Privacy Policy
We are committed to the highest standards of data privacy, and keeping your personal data safe, used properly and stored securely.
This privacy notice tells you what to expect when we collect personal information from you. It also explains how we will store, handle and keep your personal information safe.
We respect your privacy and are transparent about how your data is collected, stored, processed, and shared. Please read the following carefully to understand our practices regarding your personal information and how we will treat it.
Information about who we are:
MyBMI is owned and operated by the UK registered company My Health Online Limited, Company No. 12555647.
(https://data.companieshouse.gov.uk/doc/company/12555647)
This privacy statement applies to My Health Online Limited trading as MyBMI.
My Health Online Limited is the controller for the personal information we process unless otherwise stated and is responsible for your personal data; it is referred to throughout as “we”, “us” or “our”.
We are registered with the ICO under reg. no ZB025368
(https://ico.org.uk/ESDWebPages/Entry/ZB025368)
You can contact us at:
Postal address:
1 Penketh Place,
Skelmersdale,
Lancashire,
WN8 9Q
Email:
We have appointed a Data Protection Officer (DPO). Our DPO is James O’Loan.
Collection of your personal information
We use different methods to collect information from and about you.
We collect personal data when you visit or register on our websites, contact us or request information from us; at these points you may be asked to provide information about yourself.
We also collect information when you purchase our products online, engage with us on social media, or sign up to an account.
When you provide personal information to us, we will treat that information in accordance with this Privacy Policy.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.
Information we collect about you
Personal information or personal data, means any information about an individual from which that person can be identified and is generally referred to throughout this Privacy Policy as “personal information”. It does not include data where the identity has been removed (anonymous data).
The personal data we may collect, use, store and transfer about you is as follows:
- Identity data, which includes your name, age/date of birth and gender;
- Contact data which includes postal address including billing and delivery addresses, your location, telephone numbers (including mobile numbers) and e-mail address;
- Special category data, which includes information about your physical or mental health, health conditions, and other clinical metrics including environmental, socioeconomic, and behavioural information pertinent to health and wellness;
- Transaction data which includes purchases and/or orders made by you and your payment card details;
- Technical data which includes your on-line browsing activities on our website;
- Profile Data which includes your account login details for website and/or our on-line account, including your username and password(s), your interests, preferences, feedback and survey responses;
- Marketing and communications data which includes your marketing preferences from us and our third parties, your communication preferences and your correspondence to and communications with us; and
- Other publicly available personal data, including any which you have shared via a public platform (such as a Twitter feed or public Facebook page).
This list is not exhaustive, and, in specific instances, we may need to collect additional data for the purposes set out in this Policy. Some of the above personal data is collected directly, for example when you set up an on-line account on our website or send an email to us or contact us via social media.
The confidentiality of your medical information is important to us. All your personal information will be processed in line with this policy, and in compliance with all applicable medical confidentiality guidelines.
On-line account information
Some personal information is required to set up your on-line account including name, contact details, email address, date of birth. By logging-in to your on-line account you can access and update your personal information.
Information we receive from other sources
This is information we receive about you. In order to provide you with prescriptions for medicines and health care services we may have to collect personal data about you from other organisations. This may include medical records which include personal data about your tests and diagnosis, clinic and hospital visits and medicines administered from:
- your GP or doctor
- your healthcare professional (including their medical secretaries)
- the NHS or any private healthcare organisation
- mental health providers
The lawful basis for processing data
We will only use your personal data when the law allows us to do so. The law on data protection sets out a number of different reasons for which a company may collect and process your personal data.
We will also use your personal data in the following circumstances:
- Where we need to perform a contract we are about to enter into or have entered into with you.
- Where you have consented before the processing.
- Where the processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
- Where we need to comply with a legal or regulatory obligation.
The lawful basis for processing special category data is as follows:
- Where we need to perform a contract we are about to enter into or have entered into with you.
- Where the processing is necessary for the purposes of preventive or occupational medicine, including medical diagnosis, the provision of health or social care or treatment.
- Where the processing is necessary in order to protect the vital interests of the data subject or of another natural person.
- Where you have consented before the processing.
When collecting your personal information, we will always make it clear to you which data is necessary in connection with the particular activity.
In certain circumstances, we need your personal information to comply with our contractual obligations or to pursue our legitimate interests in a way which might be reasonably expected as part of running our business. For example, we process your personal information, which includes your name, contact details, prescription medicines and data from other health care services, for the purposes of providing pharmacy services, treatments and care to you.
Whenever you have given us your consent to use your personal information, you have the right to change your mind at any time and withdraw that consent. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent.
For more information about how and why we process your personal data, please see our schedule of personal data processing activities.
If you fail to provide personal information
Where we need to collect personal information by law, legitimate interest or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to provide you with prescription medicines, treatments and/or health care services. In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time.
Information required to provide treatment
We provide health advice and treatment by remote and postal service and therefore we must abide by the legal requirements for the supply of General Sales List, Pharmacy only and Prescription only medicine. The collection, processing, and sharing of data is necessary for compliance with our legal requirements. These legal requirements include confirming your identity, keeping accurate personal and medical records, and informing your regular doctor of treatment provided where necessary.
Confirming your identity
In some circumstances we may need to confirm your identity.
To confirm a person’s identity for a prescription, the following information must be correct:
- Gender (at birth)
- Full first name and surname
- Date of birth
- Postcode – Full address we can verify with the NHS Spine or financial records
Where your identity cannot be sufficiently verified (for private prescriptions) with the NHS Spine or financial records, additional proof of identity will be required. Proof of identity that could be accepted includes a copy of a photo identity document (passport, driving licence, national identity card, 18+ card). Once we have confirmed your identity you can re-confirm your identity each time contact is made with the pharmacy.
Medical records and prescriptions
Medical records include personal data about your tests and diagnosis, clinic and hospital visits and medicines administered, and they can be seen and used by our authorised staff involved in your care.
All prescriptions for medicines issued under Pharmacy Only Medication and Private Prescriptions that we process will remain part of your patient medication record.
Pharmacy Only Medication:
Where you require pharmacy only medications, which are the selection of medicines that can be purchased from a pharmacist without a prescription, we require you to answer some medical questions. The answers to these questions are recorded and form part of the medical consultation with our pharmacist(s). The pharmacy only medications previously supplied to you are considered when new purchases are made, and also form part of your sales record.
Private Prescriptions:
Treatment by private prescriptions may require further personal information from you, the patient, or representative, the GP or private doctor in order to confirm test results, medicines use reviews, new medication services, and / or confirmation of your nominated pharmacy.
Pharmacy records
Your personal information and prescription data will be entered into a pharmacy dispensing system by our partner pharmacy (Chemist4u) which serves as an independent record of treatment supplied on private prescriptions.
We and our partner pharmacy retain private prescriptions in accordance with GPhC standards.
Changes to your personal information
Any change made to your personal information is recorded (what data, when changed, and by whom).
It is important to keep your personal information up to date.
Communication
We use your contact information to communicate with you to facilitate the provision of healthcare remotely. We are likely to communicate with you via your email, telephone number(s) or SMS.
Sensitive details are not sent by email, unless you explicitly request information to be sent via email. Sensitive information is typically discussed via a phone call to ensure confidentiality.
Confidential messages
When you send us a message, and doctors, carers, other healthcare staff or administrators require additional information they will contact you via your requested means and use your personal information to respond to your message.
This information also forms part of your patient record.
Emails
We provide you with automated notification emails when you place an order and to provide you with delivery information and updates.
Supplementary emails
We may also contact you when you are checking out or placing a transaction on our website.
We may contact you via email where your cart is abandoned without placing an order or after you have placed an order. Follow-up emails, which include reminder emails, survey emails and re-engagement emails, are based on your original purchase date and the items purchased.
Marketing
We strive to provide you with choices regarding certain personal information uses, particularly around marketing and advertising.
If you have given your consent to receive marketing emails you can withdraw this at any time, or if we are relying on our legitimate interests to send you marketing you can object.
If you have received a direct marketing email from us and no longer wish to receive these marketing emails, the easiest way to let us know is to click on the unsubscribe link at the bottom of our marketing emails. We provide opt out or unsubscribe links at the bottom of these emails to allow you to opt out at any time.
Cookies
Our website my-bmi.co.uk uses cookies to distinguish you from other users of our websites. This helps us to provide you with a good experience when you browse our websites and also allows us to improve our site.
A cookie is a piece of data stored locally on your computer containing information about your activities on the Internet. For further information, including details on how to remove cookies, please read our full cookie policy.
Retention of your data
How long will we retain your personal data?
We will only retain your personal data for as long as is necessary for the purpose or purposes for which we have collected it.
If you would like further information regarding the periods for which your personal data will be held, please contact our DPO.
In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for analytical or statistical purposes, in which case we may use this information indefinitely without further notice to you.
Automated decision making
We may use automated decision-making and profiling to provide some services and to tailor the information we provide to you to your specific circumstances.
The medical questionnaires for each treatment area will automatically exclude you from requesting treatment if the following is identified:
- A reason including a symptom or medical condition that would mean you should not receive a particular treatment or procedure because it may be harmful.
- ‘Red flag’ signs and symptoms
- Incorrect gender
- Excessive order quantities
If you are automatically excluded for treatment your medical questionnaire will be considered by
Where the remote provision of treatment is not suitable, you are advised to contact your regular doctor or visit a health centre.
You can seek advice and discuss symptoms and treatment with our pharmacy team or pharmacist(s) via a secure email system or telephone.
You will be notified if we make a solely automated decision which produces a legal effect or significantly affects you.
Your rights
You are also able to exercise your rights which include:
The right to be informed.
We aim to be transparent within our Privacy Policy and provide you with information about how we use your personal information.
Right of access.
You have the right to request a copy of any information that we hold about you. We try to be as open as we can in giving people access to their personal data.
You can find out if we hold any personal information by making a subject access request.
The right to rectification.
You have the right to request the correction of your personal information when it is incorrect, out of date or incomplete. You can contact us, and we can amend inaccurate personal data, however, please note that in some circumstances we may ask for the documentary proof that the amendment is necessary.
The right to erasure.
You can request the erasure of your personal information when it is no longer necessary, you withdraw consent, or you object to its processing. Some information held by us is required by law to be held for a period of time. You can contact us if you wish to make a request.
The right to restrict data.
You can request that we restrict the processing of your personal information. This can be done in circumstances where we need to verify the accuracy of personal data, if you do not wish to have personal data erased or you object to the processing and we are considering this request.
The right to data portability.
Under some circumstances you can request a copy of the personal information you provided to us in a machine-readable format, or ask that this data be transferred to another third party.
The right to object.
In some circumstances you can stop the processing of your personal information for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal information. Where your details are used for marketing, you can opt out at any time.
The right not to be subject to automated decision making and profiling.
You have the right to not be subject to solely automatic decisions (i.e., decisions that are made about you by computer without any human input) in relation to your treatments, care or other processes that have a legal or similarly significant effect on you.
Please see the section on Automated decision making for details about when we may make automated decisions.
You have the right to ask what personal information we hold about you at any time. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
If you wish to exercise any of the above rights, please contact us.
Where you have access to account settings and/or tools which allow you to access and control your personal information, you can change and delete your personal information by logging into your account and using those settings. For instance, you can edit or delete the profile data you provide. You are also able to disable and delete your account if you wish.
Data security
We work hard to keep your personal information safe. We use a combination of technical, administrative, and physical controls to maintain the security of your personal information and protect against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use.
All information you provide to us is stored on our secure servers or within secure filing systems. Some of the controls we have in place to protect your personal data include technological controls such as firewalls, user verification and strong data encryption. We utilise industry “good practice” standards to support the maintenance of a robust information security management system. Any payment transactions will be encrypted. Please see our Payment security section.
As part of our security controls, data entry and retrieval is encrypted using an SSL certificate provided by Cloudflare and secured by ComodoSSL, a leading SSL Certificate Authority, so that information cannot be read or changed by others as it travels over the internet.
SSL certificates trigger modern web browsers to display the name of an organisation (My Health Online Limited) in green in the browser address bar and give details of the Certificate Authority (Cloudflare) that issued it. ComodoSSL uses an audited and rigorous authentication method, and browsers control the display of the green bar, making it difficult for phishers and counterfeiters to use our branding. Look for the green bar and locked padlock in your browser to indicate a secure and encrypted connection to our websites.
In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know it. They will only use your personal information on our instructions, and they are subject to a duty of confidentiality.
Whilst we work hard to ensure that personal information processed is subject to appropriate security, we cannot accept any responsibility for any loss, disruption or damage to your data or your computer system which may occur whilst using third party material derived from our websites.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
Personal online security
Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website or online account you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
For further advice on personal online security, you can obtain further information at the Get Safe Online service.
Payment security
We use trusted third-party payment gateways, Stripe (operated by Stripe Payments UK Ltd) and Checkout.com (operated by Checkout Ltd), to process your payments securely. When you make a purchase on our website, your payment information (such as credit or debit card details) is collected and processed directly by these providers. We do not store your full payment details on our servers; however, we may retain limited information (e.g., transaction ID, date, and amount) for order fulfilment, accounting, and legal purposes.
Stripe and Checkout.com are responsible for handling your payment data in accordance with their own privacy policies and applicable data protection laws. We recommend reviewing their privacy notices for more details:
- Stripe Privacy Policy: https://stripe.com/gb/privacy
- Checkout.com Privacy Policy: https://www.checkout.com/legal/privacy-policy
Your payment information is processed securely using industry-standard encryption and security measures. These third-party providers may process your data outside the UK; however, they are committed to ensuring adequate safeguards are in place, such as Standard Contractual Clauses, to protect your personal information in compliance with UK data protection regulations.
By completing a purchase, you consent to your payment details being shared with Stripe and/or Checkout.com solely for the purpose of processing your transaction and related activities (e.g., refunds or fraud prevention). If you have any questions about how your payment data is handled, please contact us at [insert contact email] or reach out directly to the payment providers.
If for any reason your order is declined by the pharmacist, or you cancel the order after making a payment, then a refund will be automatically made to the same payment card. Payments are processed on a ‘single payment authority’ basis, not allowing for further automatic recurring payments, but allowing refunds to your payment card if necessary.
Third-party links
Our websites may include links to third-party websites, plug-ins and applications, including links to websites of our partner networks or third-party service providers. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
We do not control these third-party websites and are not responsible for their privacy statements or policies. When you leave our websites, we encourage you to read the Privacy Policy of every website you visit.
We are not responsible for the content, function or information collection policies of these external websites.
How and why your information is shared:
The reasons we may share your personal information with third parties are:
- if we are under a legal or regulatory duty to do so,
- if it is necessary to do so to enforce our terms of use, terms and conditions or other contractual rights,
- to lawfully assist the police or security services with the prevention and detection of crime or terrorist activity,
- where such disclosure is necessary to protect the safety or security of any persons, and/or
- otherwise as permitted under applicable law.
We may also share your personal information to help with the processing of your request for treatment and the provision of healthcare.
We will never sell your personal information.
We only provide third parties with the information they need to know to perform their specific services.
We work closely with all the third parties to ensure that your personal data is secure and protected at all times. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. Our contracts with third parties make it clear that they must hold information securely, abide by the principles and provisions of data protection, and only use information as we instruct them to.
In all instances where we disclose your information to third parties, we will ensure that your information is appropriately protected. If we stop using their services, any of your personal data held by them will either be deleted or rendered anonymous.
Who might have access to the personal data we collect?
We use the following organisations to help us provide, and/or to support us in providing, services to you.
Please also see our cookie policy for further information.
How can we help?
If you have any questions that haven’t been covered, or you have any concerns about our use of your personal information please contact us.
For further information on data protection please visit the Information Commissioner’s Office (ICO) website.
The ICO regulates data protection. If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal information, you have the right to lodge a complaint with the ICO.
You can contact them by calling 0303 123 1113 or by visiting the website.
Changes to our Privacy Policy
Any changes we make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our Privacy Policy.