Table of contents

• What this policy covers
• What data we hold and how we get it
• What we use your data for
• How we store and move your data
• How and why we share your data
• How long we keep your data
• Your rights
• Changes to this policy

1. What this policy covers

This policy explains how we use your data to deliver our healthcare app, websites and services. This includes:

• Our private service, including the enrollment and use of one of our programmes;
• Our NHS service, GP at Hand;
• Our app, including any beta versions;
• Our websites (www.babylonhealth.com and www.gpathand.nhs.uk);
• Some of our services we offer with our partners, or on behalf of them, and
• The technology we use to support our partners' services

We provide these services through 2 companies in our group:

1. Babylon Healthcare Services Limited (BHSL): the company that provides our medical services
2. eMed Healthcare UK Limited (eMed UK): the company that supplies the technology and software for these services

When we talk about eMed, us or we in this policy, we mean these 2 companies.

BHSL is the controller of any health and medical data we may collect from you when you use our services, and may share this data with eMed UK as a processor on behalf of BHSL (for more information on this, see how and why we share your data below).

This means that we're responsible for how your personal data is handled and what it's used for through these 2 companies. If you wish to exercise any of your rights, both companies act as one.

Our NHS service is called GP at Hand. GP at Hand offers a digital-first primary care service to its registered patients.

These services are provided by BHSL under a subcontract arrangement with the NHS.

Read more about GP at Hand.

‍See more about our registered companies.

2. What data we hold and how we get it

Personal data is any information we have that can identify you, such as your name, medical history or credit card details.

Personal Details

When you register with us, we'll ask you for your:

• Name
• Date of birth
• Address
• Contact details
• Any information needed in order to enrol and determine your eligibility on one of our programmes
• A copy of your ID (identity documentation), such as a driving licence

The information you give us must be accurate. If you give us information about yourself or another person, you're confirming that you're authorised to do so.

Health and medical data

When you use our services, we collect information about your health, including:

• General health (including information necessary to determine eligibility on one our programmes)
• Symptoms, treatments, participation in our programmes and medications
• Consultations, such as notes and recordings
• Procedures, such as surgery, scans or X-rays
• Interactions with our services, like using our Symptom Checker or other digital services. These interactions may be shared with our clinical staff so that we can provide you with healthcare, and so that we can provide a better experience

Some of this information comes directly from you, but it can also come from third parties, such as your GP.

If you use GP at Hand, we'll get your medical history from your previous GP.

If you use our private service, we'll send your appointment notes to your NHS GP, if you give us your consent.

We share children's appointment notes with their NHS GP, in line with current medical guidelines.

Details of your conversations with us

We also keep a record of your consultations and your conversations with us. This is so we have an easy way to access your consultations to monitor the quality of our service and healthcare.

And, if you have consented, so that we can use them to improve our services. This includes:

• Your conversations with our Symptom Checker
• Your emails, calls or live chat conversations with our support team
• video and/or audio recordings from consultations, including your participation on our programmes

We keep your health and medical data secure by applying technical and organisational measures to protect it.

Find out how long we keep your data.

Data from other sources

We might also receive some data about you and your health from other apps, devices and services.

This will only happen if you've agreed to sharing that data with us. For example, if you decided to share information collected from a smartwatch with our app.

Credit and debit card information

If you make a payment on the app, your credit and debit card details are processed by a third-party payment provider.
‍
We don't store any of your credit or debit card information and we only keep details of the transactions on our secure servers.

Technical information and analytics

When you use our app, or visit our website, we may collect the following data, where this is allowed by your device or browser settings:

• The IP address used to connect your mobile phone or other device to the internet
• Your browser information, such as Google Chrome or Apple Safari
• Login and operating system
• The make and model of your device
• Resettable device identifiers
• Time zone, language and location settings
• Your mobile network provider and your location (based on your IP address)
• Information about your visit to our website or use of our app, for example when you first visited the site or how many times you've visited
• Information about the products or services you viewed or used
• App response times and updates
• Information about your interactions, like what notifications you opened
• Any phone number used to call our customer service number

We work with other companies that provide us with analytics and advertising services. This is to:

• Help us understand how people interact with our services
• Provide the adverts for our services on the internet
• Measure the performance of our services and our adverts

Cookies

We also use 'cookies'. Cookies are files saved on your phone, tablet or computer when you visit a website. They collect information about how you use the website and the pages you visit.

You can find out more about how we use cookies in our cookie policy.

Information from third-party services

It's possible to connect your social media accounts, or your wearable device (like a smartwatch) with our services. For example, you can sign up for eMed using your Facebook login details. If you choose to do this, we'll receive the following information about you from the third party:

• Name
• Email address
• Username or ID
• Health and lifestyle habits and information

If you use login details from third parties, they will also process your login data, and they are solely responsible for handling this.

We may also get information from other sources, such as companies who offer information on consumer trends.

We use this information to help us make our services better. We comply with data protection laws when we do this. If this information is used alongside your personal data, we will make sure that our interests never come before your rights.

3. What we use your data for

This is how we use your data and the legal reasons for using it.

Providing you with a service

We need your personal information to enter into a contract with you and deliver services.

We use your financial details to charge you if you use our paid service or buy our products.

We use your health and medical information to provide you with a healthcare service. This includes:

• Providing you with a health advice
• Diagnosis and treatments if you use our clinical services (our video and audio consultations, where you can talk with one of our medical professionals)
• Providing you with a service as part of one of our programmes

This information is based on:

• Providing you or planning for healthcare services in our 'legitimate interest'
• Performing tasks in the public's interest (for example, our NHS services)
• When it is in your vital interests
• Your consent (for example, when you use our private service and agree to sharing information with your NHS GP)
• To fulfil a contract with us (as a healthcare professional) as part of one of our programmes

The health and medical information we use includes information from your:

• Consultations, like notes, recordings, and transcripts
• Use of products like Symptom Checker and Healthcheck
• Your previous NHS GP, if you use Babylon GP at Hand

We might share this information with other health services. This is so we can give you the right care, including when it's in your vital interests. These services include:

• Your GP, if you use our private service
• Our NHS or clinical service partners
• Referral services like therapists, pharmacists and hospitals

We use your location to recommend services near you, like pharmacies and hospitals.

Depending on how you access our services, we get your location from your phone, internet browser, IP address or postal address.

Providing you with a service

If you've given explicit consent, we use your health and medical information to improve our services. This helps us deliver better healthcare to you and other eMed users.

We remove details that could identify you from this information, such as your name, address and contact details. These are called 'personal identifiers'.

The health and medical information we collect (with your personal identifiers removed) includes information from your:

• Medical records
• Consultations, like notes, recordings and transcripts
• Use of products like Symptom Checker and Healthcheck

This doesn't involve making any decisions which would have a big effect on you. We only use this information to deliver a better experience to you and other eMed users. This explicit consent relates to when we use your personal data.

Providing you with a service

As part of our work with the NHS we occasionally partner with universities, academic institutions and research organisations, to further medical science and ultimately improve healthcare for all.

As part of these partnerships, we may use your contact details to invite you to take part in clinical trials. You are not under any obligation to partake and can opt out of receiving information by contacting our support team via our contact us page.

More information can be found on the NHS GP at hand FAQ website.

Using your data when it's in our 'legitimate interest'

We sometimes analyse your data and how you use our products to help us manage our business better.

This could be things like fixing bugs in our app, understanding current user trends, or working out what users might want in the future.

This doesn't involve making any decisions which would have a big effect on you. If this information is used alongside your personal data, we will make sure that our interests never come before your rights.

Keeping you up to date

We may contact you when marketing our service. This includes sending you product updates, surveys and marketing information. You can opt in or out at any time by going to 'Me', 'Settings' and 'Privacy Controls' in the app. You can also choose if you want to get app notifications in your device settings.

As part of providing you with a healthcare service or public service, we may send you health information by text message, email or in other ways. For example, we may send you public health messages or invite you to book an appointment for a free screening programme, such as cervical cancer screenings.

Keeping you up to date

We use your health and medical information for safety, training, regulatory, and compliance purposes.This means that:

• If we're legally required to, or asked by a regulator, we may need to share your information with regulatory bodies like the General Medical Council, Medicines and Healthcare Products Regulatory Agency or Care Quality Commission
• We may audit how you use our services, for example to review the quality of results provided by our products

To detect and prevent fraud, we may need to share your personal and financial information with banks, financial institutions and fraud prevention services.

4. How we store and move your data

Keeping you up to date

Your personal health and medical information is stored on secure servers. This includes information like:

• Your primary care information
• Information about your medications
• Any information about a diagnosis of illness or other problems

We don't store any of this information on your mobile device.

If you've chosen a password or authentication method to access the app, you're responsible for keeping this password and/or authentication method confidential. Please don't share it with anyone.

We encrypt data transmitted to and from the app. Once we have your information, we use strict procedures and security features to try to prevent unauthorised access. We will take all steps reasonably necessary to make sure that your data is treated securely.

Credit and debit card information

We don't store any of your credit or debit card information. Payments are processed through a third-party payment provider that follows strict industry data security standards. These are known as Level 1 Payment Card Industry (PCI) data security standards.

Any payments you make are encrypted using SSL technology (which converts the information into code to stop fraud).

Where we store and process your health data

Your health data will be stored and processed in the UK only. We may sometimes need to work with companies outside of the UK or European Economic Area (EEA), including eMed affiliate companies, to help us deliver services to you.

This will always be in line with applicable data protection laws and will include using appropriate safeguards such as the execution of appropriate data transfer agreements incorporating European Commission approved Standard Contractual Clauses along with other safeguards where appropriate or confirming other controls to comply with UK data protection requirements.

5. How and why we share your data

To help us deliver our services we may share your personal data with other parts of eMed, such as GP at Hand, eMed affiliate companies or partner organisations (including our NHS partners) who we work jointly or in connection with to provide you a service.

Service providers

Some companies provide services to you on our behalf, such as the live chat. We may share your personal data with them so that they can process it to provide these services.

These companies can only use your data based on our instructions and they cannot use the data for their own purposes.

They also have to act in line with data protection laws and contractual terms that specify how they can process data on our behalf.

Partners

If you use our services through your health insurer or one of our partners, which may be your employer, we may share some of your information with them. This could include your:

• Name
• Date of birth
• Email address
• Policy number
• Location

We may also share with them the fact that you have registered with us and used our services. But we will not share any details about your consultations or medical records, unless you consent to this.

Other healthcare providers

If it's needed for your treatment or care, we will share your data with your other health and social care providers. These include:

• Our clinical partners (including our NHS partners) who we work jointly or in connection with to provide you a service
• Your NHS GP
• Specialist referral services
• Therapists
• Pharmacists
• Hospitals
• Accident and emergency services
• Testing service providers
• Diagnosis centres chosen by you for things like X-rays and other imaging
• Other health and care bodies and providers

By law, we may need to share information with these services to safeguard either you or others, or conduct a public task (in the case of our NHS services). We may need your consent, or to rely on our legitimate interests to provide you with healthcare before we can share this information.

Protecting public health

We might process your health data to protect public health. Your data could be vital to help research, monitor, track and manage public health emergencies, like pandemics.

In a public health emergency, your information may be shared in a way that is appropriate and lawful with organisations such as:

• NHS Digital
• NHS England and Improvement
• Public Health England
• Local authorities
• Health organisations
• GPs

We will limit the use or sharing of data to the period of the emergency and will only share data to the extent necessary.

Aggregated or anonymous data

We may show on our website or share with our commercial partners data that does not personally identify you, but which shows general trends. This is 'aggregated' data and is not personal data.

This might include, for example, the number of users of our service or trends in a particular location.

Statistical data in the public's interest

We may also use data that does not identify you personally as part of statistics that we collect on certain types of illness, symptoms and conditions. This might include us contributing medical data and participating in the Royal College of General Practitioners Research and Surveillance Scheme.

‍We may show these summarised statistics to our partners. They will always be anonymised. This is so we can improve our medical knowledge and help our members and the general public.

If you use our GP at hand service

We may need to share your personal data to help the NHS manage their medicines. This is because clinical commissioning groups (CCGs) use pharmacists and prescribing advice services to support local GP practices. And they may need information that identifies you to be shared.

These pharmacists work with GP at Hand to provide advice on medicines, and to make sure that medicines are right for your needs, safe, and cost-effective.

Where we need to ask for specialist prescribing support as part of your care, the CCG medicines management team may help us to get medications on behalf of GP at Hand.

We collect your information to make sure you get the best possible care and treatment. The information we collect when you use our GP at Hand services can also be used for things beyond your individual care and if the law allows it. This could include improving quality and standards of care, research into the development of new treatments, and planning services. Most of the time, any data used for research and planning is anonymised, so that you cannot be identified. If this is the case, it means that we don't use your confidential patient information.

You have a choice about whether you want your confidential patient information to be used in this way. To find out more, or to register your choice to opt out, please visit this information page from the NHS. If you choose to opt out, your patient information will still be used to support your individual care.

Integrated care

If you are a GP at Hand patient, we will share your records with North West London Whole Systems Integrated Care or other systems for other locations in which GP at Hand operates.

This gives other members of the scheme like NHS Trusts and the ambulance services access to your data. We do this to provide 'integrated care' for you. This is healthcare that's delivered to you by different organisations that work separately.

It also helps with research and statistical studies, based on medical and public interest research.

Integrated care

Your summary care records are an electronic record of important patient information, created from GP medical records.

Your summary care records data can be seen by authorised staff in other areas of the health and care system involved in your direct care. If you're based in Birmingham, Sandwell and Solihull, this will involve the use of Your Care Connected (YCC).

More information on YCC.

You can choose not to share this data at any time. To do this, complete and send an SCR opt-out form.

We may keep or share information about you, if we need to:

• Comply with a law, regulation, legal process, or government request
• State our legal rights or defend against legal claims
• Stop, find, or look into illegal activity, fraud, abuse, breaking our terms, or threats to the security of our services or the physical safety of anyone

6. How long we keep your data

We follow advice from the Department of Health and the British Medical Association on how long to keep information found in your medical records. This is called a 'retention period'.

We might also keep some information that doesn't identify you to help improve our business and our services.

In some circumstances, we might keep data longer if the law says we have to.

7. Your rights

You're in control of your personal information. Under data protection law, you have the right to:

• Remove or change your consent at any time, if we are using your data in a certain way based on it. You can do this by:
  - Going to the app, selecting 'Me' and then 'Privacy preferences'; or
  - Going to the Babylon Health website, selecting 'Account' and then 'Privacy'
• Ask for a copy of the personal data we hold about you. Your data is stored in line with our legal and medical obligations. See: how long we keep your data)
• Ask us to correct information that's wrong, delete it, or ask that we only use it for certain purposes. There might be times when we're not able to help, like if the law or our medical obligations say we can't.
• Ask us to restrict any automated (computer-made) decisions made with your data
• Ask for your data to be provided in a portable format that allows you to move, copy or transfer it. Or ask us to send it in this format to someone else.

To exercise your rights, please complete our online webform here.

If you have any general queries about how we process your information, please contact us at DPO@babylonhealth.com

Or write to us at eMed Healthcare UK, 184, 192 Drummond St, London, NW1 3HP

We'll ask you for a proof of identity. Data protection laws give us one month to get back to you.

We're regulated by the Information Commissioner's Office (ICO). If you're not happy with any aspect of our data handling, you can complain to the ICO directly. You can contact them at:

Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Phone: 0303 123 1113