Privacy Policy

Alvie Ltd
Privacy Policy
1st September 2023

1.0 INTRODUCTION

This is the Privacy Policy for the website hosted at https://alviehealth.com (the “website”) and the Alvie health app (the “App”), (together our “Services”). Our Services are operated by Alvie Limited. The Site and App are operated by Alvie Limited trading as “Alvie” (“we”, “us” and “our”). We are a limited company, registered in England. Our registered company number is 11096924, and our registered office is TOG, 24 Greville Street, London, EC1N 8SS.

We are committed to protecting and respecting your privacy and this policy (together with the terms of service) sets out:

1) Introduction
2) Applicable law
3) Information we collect about you
4) How we use your information
5) Where we store your information
6) How we protect your information
7) Legal bases for processing your data
8) How long we keep your information
9) Subject access requests, changing and deleting your personal data
10) Your rights
11) Child safety
12) Marketing


Our data protection officer (DPO) is Martyn Rankin and can be contacted at enquiries@alviehealth.com

By using or engaging our Services you acknowledge that you have read and understood this privacy policy. We reserve the right to change this privacy policy from time to time and any substantive changes will be notified to you by email

This privacy policy was last updated on 1st September 2023.

2.0 APPLICABLE LAW

Data processing by Alvie Limited is subject to English law. Pursuant to UK GDPR, UK DPA 2018, and any other applicable data protection regulations, we work to ensure our users have appropriate protection of their privacy and personal data.

For the purposes of European Economic Area data protection law, (the “Data Protection Law”), the data controller is Alvie Limited. This means we are responsible for deciding how we hold and use personal information about you.

3.0 INFORMATION WE COLLECT ABOUT YOU

We are committed to the GDPR principle of data minimisation, and only collect the personal data we require to be able to provide our Services to you. We will collect and process the following personal data from you:

Information you give us

This is information about you that you give us directly when you interact with us. We will not use your personal data for any purposes that are not set out in this privacy policy, or will update you if we need to use your personal data for another purpose. This information is required to:  

  • Register on our programme and create an account 

  • Build a baseline and ongoing health profile to enable us to deliver a safe, personalised health coaching service

  • If you are a healthcare provider or carer, to enable us to contact you

How we obtain your information

This will be collected in a number of ways including:

  • In an initial telephone call with you following your referral

  • Via SMS when replying to appointment messages

  • In any video, telephone or chat appointments with our customer service teams, coaches or healthcare professionals

  • When you input information into the App or website (including responses to questionnaires)

  • When you report a problem with the App or website

  • Information provided by your referring healthcare professional (e.g. your clinical team) on referral and throughout your use of our Services.

The information you provide may include your name, address, email address, telephone number, date of birth, gender, login and password details.

To interact fully with the Service you will need to provide additional information including information about your existing health conditions, treatment and/or medication, symptoms and referring hospital, and use our chat functionality to let us know how you are progressing with your coaching programme on a regular basis.

You can choose to import metrics on activity, heart rate and sleep via wearable devices (for e.g. Fitbit and Apple Health). You will also be able to journal your mood and symptoms, such as the type, severity and frequency, so you can track your progress over time and share with others where you choose to do so.

NHS Services

We provide some services to the NHS. For NHS patients, we are obliged to collect data on your health and healthcare in order fulfil our contractual obligations. This data may include relevant information about your diagnosis and treatments from your NHS health care records. We use this data to provide health coaching, give feedback to your clinical team, to account for our NHS activity and to evaluate our outcomes in line with our contractual obligations.

4.0 HOW WE USE YOUR INFORMATION

Only employees and agents of Alvie , which are obligated to maintain confidentiality, can access applicable data and only as reasonably necessary to perform their role. Other third parties do not have access to your personal data without your explicit consent.

Your personal data, as well as all data collected via the App or website (e.g. data about activity, symptoms, mood etc., including from connected external apps e.g. Fitbit, Apple HealthKit,) will only be used for rendering Services according to contractual obligations. When Alvie is providing Services to, and on behalf, of the NHS or Private medical Insurers, personal data is exchanged between Alvie and referring healthcare professionals (e.g. your GP practice) for the purposes of caregiving and safeguarding. We also report our activity to referring healthcare organisations.

When Alvie is providing Services to, and on behalf of the NHS or Private Medical Insurers, non-personally identifiable (or anonymised) data on Service users is shared with commissioning bodies and contractually relevant parties for the purposes of evaluating our Services and/or for research. Such data may be used by Alvie and authorised affiliates (i.e. NHS) for research and publication purposes and can be analysed and used to improve our Service (optimisation, further development and research) during the duration of the contract and after the termination of the contractual relationship.

We also record telephone/video calls as needed for optimal customer service and quality management purposes.

You have the right and ability to opt out of certain uses or sharing of your data etc., please see below section titled “Subject Access Requests, Changing & Deleting Your Personal Data”. The reason you cannot opt out of all data sharing with us is that we would be unable to provide you with our Service.

5.0 THIRD PARTY SERVICES

If you decide to allow any third-party wearable devices to connect with our Services, we will receive information about you such as your steps, heart rate and sleep data via Bluetooth.‌

When moving away from the Alvie app to utilise third party websites or devices referred to within the Alvie mobile app, this Privacy Policy will no longer apply and the Privacy Policy of the third party shall apply.

We use third party services for some aspects of our programme. 

6.0 WHERE WE STORE YOUR INFORMATION

All information you provide to Us is stored on secure servers held in both the European Economic Area (EEA) and GDPR-compliant international data processors only. Where international data processors are used, all appropriate technical and legal safeguards will be put in place to ensure that you are afforded the same level of protection as within the EEA.

Data stored on Alvie systems is hosted with Amazon Web Services (“AWS”) (offered by Amazon Web Services, 60 Holborn Viaduct, London, EC1A 2FD). This data is processed on servers in the UK. Data is encrypted end to end.

For further information, please refer to Amazon’s privacy policy for AWS (https://aws.amazon.com/privacy/). The processing of your data in AWS is based on your consent, the performance of the contract, and/or legitimate interest (legal bases for processing under applicable data protection regulations).

The data we collect from you is stored within the European Economic Area (“EEA”).

7.0 HOW WE PROTECT YOUR INFORMATION

All information you provide to us is stored on our secure servers and is encrypted between your device and any external host storage to keep it safe (i.e. ‘encrypted in transit’ as well as ‘encrypted at rest’). We use the AES 256 encryption standard.

The Microsoft Teams platform is used for our video consultations. Microsoft Teams is compliant with a range of regulatory security standards, including ISO 27001, ISO 27018 and HIPAA Business. All data sent via stored and backed up in Azure cloud storage. Azure is delivered through data centres in 54 global regions, which allows Microsoft to store Teams data based on each organisation’s region. This means that all data is stored in compliance with the data security regulations of the region that each organisation is operating in. Network communications in Teams are encrypted by default. By requiring all servers to use certificates and by using OAUTH, Transport Layer Security (TLS), and Secure Real-Time Transport Protocol (SRTP), all Teams data is protected on the network. For further information around security please consult https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide and for further information around data collection please consult https://privacy.microsoft.com/en-GB/data-collection-teams

The website and App may contain links to external sites. We are not responsible for the privacy policies or the content of such sites. When you leave our website or our App, we encourage you to read the privacy policy of every other website you visit.

8.0 LEGAL BASES FOR PROCESSING YOUR DATA

Any information about your health is classed as sensitive personal data and we ensure that additional safeguarding measures are in place to protect this information. Our legal bases relied upon in processing of your personal data are:

  • Consent;

  • Provision of preventative or occupational medicine, health or social care or treatment, or the management of health or social care systems;

  • Performance of a contract;

  • Legitimate interest; and/or

  • Public interest.

Should you have any questions on which may apply to your particular personal data, please e-mail enquiries@alviehealth.com

9.0 HOW LONG WE RETAIN YOUR INFORMATION

Your personal data is retained only for as long as necessary, per contract and in accordance with data protection regulations. In many cases, the retention period is 8 years, to comply with applicable NHS data retention standards.

Should you have any questions on this, please e-mail enquiries@alviehealth.com

10.0 SUBJECT ACCESS REQUESTS, CHANGING AND DELETING YOUR PERSONAL DATA

You can make a Subject Access Request (SAR) to change or delete the personal data entrusted to us at any time if you request same with a copy of your identification (passport, driving license) by e-mail to enquiries@alviehealth.co.uk. We will oblige your request except for any data which might be required for us keep on file for a specified timeframe for compliance with applicable law(s), NHS standards/regulations, etc.

We strive to respond to your requests within 28 days and will let you know if we are unable to meet this timeframe. If your request or concern is not satisfactorily resolved by us, you may approach your local data protection authority (see https://ec.europa.eu/info/law/law-topic/data-protection_en).

The Information Commissioner (ICO) is the supervisory authority in the UK and can provide further information about your rights and our obligations in relation to your personal data, as well as deal with any complaints that you have about our processing of your personal data. You can contact the ICO by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

11.0 YOUR RIGHTS

Under data protection legislation, data subjects have the following rights with regards to their personal information:

  • the right to be informed about the collection and the use of their personal data

  • the right to access personal data and supplementary information

  • the right to have inaccurate personal data rectified, or completed if it is incomplete

  • the right to erasure (to be forgotten) in certain circumstances

  • the right to restrict processing in certain circumstances

  • the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services

  • the right to object to processing in certain circumstances

  • rights in relation to automated decision making and profiling

  • the right to withdraw consent at any time (where relevant)

  • the right to complain to the Information Commissioner

12.0 CHILD SAFETY

The website and the App is intended for use only by persons who are at least 18 years of age. By using our Services, you confirm to us that you meet this requirement. If you suspect that a child under 18 is accessing the App and providing personal data without their parent or guardian’s consent, please contact us at enquiries@alviehealth.com so that we can investigate and remove/delete the data where necessary.

13.0 MARKETING AND EMAIL COMMUNICATIONS

We use mailchimp to provide you with our monthly update email (Monthly Brief). This is a carefully curated update and is part of the Alvie Service delivering you content to help you with your health and wellness goals.

We may use information for marketing services to you in the following ways:

  • Marketing emails relating to our own services and events, only where you have not opted-out of receiving that marketing.

  • Newsletters and marketing emails where you have requested this information from us, or we have obtained your consent to send you marketing.

We will provide an option to unsubscribe or opt-out of further communication on any electronic marketing communication sent to you or you may opt out by contacting us at any time by emailing enquiries@alviehealth.com

Rest assured with an
accredited service