Patient Privacy Notice: Lawful basis for processing

Please find below the purpose of our processing, the type of data processed, and the lawful basis used to process the data (Articles 6 and 9 of the UK GDPR, or Schedules 9 and 10 of the Data Protection Act 2018).

Lawful basis for processing

Purpose: To register you as a new customer.

Type of data: Identity details (e.g. name, surname, gender, date of birth), contact details (e.g. email, telephone number).

Lawful basis: Performance of a contract.

Purpose: To provide the medical service as requested by you. To perform the diagnosis, issue a prescription when appropriate, and for the delivery of your treatment or goods. To follow-up on the treatments and advice given by our doctors.

Type of data: Identity details (e.g. name, surname, gender, date of birth), contact details (e.g. email, telephone number), medical details.

Lawful basis: Performance of a contract and medical diagnosis, provision of health care and treatment pursuant to the contract between the patient and us.

Purpose: To generate a certificate for our Covid-19 test for travel purposes.

Type of data: Identity details (e.g. name, surname, gender, date of birth), contact details (e.g. email, telephone number), medical details, passport details.

Lawful basis: Performance of a contract.

Purpose: To verify that you actually are who you say you are.

Type of data: Identity details (e.g. name, surname, gender, date of birth), contact details (e.g. email, telephone number), financial data (e.g. payment transaction details: date, amount, name, address, email).

Lawful basis: Legitimate interests (to prevent identity or medical fraud).

Purpose: To collect and recover money owed to Zava. To provide you with updates about your transaction (e.g. has the payment succeeded?)

Note: we do not store card data on our end. The payment process is delegated to a third party supplier certified to process payments.

Type of data: Financial data (e.g. payment transaction details: date, amount, name, address, email).

Lawful basis: Performance of a contract. Legitimate interests (to prevent fraud).

Purpose: To prevent fraud and maintain security on our website (e.g. suspicious connection to our website outside the countries we are operating in). To improve your browsing experience based on your technical device information.

Type of data: Technical details (e.g. technical device information such as type of device used, browser used, IP address, location, device unique identifier, network information, login information).

Lawful basis: Legitimate interests.

Purpose: To understand the behaviours of the visitors on our website.

Type of data: Usage details (e.g. browsing information such as clickstream, your searches on our website, load and download time, time spent on our pages, interaction with the page, IP address), identity details (e.g. anonymous ID, patient ID when logged in on the website).

Lawful basis: Legitimate interests.

Purpose: Marketing purpose - targeted. To send you relevant information, news, advice, recommendations and offers. This data can be processed to send information only to certain groups of our patients (e.g. only women within a certain age range).

Type of data: Identity details (e.g. name, gender, age), contact details (e.g. email, telephone number), purchase history.

Lawful basis: Legitimate interest. We only send these marketing emails to you if you consented to receive them (e.g. signed up for our newsletters). This consent is based on PECR rather than GDPR consent for processing. You can withdraw consent and/or unsubscribe at any time.

Purpose: Marketing purpose - medically targeted. Medical data will be used to serve you with more medically specific content, adapted to the condition you came to see us for.

Type of data: Health information (e.g. data provided in the medical questionnaire).

Lawful basis: Explicit consent. You can withdraw consent and/or unsubscribe at any time.

Purpose: Advertising. To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you.

Type of data: System assigned ID number, technical details (e.g. IP address), usage (e.g. page viewed).

Lawful basis: Necessary for our legitimate interests (to study how customers use our products/services, to develop them, to grow our business and to inform our marketing strategy).

Purpose: Research and statistics. To perform research to understand the use of our services on our website and apps, in order to enhance our services and medical research.

Type of data: Identity details (e.g. name, gender, age), information provided during the surveys, interviews and research sessions.

Lawful basis: Depending on the type of research, legitimate interest or consent.

