Privacy Notice
At ZAVA, we believe in giving our patients the best possible care. And a big part of that means taking care of their privacy. Our privacy notice tells you what personal data we collect and why. It also explains your rights and the types of data we might share about you. So, first things first, here’s a little bit about us.
Who are we?
zavamed.com/ie is a website and service operated by HEALTH BRIDGE MEDICAL LIMITED (“ZAVA”).
We are registered in the Republic of Ireland under company number 648769 and our head office and trading address is: Health Bridge Medical Limited, 2 Dublin Landings, North Wall Quay, North Dock, Dublin, D01 V4A3.
Our Data Protection Officer can be contacted by emailing DPO@zavamed.com
Our Role:
We are what is known as a data controller: In terms of the Data Protection Act 2018, that means we are trusted to look after and deal with your personal information in accordance with this policy. We determine the ways and means of processing and must therefore be accountable for it.
Your Rights
As a data subject you have rights in respect of our processing of your personal data.
You have the right to ask us for copies of your personal information.
You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
You have the right to ask us to erase your personal information in certain circumstances unless it’s a legal requirement, or we have a valid business reason, not to delete it. As a healthcare provider, we will not always be able to delete your data for the following reasons:
- continuity of healthcare provision: like your GP, we need to know what treatments we have prescribed to you and, for example, to be able to provide relevant information to other healthcare professionals providing care to you if we need to (e.g. whether we know of any allergies or any bad reaction to a certain ingredient). Hence we will not be able to delete your medical record, or any communications between you and our team related to your request for a medical service, before the end of our retention period.
- establishment, exercise or defence of legal claims.
You can ask us to suspend your electronic patient account by clicking on the suspend button in your account. Your account will stop working immediately: you will no longer be able to access it and you will cease to receive any further notifications in relation to it, but the data will not be erased.
You have the right to ask us to restrict the processing of your information in certain circumstances, for example, because you believe that your data is incorrect, or the processing of your data is unlawful.
You have the right to object to our processing of your information if the legal basis is legitimate interest.
This only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under a contract, or in talks about entering into one, and the processing is automated.
If you want to exercise any of these rights, please contact us on DPO@zavamed.com and state the nature of your request in the subject of your email (e.g. Access Request, Deletion request etc).
- You also have the right to lodge a complaint about our processing with a supervisory authority — in Ireland, this is the Data Protection Commission (DPC).
Technical and Operational Security
Our promise
- Our security measures protect you against unauthorised access, changes, disclosure or destruction of your data.
- We regularly review our security measures, including how we collect, process and store data. Part of this means encrypting data and putting in place physical security measures to protect our storage systems. We are Cyber Essentials Plus certified.
- Your payment transaction and your personal data are encrypted using SSL technology.
- Every member of our staff signs and agrees to a confidentiality agreement when they start working for us and is trained in relevant data protection regulations.
- Access to your data is only given to employees on a need-to-know basis.
- All our suppliers have to abide by privacy undertakings, in accordance with the applicable data protection laws and regulations.
Tell me more
To see more about how we use your personal data, read the notice or notices which apply best to your relationship with us:
Patient Privacy Notice
As a patient of ZAVA, we hold the following information about you:
Identity details
When you set up an account with us, you will provide your name, date of birth, gender and you might also have to provide an ID in order for us to check your identity.
We also generate a patient ID in order to identify you in a pseudonymised manner wherever possible.
Your identity details are also used for marketing purposes where you have not objected to the use of this data for this purpose.
Contact details
When you set up the account, the identifier and username for our services is your email address.
The email address is used to send you alerts to let you know that you have a service related email in your patient account.
Your contact details are also used for marketing purposes and to send marketing emails to you if you have not opted out, including prescription reminders, basket abandonment and reviews. You can object to the use of your data for direct marketing at all times by contacting us.
We process your delivery address in order to deliver your prescription and this is also data that is required on the prescription and as a billing address for payment purposes.
If you provided a phone number, it is used to send information to you in relation to the service you requested. If we decide to use your phone number for marketing purposes, we will ask for your consent.
Medical information
We hold information about your health and medical history that you provide us with when you complete our medical assessments online. This includes photos and information you provided when communicating with our doctors or customer service, the treatments that our doctors prescribed to you, the messages exchanged and the results of the tests.
This data is required to enable our doctors to do the diagnosis and issue a prescription or advice to you.
We might also obtain information from your GP when we or you inform your GP about the treatments we provided to you. (We will inform your GP only if you provide your consent or if we need to for your vital interest).
Financial information
When you make a payment to us, we will process your payment data. However, ZAVA does not act as a payment provider, so we do not store your card details, we just pass them directly to the provider. We do however have access to the transaction details: type of card, bank details, last 4 digits of your card, billing address and transaction IDs. Those details are not directly saved by us, but we are able to access them in order to assist you or if there is a payment dispute. In the case of a dispute, we would store the details of the transaction until the dispute is settled.
Technical Information
When you are browsing our website or using our services, we will automatically collect technical information such as the type of device you’re using, browser, IP address, screen size etc.
This allows us to understand any issues with our website, show you relevant information (e.g. pharmacies near you) and prevent fraud.
Browsing activity/usage details
If cookies are loaded, we will process information about the pages you have visited, your searches on our website, load and download times, time spent on our pages, interaction with the page (click, scrolling, mouse-overs) and what led you to our website (link in an article, google search etc).
We perform analytics based on this data. Performing analytics is vital for us to understand how you interact with our website and various services in order to improve them and to give you a good user experience.
Marketing information
We store your consent status and the type of marketing you have subscribed/unsubscribed to.
Research data
We will store the different surveys you have participated in and your survey responses.
Within ZAVA:
Your medical information and identity details are shared amongst our doctors to provide quality and continuity of care. Our customer service might also need to access your record in order to assist you in your query and verify your identity before releasing any information to you.
Our IT department might need to access your account if there is a technical issue to solve or in order to enhance the tools we’re using.
Finally, the compliance/legal team might also access your information in order to send you data when you make a data subject request.
All our staff are bound to strict confidentiality undertakings and have had initial and ongoing data protection training.
ZAVA implements an access right policy and this allows access to the data only on a need-to-know basis.
With third parties and processors:
Like most companies, we use a number of suppliers as part of our data processing, for example cloud services, technology services, carriers. For marketing purposes, research and analytics, we are also using suppliers such as email platform providers, analytics software, survey tools or social media platforms.
We have Data Processing Agreements in place with these providers to secure the use of your data by these suppliers.
Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example with Standard Contractual Clauses with additional due diligence.
If data is transferred from the UK to the EEA or from the EEA to the UK, this is done on the basis that the countries receiving the data have a data protection regime comparable to that of the country sharing the data (adequacy).
In order to provide the medical service to you and for security purposes, we need to share your personal data with third parties including payment providers.
As regulated healthcare providers, we might need to disclose some of your information, including personal data and medical data, to parties including but not limited to:
- Other regulators such as the Irish Medical Council if you make a complaint or in case of an investigation.
- Your GP with your consent or based on your vital interests
- Other healthcare partners such as laboratories.
Finally, we may need to share your information for legal reasons:
- As our business evolves, the structure of our business may change by changing its legal form, establishing, buying or selling subsidiaries, divisions or components. In such transactions, customer information may be transferred along with the part of the company being transferred. In any transfer of personal information to third parties to the extent described above, we will ensure that it is done in accordance with this Privacy Notice and applicable data protection law. Any transfer of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as necessary and that your rights and interests in the protection of your personal data.
- If we are asked to share your personal data as a result of a court order, legal processing or any other legal obligation.
- To protect the rights, property, or safety of ZAVA, our patients, suppliers and partners, or others. This includes exchanging information for fraud protection, reducing credit risk and verifying your identity by an ID&V provider.
Rest assured, we only share information that is absolutely necessary and we go to great lengths to make sure everyone we work with takes your privacy as seriously as we do.
Medical records
We keep your health records for a minimum of 8 years (or longer to comply with best medical practice) after your last treatment. Note that the records include your identity data, medical data and contact details, and the messages exchanged with our doctors and customer service.
Account details
If you registered with us and have not ordered any service, we will retain this data until you notify us that you want to stop using our service and ask for your data to be deleted unless we have a legal or regulatory reason to keep them.
If you’ve ordered from us or had any exchanges with our doctors about your health or if you are making any claim, we will keep these data as per the paragraph above (Medical Records) and in order to defend our rights and interests in case of a dispute or a claim.
Note that the account cannot be deleted, only suspended, which means that access is revoked. If we have no reason to keep the data as explained above, we will anonymise the account.
Research
If you have provided your data for research purposes, we retain the data for 4 years. After 4 years, the data is anonymised and so no longer falls under the GDPR.
Analytics
Data about the usage of our services and technical data used for analytics are retained in a pseudonymous manner for as long as you have a non-suspended account with us or until you action a right to erasure.
Marketing
Data used for marketing purposes is retained for as long as you have a non-suspended account with us until you ask for the deletion of your non-medical data. If you ask to unsubscribe from marketing, then the data is moved to a suppression list to ensure that there is no danger of you being added to any marketing lists in the future.
This notice describes how we may use your information to protect you and others during the Covid-19 outbreak. It supplements our main Privacy Notice.
In the context of the pandemic, the Secretary of State has required health organisations amongst other entities to share confidential patient information to respond to the Covid-19 outbreak based on reasons of public interest in the area of public health, and research in the public interest.
Any information used or shared during the Covid-19 outbreak will be limited to the period of the outbreak unless there is another legal basis to use the data.
Where data is used and shared under these laws your right to have personal data erased will also not apply.
We may share your confidential patient information including, but not limited to, your name, ethnicity, NHS number, test results with health and care organisations and public bodies engaged in disease surveillance for the purposes of protecting public health including the UK government.
We may also use the details we have to send public health messages to you, either by phone, text or email and/or to follow up on a Covid-19 test you’ve done.
Your personal/confidential patient information will be safeguarded in the same way it would with any other consultation. We will not collect more information than we require, and we will ensure that any information collected is treated with the appropriate safeguards.
Website Browsing Privacy Notice
As a user of our website and depending on the cookie preferences you gave, we collect your individual usage data which includes information about how you use our website, products and services. This is used to create aggregated data.
If cookies are loaded, we will process information about the pages you have visited, your searches on our website, load and download times, time spent on our pages, interaction with the page (click, scrolling, mouse-overs) and what led you to our website (link in an article, google search etc).
We perform analytics based on this data. Performing analytics is vital for us to understand how you interact with our website and various services in order to improve them and to give you a good user experience.
We do not use your browsing data to predict or make any assumptions about you.
Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with the patient privacy notice.
Our lawful basis for processing your data is legitimate interest for security purposes and for business purposes.
Like most companies, we use a number of suppliers as part of our data processing, for example cloud services, technology services and analytics tools. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. If data is transferred from the UK to the EEA or from the EEA to the UK, this is done on the basis that the countries receiving the data have a data protection regime comparable to that of the country sharing the data (adequacy).
Finally, we may need to share your information for legal reasons:
- As our business evolves, the structure of our business may change by changing its legal form, establishing, buying or selling subsidiaries, divisions or components. In such transactions, customer information may be transferred along with the part of the company being transferred. In any transfer of personal information to third parties to the extent described above, we will ensure that it is done in accordance with this Privacy Notice and applicable data protection law. Any transfer of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as necessary and that your rights and interests in the protection of your personal data.
- If we are asked to share your personal data as a result of a court order, legal processing or any other legal obligation.
- To protect the rights, property, or safety of ZAVA, our patients, suppliers and partners, or others. This includes exchanging information for fraud protection, reducing credit risk and verifying your identity by an ID&V provider.
Rest assured, we only share information that is absolutely necessary and we go to great lengths to make sure everyone we work with takes your privacy as seriously as we do.
If any usage and technical data are linked to you directly once you register with us, we will keep them until you ask for the deletion of your data or until you inform us that you want to stop using our services.
Research Participant Privacy Notice
As a research participant of ZAVA, we hold the information you provide when answering a survey, or participating in an interview, face to face or remotely.
We hold personal data and aggregated data such as statistical or demographic data.
Once data is aggregated it is not considered personal data, as you cannot be identified from it, directly or indirectly. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with the patient privacy notice.
We use these data in order to continually get feedback on our services and understand our customers’ expectations and experiences.
When you browse our website we also collect additional information. Please see our Web Browsing Privacy Notice above for more details.
Our lawful basis for processing your data is based on legitimate interest or consent depending on the type of research being carried out.
If you provided consent, you may withdraw this consent at any time by emailing customer services or your research team contact.
Like most companies, we use a number of suppliers as part of our data processing, for example cloud services and technology services. In order to perform the interviews, we might reach out to external agencies and use tools to record sessions, your image and/or voice.
We have Data Processing Agreements in place with these providers to secure the use of your data by these suppliers.
Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place.
If data is transferred from the UK to the EEA or from the EEA to the UK, this is done on the basis that the countries receiving the data have a data protection regime comparable to that of the country sharing the data (adequacy).
Finally, we may need to share your information for legal reasons:
- As our business evolves, the structure of our business may change by changing its legal form, establishing, buying or selling subsidiaries, divisions or components. In such transactions, customer information may be transferred along with the part of the company being transferred. In any transfer of personal information to third parties to the extent described above, we will ensure that it is done in accordance with this Privacy Notice and applicable data protection law. Any transfer of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as necessary and that your rights and interests in the protection of your personal data.
- If we are asked to share your personal data as a result of a court order, legal processing or any other legal obligation.
Rest assured, we only share information that is absolutely necessary and we go to great lengths to make sure everyone we work with takes your privacy as seriously as we do.
If research data is linked to you as an individual, then we will keep the data for 4 years.
Supplier Privacy Notice
As a supplier of ZAVA, we hold information about you that you provided as part of our negotiations, our due diligence results and also the information provided in order to put contracts in place between our companies.
We also hold your data in order to pay you for the services provided.
When you use our website we also collect additional information. Please see our Web Browsing Privacy Notice above for more details.
Our lawful basis for processing your data is either based on performance of the contract, to defend our rights in case of claims, or to comply with any due diligence or legal obligation.
We might have to share your data with third parties due to a legal obligation (e.g. financial authorities).
Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. If data is transferred from the UK to the EEA or from the EEA to the UK, this is done on the basis that the countries receiving the data have a data protection regime comparable to that of the country sharing the data (adequacy).
We may need to share your information for legal reasons:
- As our business evolves, the structure of our business may change by changing its legal form, establishing, buying or selling subsidiaries, divisions or components. In such transactions, customer information may be transferred along with the part of the company being transferred. In any transfer of personal information to third parties to the extent described above, we will ensure that it is done in accordance with this Privacy Notice and applicable data protection law. Any transfer of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as necessary and that your rights and interests in the protection of your personal data.
- If we are asked to share your personal data as a result of a court order, legal processing or any other legal obligation.
- To protect the rights, property, or safety of ZAVA.
Rest assured, we only share information that is absolutely necessary and we go to great lengths to make sure everyone we work with takes your privacy as seriously as we do.
We will keep your data for the duration of our contract and for a period of 7 years after the end of our relationship, or longer if subject to a legal/regulatory obligation.
Investor Privacy Notice
As an investor or potential investor, we hold information about the representatives of your company such as name, email and telephone number, title, and business information shared with us.
This will be used within the scope of the discussions between our companies, and the management of our business relationship (if applicable).
When you use our website we also collect additional information. Please see our Web Browsing Privacy Notice above for more details.
Our lawful basis for processing your data is either based on performance of the contract and/or to defend our rights in case of claims and/or legal obligation.
We might have to share your data with third parties due to a legal obligation (e.g. financial authorities), and with our representatives such as lawyers, auditors and legal, tax or financial advisers.
Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses.
If data is transferred from the UK to the EEA or from the EEA to the UK, this is done on the basis that the countries receiving the data have a data protection regime comparable to that of the country sharing the data (adequacy).
We may need to share your information for legal reasons:
- As our business evolves, the structure of our business may change by changing its legal form, establishing, buying or selling subsidiaries, divisions or components. In such transactions, customer information may be transferred along with the part of the company being transferred. In any transfer of personal information to third parties to the extent described above, we will ensure that it is done in accordance with this Privacy Notice and applicable data protection law. Any transfer of personal data is justified by the fact that we have a legitimate interest in adapting our corporate form to the economic and legal circumstances as necessary and that your rights and interests in the protection of your personal data.
- If we are asked to share your personal data as a result of a court order, legal processing or any other legal obligation.
- To protect the rights, property, or safety of ZAVA.
Rest assured, we only share information that is absolutely necessary and we go to great lengths to make sure everyone we work with takes your privacy as seriously as we do.
We will keep your data whilst you are a potential or existing investor, then for a period of 7 years after the end of our relationship, or longer if subject to a legal/regulatory obligation.
Job Applicant Privacy Notice
As an applicant to any of our job positions, we collect your contact details, data provided in your application, your right to work status, experience, qualifications, then any results of interviews and assessments.
When you use our website we also collect additional information. Please see our Web Browsing Privacy Notice above for more details.
We process this data to assess your suitability for the role you have applied for and to carry out any pre-screening that may be required.
Our lawful basis for processing your data is: contract (you are looking to potentially enter into an employment contract with us); compliance with legal obligation (pre-screening); legitimate interest (assessing your suitability); and, if necessary, to defend any legal claims.
To the extent special categories of personal data are involved (health data, racial or ethnic origin), processing will be done for the purposes of carrying out the obligations and exercising specific rights in the field of employment.
We might have to share your data with third parties for background checks, competent public authorities where it is necessary to comply with a legal obligation and to protect the rights, property, or safety of ZAVA.
Rest assured we only share information that is absolutely necessary.
If you are not successful, we will keep your data for 6 months after the end of our relationship in case other roles become available.
If you are successful in your application, the personal data gathered through the recruitment process will be retained in line with the Employee Privacy Policy available at ZAVA.
ZAVA Employee Privacy Notice
Please refer to the Employee Privacy Notice available on our shared resources or speak directly to the People Team.