relation to your personal data:

  • Right of Access: you may request a copy of the personal data we hold about you. We may ask you to verify your identity before processing your request.
  • Right to Rectification: if the data we hold about you is inaccurate or incomplete, you may ask us to correct it. We will make every effort to respond promptly.
  • Right to Erasure: you may ask us to delete your personal data, subject to our legal retention obligations (see Section 9).
  • Right to Restriction of Processing: you may ask us to restrict how we use your data in certain circumstances, for example while we investigate a rectification request.
  • Right to Data Portability: you have the right to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to have that data transferred to another provider of your choosing. This right applies to data processed on the basis of consent or contract.
  • Right to Object: you have the right to object to processing of your personal data carried out on the basis of legitimate interests, including for direct marketing.
  • Right to Withdraw Consent: where we process your data on the basis of consent (including for Special Category Data and biometric data), you may withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before withdrawal.
  • Right to Complain: if you are unhappy with how we have handled your data, you have the right to complain to the ICO at www.ico.org.uk or by calling 0303 123 1113. We would appreciate the opportunity to address your concerns before you contact the ICO.

We will not charge a fee for responding to your request unless it is clearly unfounded, repetitive, or excessive, in which case we may charge a reasonable fee or decline to respond. We will aim to respond to all legitimate requests within one month. Where a request is complex or you have made multiple requests, we may take up to three months and will notify you accordingly.

12. Contact Us

If you wish to exercise any of your rights, or if you have any questions about this privacy notice or how we handle your data, please contact us:

CheqUp Health Ltd

Turnpike House, Methuen Park, Chippenham, Wiltshire, SN14 0GF

Email: [email protected]

Data Protection Officer: Toby Nicol

For data protection queries, please email [email protected] with the subject line: “FAO Data Protection Officer”.

We may need to collect some personal data in order to respond to your queries. We will use this information only to respond to your request, provide relevant services, process orders, administer our obligations to you, or resolve issues with services supplied to you. We do not share this information with any other party.

13. Third-Party Websites

This notice applies to CheqUp Health Ltd only. Our website may contain links to third-party websites, plug-ins, and applications. We are not responsible for the privacy practices of those sites. When you leave our website, we encourage you to read the privacy notice of every site you visit.

14. Changes to This Notice

We may update this privacy notice from time to time. Where we make material changes, we will notify you by email or through a prominent notice on our website. The date at the top of this notice reflects when it was last updated.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.


Pharmacy details

The prescribing of medicines through our website is carried out by CheqUp Health Limited (registered with Care Quality Commission with number 1-17083303713). Our medications are dispensed by Chequp Health Limited. Chequp Health Limited is regulated by the General Pharmaceutical Council (number 9012707) where the Superintendent Pharmacist is Aaron Arman (GPhC number 2216043). You can view our full pharmacy terms and regulatory information, including details on how to contact us or the relevant regulatory bodies, by clicking here.

Copyright ©2026 CheqUp. All rights Reserved.
