Privacy Policy

Everything you need to know about our privacy policy before you place an order with us.

We are committed to the highest standards of data privacy, and keeping your personal data safe, used properly and stored securely.   

This privacy notice tells you what to expect when we collect personal information from you. It also explains how we will store, handle and keep your personal information safe.   

We respect your privacy and are transparent about how your data is collected, stored, processed, and shared. Please read the following carefully to understand our practices regarding your personal information and how we will treat it. 

Information about who we are:  

MyBMI is owned and operated by the UK registered company My Health Online Limited. Company No. 12555647.

 (https://data.companieshouse.gov.uk/doc/company/12555647) 

This privacy statement applies to My Health Online Limited trading as MyBMI. 

My Health Online Limited is the controller for the personal information we process unless otherwise stated and is responsible for your personal data, collectively referred to as “we”, “us” or “our”.

We are registered with the ICO under reg. no ZB025368 

(https://ico.org.uk/ESDWebPages/Entry/ZB025368) 

You can contact us at: 

Postal address:  

35-37 Greenhey Place,  

Skelmersdale,  

Lancashire,  

WN8 9SA.  

Email:  

We have appointed a Data Protection Officer (DPO). Our DPO is James O’Loan.

Collection of your personal information

We use different methods to collect information from and about you.  

We collect personal data when you visit or register on our websites, contact us, or request information from our websites; you may be asked to provide information about yourself.

We also collect information when you purchase our products online, engage with us on social media, or sign up to an account.  

When you provide personal information to us, we will treat that information in accordance with this Privacy Policy. 

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you. 

Information we collect about you.  

Personal information, or personal data, means any information about an individual from which that person can be identified and is generally referred to throughout this Privacy Policy as “personal information”. It does not include data where the identity has been removed (anonymous data).

The personal data we may collect, use, store and transfer about you is as follows:

  • Identity data, which includes your name, age/date of birth and gender;
  • Contact data which includes postal address including billing and delivery addresses, your location, telephone numbers (including mobile numbers) and e-mail address;
  • Special category data, which includes information about your physical or mental health, health conditions, and other clinical metrics including environmental, socioeconomic, and behavioural information pertinent to health and wellness. 
  • Transaction data which includes purchases and/or orders made by you and your payment card details;
  • Technical data which includes your on-line browsing activities on our website;
  • Profile Data which includes your account login details for website and/or our on-line account, including your username and password(s), your interests, preferences, feedback and survey responses;
  • Marketing and communications data which includes your marketing preferences from us and our third parties, your communication preferences and your correspondence to and communications with us; and
  • other publicly available personal data, including any which you have shared via a public platform (such as a Twitter feed or public Facebook page).

This list is not exhaustive, and, in specific instances, we may need to collect additional data for the purposes set out in this Policy.  Some of the above personal data is collected directly, for example when you set up an on-line account on our website or send an email to us or contact us via social media.   

The confidentiality of your medical information is important to us. All your personal information will be processed in line with this policy, and in compliance with all applicable medical confidentiality guidelines.  

On-line account information

Some personal information is required to set up your on-line account including name, contact details, email address, date of birth. By logging-in to your on-line account you can access and update your personal information.  

Information we receive from other sources. 

This is information we receive about you. In order to provide you with prescriptions for medicines and health care services we may have to collect personal data about you from other organisations. This may include medical records which include personal data about your tests and diagnosis, clinic and hospital visits and medicines administered from: 

  • your GP or doctor 
  • your healthcare professional (including their medical secretaries) 
  • the NHS or any private healthcare organisation 
  • mental health providers 

The lawful basis for processing data 

We will only use your personal data when the law allows us to do so. The law on data protection sets out a number of different reasons for which a company may collect and process your personal data. 

We will also use your personal data in the following circumstances: 

  • Where we need to perform a contract we are about to enter into or have entered into with you.
  • Where you have consented before the processing. 
  • Where the processing is necessary in order to protect the vital interests of the data subject or of another natural person. 
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. 
  • Where we need to comply with a legal or regulatory obligation. 

The lawful basis for processing special category data is as follows: 

  • Where we need to perform a contract we are about to enter into or have entered into with you.
  • Where the processing is necessary for the purposes of preventive or occupational medicine, including medical diagnosis, the provision of health or social care or treatment.  
  • Where the processing is necessary in order to protect the vital interests of the data subject or of another natural person. 
  • Where you have consented before the processing. 

When collecting your personal information, we will always make it clear to you which data is necessary in connection with the particular activity.

In certain circumstances, we need your personal information to comply with our contractual obligations or to pursue our legitimate interests in a way which might be reasonably expected as part of running our business. For example, we process your personal information, which includes your name, contact details, prescription medicines and data from other health care services for the purposes of providing pharmacy services, treatments and care to you.

Whenever you have given us your consent to use your personal information, you have the right to change your mind at any time and withdraw that consent. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. 

For more information about how and why we process your personal data, please see our schedule of personal data processing activities.  

If you fail to provide personal information  

Where we need to collect personal information by law, legitimate interest or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to provide you with prescription medicines, treatments and/or health care services. In this case, we may have to cancel a service you have with us, but we will notify you if this is the case at the time. 

Information required to provide treatment 

We provide health advice and treatment by remote and postal service and therefore we must abide by the legal requirements for the supply of General Sales List, Pharmacy only and Prescription only medicine. The collection, processing, and sharing of data is necessary for compliance with our legal requirements. These legal requirements include confirming your identity, keeping accurate personal and medical records, and informing your regular doctor of treatment provided where necessary. 

Confirming your identity 

In some circumstances we may need to confirm your identity.  

Confirming a person’s identity for a prescription requires the following correct information:

  • Gender (at birth) 
  • Full first name and surname 
  • Date of birth 
  • Postcode – Full address we can verify with the NHS Spine or financial records 

Where your identity cannot be sufficiently verified (for private prescriptions) with the NHS Spine or financial records, additional proof of identity will be required. Proof of identity that could be accepted includes a copy of a photo identity document (passport, driving licence, national identity card, 18+ card). Once we have confirmed your identity you can re-confirm your identity each time contact is made with the pharmacy. 

Medical records and prescriptions  

Medical records include personal data about your tests and diagnosis, clinic and hospital visits and medicines administered, and they can be seen and used by our authorised staff involved in your care.  

All prescriptions for medicines issued under Pharmacy Only Medication and Private Prescriptions that we process will remain part of your patient medication record.  

Pharmacy Only Medication 

Where you require pharmacy only medications, which are the selection of medicines that can be purchased from a pharmacist without a prescription, we require you to answer some medical questions. The answers to these questions are recorded and form part of the medical consultation with our pharmacist(s). The previous pharmacy only medications supplied are considered when providing new purchases, and also form part of your sales record.

Private Prescriptions 

Treatment by private prescriptions may require further personal information from you, the patient, or representative, the GP or private doctor in order to confirm test results, medicines use reviews, new medication services, and / or confirmation of your nominated pharmacy.  

Pharmacy records 

Your personal information and prescription data will be entered into a pharmacy dispensing system by our partner pharmacy (Chemist4u) which serves as an independent record of treatment supplied on private prescriptions.   

We and our partner pharmacy retain private prescriptions in accordance with GPhC standards. 

Changes to your personal information  

Any change made to your personal information is recorded (what data, when changed, and by whom). 

It is important to keep your personal information up to date. 

Communication 

We use your contact information to communicate with you to facilitate the provision of healthcare remotely. We are likely to communicate with you via your email, telephone number(s) or SMS.  

Sensitive details are not sent by email, unless you explicitly request information to be sent via email. Sensitive information is typically discussed via a phone call to ensure confidentiality. 

Confidential messages 

When you send us a message, and doctors, carers, other healthcare staff or administrators require additional information they will contact you via your requested means and use your personal information to respond to your message.  

This information also forms part of your patient record. 

Emails 

We provide you with automated notification emails when you place an order and to provide you with delivery information and updates.  

Supplementary emails 

We may also contact you when you are checking out or placing a transaction on our website.  

We may contact you via email where your cart is abandoned without placing an order or where you have placed an order. Follow-up emails are provided, which include reminder emails, survey emails and re-engagement emails based on your original purchase date and items purchased.

Marketing  

We strive to provide you with choices regarding certain personal information uses, particularly around marketing and advertising. 

If you have given your consent to receive marketing emails you can withdraw this at any time, or if we are relying on our legitimate interests to send you marketing you can object.  

If you have received a direct marketing email from us and no longer wish to receive these marketing emails, the easiest way to let us know is to click on the unsubscribe link at the bottom of our marketing emails. We provide opt out or unsubscribe links at the bottom of these emails to allow you to opt out at any time.  

Cookies

Our website www.my-bmi.co.uk uses cookies to distinguish you from other users of our websites. This helps us to provide you with a good experience when you browse our websites and also allows us to improve our site.

A cookie is a piece of data stored locally on your computer containing information about your activities on the Internet. For further information, including details on how to remove cookies, please read our full cookie policy. 

Retention of your data 

How long will we retain your personal data?

We will only retain your personal data for as long as is necessary for the purpose or purposes for which we have collected it. 

If you would like further information regarding the periods for which your personal data will be held, please contact our DPO. 

In some circumstances we will anonymise your personal data (so that it can no longer be associated with you) for analytical or statistical purposes, in which case we may use this information indefinitely without further notice to you. 

Automated decision making 

We may use automated decision-making and profiling to provide some services and to tailor the information we provide to you to your specific circumstances. 

The medical questionnaires for each treatment area will automatically exclude you from requesting treatment if the following is identified: 

  • A reason including a symptom or medical condition that would mean you should not receive a particular treatment or procedure because it may be harmful. 
  • ‘Red flag’ signs and symptoms 
  • Incorrect gender 
  • Excessive order quantities 

If you are automatically excluded for treatment your medical questionnaire will be considered by  

Where the remote provision of treatment is not suitable, you are advised to contact your regular doctor or visit a health centre.  

You can seek advice and discuss symptoms and treatment with our pharmacy team or pharmacist(s) via a secure email system or telephone. 

You will be notified if we make a solely automated decision which produces a legal effect or significantly affects you.

Your rights

You are also able to exercise your rights which include: 

The right to be informed. 

We aim to be transparent within our Privacy Policy and provide you with information about how we use your personal information.  

Right of access. 

You have the right to request a copy of any information that we hold about you. We try to be as open as we can be in terms of giving people access to their personal data.

You can find out if we hold any personal information by making a subject access request. 

The right to rectification. 

You have the right to request the correction of your personal information when it is incorrect, out of date or incomplete. You can contact us, and we can amend inaccurate personal data, however, please note that in some circumstances we may ask for the documentary proof that the amendment is necessary.  

The right to erasure. 

You can request the erasure of your personal information when it is no longer necessary, you withdraw consent, or you object to its processing. Some information held by us is required by law to be held for a period of time. You can contact us if you wish to make a request. 

The right to restrict data. 

You can request that we restrict the processing of your personal information. This can be done in circumstances where we need to verify the accuracy of personal data, if you do not wish to have personal data erased or you object to the processing and we are considering this request. 

The right to data portability. 

Under some circumstances you can request a copy of the personal information you provided to us in a machine-readable format or ask that this data be transferred to another third party.

The right to object. 

In some circumstances you can stop the processing of your personal information for reasons connected to your individual situation. We must then do so unless we believe we have a legitimate overriding reason to continue processing your personal information. Where your details are used for marketing, you can opt out at any time.  

The right not to be subject to automated decision making and profiling. 

You have the right to not be subject to solely automatic decisions (i.e., decisions that are made about you by computer without any human input) in relation to your treatments, care or other processes that have a legal or similarly significant effect on you. 

Please see the section on Automated decision making for details about when we may make automated decisions. 

You have the right to ask what personal information we hold about you at any time. You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

If you wish to exercise any of the above rights, please contact us.  

You may have access to account settings and / or tools which allow you to access and control your personal information. By logging into your account and using your account settings, you can change and delete your personal information. For instance, you can edit or delete the profile data you provide. You are also able to disable and delete your account if you wish.

Data security 

We work hard to keep your information and personal information safe. We use a combination of technical, administrative, and physical controls to maintain the security of your personal information and protect against accidental, unlawful or unauthorised destruction, loss, alteration, access, disclosure or use.   

All information you provide to us is stored on our secure servers or within secure filing systems. Some of the controls we have in place to protect your personal data include technological controls such as firewalls, user verification, strong data encryption. We utilise industry “good practice” standards to support the maintenance of a robust information security management system. Any payment transactions will be encrypted. Please see our Payment security section.  

As part of our security controls we use data entry and retrieval which is encrypted using an SSL certificate provided by Cloudflare and secured by ComodoSSL, a leading SSL Certificate Authority. This ensures that no one else can read or change information as it travels over the internet.

SSL certificates trigger modern web browsers to display the name of an organisation (My Health Online Limited) in green in the browser address bar and give details of the Certificate Authority (Cloudflare) that issued it. ComodoSSL uses an audited and rigorous authentication method, and browsers control the display of the green bar, making it difficult for phishers and counterfeiters to use our branding. Look for the green bar and locked padlock in your browser to indicate a secure and encrypted connection to our websites. 

In addition, we limit access to your personal information to those employees, agents, contractors and other third parties who have a business need to know it. They will only use your personal information on our instructions, and they are subject to a duty of confidentiality. 

Whilst we work hard to ensure that personal information processed is subject to appropriate security we cannot accept any responsibility for any loss, disruption or damage to your data or your computer system which may occur whilst using third party material derived from our websites.  

We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so. 

Personal online security 

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our website or online account you are responsible for keeping this password confidential. We ask you not to share a password with anyone. 

For further advice on personal online security, you can obtain further information at the Get Safe Online service.

Payment security 

We use trusted third-party payment gateways, Stripe (operated by Stripe Payments UK Ltd) and Checkout.com (operated by Checkout Ltd), to process your payments securely. When you make a purchase on our website, your payment information (such as credit or debit card details) is collected and processed directly by these providers. We do not store your full payment details on our servers; however, we may retain limited information (e.g., transaction ID, date, and amount) for order fulfillment, accounting, and legal purposes. 

Stripe and Checkout.com are responsible for handling your payment data in accordance with their own privacy policies and applicable data protection laws. We recommend reviewing their privacy notices for more details: 

Your payment information is processed securely using industry-standard encryption and security measures. These third-party providers may process your data outside the UK; however, they are committed to ensuring adequate safeguards are in place, such as Standard Contractual Clauses, to protect your personal information in compliance with UK data protection regulations. 

By completing a purchase, you consent to your payment details being shared with Stripe and/or Checkout.com solely for the purpose of processing your transaction and related activities (e.g., refunds or fraud prevention). If you have any questions about how your payment data is handled, please contact us at [insert contact email] or reach out directly to the payment providers. 

If for any reason your order is declined by the pharmacist, or you cancel the order after making a payment, then a refund will be automatically made to the same payment card. Payments are processed on a ‘single payment authority’ basis, not allowing for further automatic recurring payments, but allowing refunds to your payment card if necessary.

Third-party links

Our websites may include links to third-party websites, plug-ins and applications, including links to websites of our partner networks or third-party service providers. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.  

We do not control these third-party websites and are not responsible for their privacy statements or policies. When you leave our websites, we encourage you to read the Privacy Policy of every website you visit.  

We are not responsible for the content, function or information collection policies of these external websites. 

How and why your information is shared:  

The reasons we may share your personal information with third parties are:   

  • if we are under a legal or regulatory duty to do so,  
  • if it is necessary to do so to enforce our terms of use, terms and conditions or other contractual rights,  
  • to lawfully assist the police or security services with the prevention and detection of crime or terrorist activity,  
  • where such disclosure is necessary to protect the safety or security of any persons, and/or  
  • otherwise as permitted under applicable law. 

We may also share your personal information to help with the processing of your request for treatment and providing healthcare.  

We will never sell your personal information.  

We only provide third parties with the information they need to know to perform their specific services.  

We work closely with all the third parties to ensure that your personal data is secure and protected at all times. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. Our contracts with third parties make it clear that they must hold information securely, abide by the principles and provisions of data protection, and only use information as we instruct them to.

In all instances where we disclose your information to third parties, we will ensure that your information is appropriately protected. If we stop using their services, any of your personal information data held by them will either be deleted or rendered anonymous. 

Who might have access to the personal data we collect? 

We use the following organisations to help us provide, and / or support us in providing, services to you.

3rd party provider: Service provided

  • My Health Online staff: Treatment and services
  • Innox Trading Ltd (t/a Chemist4u) staff: Treatment and services
  • GPhC registered pharmacies: Treatment and services
  • GPhC: Regulatory audits and inspections
  • NHS: Treatments, medical records and services
  • Delivery companies, for example Royal Mail, DPD, P2P: Delivery services
  • Doctors: Treatment and services
  • Trustpilot: Review of services
  • Hello Telecom: VOIP phone service
  • SurveyMonkey: Customer satisfaction surveys

 

Please also see our cookie policy for further information.  

How can we help?  

If you have any questions that haven’t been covered, or you have any concerns about our use of your personal information please contact us.  

For further information on data protection please visit the Information Commissioner’s Office (ICO) website.

The ICO regulates data protection. If you feel that your data has not been handled correctly, or you are unhappy with our response to any requests you have made to us regarding the use of your personal information, you have the right to lodge a complaint with the ICO. 

You can contact them by calling 0303 123 1113 or visiting the website.

Changes to our Privacy Policy 

Any changes we make to our privacy policy in the future will be posted on this page and, where appropriate, notified to you by e-mail. Please check back frequently to see any updates or changes to our Privacy Policy. 

SCHEDULE OF PERSONAL DATA PROCESSING ACTIVITIES:

WHAT WE DO WITH PERSONAL DATA WHEN:  

WHAT WE NEED?  

THE PERSONAL DATA COLLECTED:  

HOW PERSONAL DATA IS COLLECTED 

WHY WE NEED IT AND WHAT WE DO WITH IT.  

THE PURPOSE OF PROCESSING YOUR PERSONAL DATA 

LAWFUL BASIS FOR DATA PROCESSING  

YOUR ON-LINE ACCOUNT 

We need your name, contact details, email address, date of birth, health data, and previous orders.

We ask you to provide and / or update your personal information.  

We also collect data from our database, which includes information from previous interactions and information which has been submitted by third parties, e.g., the NHS or Pharmacists.

We need information from you to manage our relationship with you, including to facilitate orders and any contract for services.  

Where we process your information the lawful basis we rely on to process your personal data is article 6(1)(b) and (f) of the UK GDPR, which allows us to process personal data when this is necessary for the performance of a contract with you and where the processing is necessary for the purposes of a legitimate interest pursued by MYBMI.  

Where the information contains health information, the lawful basis we rely on to process it is article 9(2)(h) or (i) of the UK GDPR, which is for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to a contract with a health professional.

Where we process information for the NHS, the lawful basis we rely on is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary to perform public tasks. Where the information contains health information, the lawful basis we rely on to process it is article 9(2)(g) of the UK GDPR, which also relates to public tasks.

As part of the services, we need your information to send automated service messages to you about a current contract, and / or services you have requested or that relate to your past purchases.

We also need and use your information to fulfil orders for bespoke medications, tailor-made medical equipment, or appliances and to ensure the best levels of service from our third-party dispensing partners.  

We will also process your data to send you messages about important public health services that may be relevant to you (e.g., COVID-19 or seasonal flu vaccinations). 

We may also contact you to request your feedback about our services or products. 

We may also contact you to remind account users to check that their account details are up to date. 

MEDICAL AND NHS RECORDS 

We need your name, contact details, email address, date of birth, health data, and medical records.

We ask you to provide and / or update your personal information. We also use our previous interactions and data from third parties including the NHS and / or Pharmacists.  

We need information, including your medical records and NHS records, from you to manage our relationship with you, to facilitate orders and any other contract for services we have with you.

Where we process your information, the lawful basis we rely on to process your personal data is article 6(1)(b) and (f) of the UK GDPR, which allows us to process personal data when this is necessary for the performance of a contract with you and where the processing is necessary for the purposes of a legitimate interest pursued by MYBMI.

Where the information contains health information, the lawful basis we rely on to process it is article 9(2)(h) or (i) of the UK GDPR, which is for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to a contract with a health professional.

Where we process information for the NHS, the lawful basis we rely on to process your personal data is article 6(1)(e) of the UK GDPR, which allows us to process personal data when this is necessary to perform our public tasks. Where the information contains health information, the lawful basis we rely on to process it is article 9(2)(g) of the UK GDPR, which also relates to our public task.

We may also contact you to request your feedback about our services or products. 

ORDERS  

We need your name, contact details, email address, delivery address, health data, medication details, payment details. 

We ask you to provide and / or update your personal information. We also may use previous or historical data provided during previous interactions or by third parties including the NHS and / or Pharmacists.  

Your information is needed to facilitate your order and / or any contract for the provision of services we have with you. We also need your information to confirm your identity, and to provide your order or medication.

 

Where we process your information the lawful basis, we rely in is rely on to process your personal data is article 6(1)(b) and (f) of the UK GDPR, which allows us to process personal data when this is necessary for the performance of a contract with you and where the processing is necessary for the purposes of a legitimate interest pursued by MYBMI.  

Where the information contains health information, the lawful basis we rely on to process it is article 9(2)(h) or (i) of the UK GDPR, which is for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to contract with a health professional.

 

We also collect your information to fulfil orders for any bespoke medications, tailor-made medical equipment, or appliances, and to ensure the best levels of service from our dispensing partners.

Where you have started an order with us for services or products, but have yet to complete the order, we use your information to send you an e-mail reminder. 

We use your information to send you automated service messages including where you have a current order, contract, and / or services or have made past purchases. 

PROVISION OF HEALTH CARE  

 

Your name, address, e-mail address, phone number, relevant health information, previous interactions and medical history.  

We ask you to provide and / or update your personal information. We also may use previous or historical data provided during previous interactions or by third parties including the NHS and / or Pharmacists. 

Your information is needed to facilitate your order and / or any contract for the provision of services we have with you. We also need your information to confirm your identity, and to provide your order or medication.

Where we process your information, the lawful basis we rely on to process your personal data is article 6(1)(b) and (f) of the UK GDPR, which allows us to process personal data when this is necessary for the performance of a contract with you and where the processing is necessary for the purposes of a legitimate interest pursued by MYBMI.

Where the information contains health information, the lawful basis we rely on to process it is article 9(2)(h) or (i) of the UK GDPR, which is for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to contract with a health professional.

 

Sometimes we will process your data to send you messages about public health services that may be relevant to you (e.g., COVID-19 or seasonal flu vaccinations). 

We may also contact you to request your feedback about our services or products. 

 

CONSULTATIONS AND ONLINE CLINIC SERVICES   

Your name, address, e-mail address, phone number, relevant health information and other details including previous medical history and prescriptions.

We ask you to provide and / or update your personal information.  

We also use previous or historical data provided during previous interactions or by third parties including the NHS and / or Pharmacists. 

We may also use our own database, including the Chemist4u telemedicine platform, during remote consultations.

We use your information to provide you with health advice and treatment. 

Where we process your information, the lawful basis we rely on to process your personal data is article 6(1)(b) and (f) of the UK GDPR, which allows us to process personal data when this is necessary for the performance of a contract with you and where the processing is necessary for the purposes of a legitimate interest pursued by MYBMI.

Where the information contains health information, the lawful basis we rely on to process it is article 9(2)(h) or (i) of the UK GDPR, which is for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to contract with a health professional.

 

PHONE CONTACTS  

We need your name, contact details, email address and date of birth. We may also need your health data, including information about your medical history and / or prescriptions.

We ask you to provide and / or update your personal information. We may also use data from our own database.

 

We use your information to ensure there is an accurate record of the telephone call.  

The lawful basis we rely on to process your personal data is article 6(1)(b) and (f) of the UK GDPR, which allows us to process personal data when this is necessary for the performance of a contract with you and where the processing is necessary for the purposes of a legitimate interest pursued by MYBMI.

Where the information contains health information, the lawful basis we rely on to process it is article 9(2)(h) or (i) of the UK GDPR, which is for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to contract with a health professional.

 

We use your information and the contents of the telephone call to check and review the quality of care.

We may use your information to prevent, detect, investigate and prosecute allegations, complaints, claims and / or fraud relating to patients, customers, other organisations or MYBMI.  

SOCIAL MEDIA CONTACTS  

We need your name, contact details and email address.

We ask you to provide and / or update your personal information. 

When you contact us via social media and make an enquiry, we collect information, including your personal data, so that we can respond to it and fulfil any orders placed.

 

The lawful basis we rely on to process your personal data is article 6(d) for the purpose of our legitimate interests. 

We need enough information from you to answer your enquiry. 

We also collect analytics information so we can provide a personalised service, monitor the impact of our services and improve the service we provide. 

BUSINESS COMMUNICATIONS  

We hold the names and contact details of individuals acting in their capacity as representatives of their organisations, across the business.  

We ask you to provide and / or update your personal information. 

We also use our database and any historic contacts with you.

We need information when we have interactions which relate to suppliers, contracts, buildings management and IT services, so we can manage those relationships and / or contracts.

Where we process business contacts information the legal basis we rely on to process your personal data is article 6(1)(c) of the UK GDPR for any legal obligation or article 6(1)(f) because the processing is within our legitimate interests as a business. 

WEBSITE CONTACTS AND REGISTRATION  

We need your name, contact details and email address.

We ask you to provide and / or update your personal information.  

We need information from you to manage our relationship with you, including to facilitate orders and any contract for services. 

Where we process your information, the lawful basis we rely on to process your personal data is article 6(1)(b) and (f) of the UK GDPR, which allows us to process personal data when this is necessary for the performance of a contract with you and where the processing is necessary for the purposes of a legitimate interest pursued by MYBMI.

Where the information contains health information, the lawful basis we rely on to process it is article 9(2)(h) or (i) of the UK GDPR, which is for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services or pursuant to contract with a health professional.

 

MARKETING 

We need your name and contact details, including telephone number, email and postal address.

We ask you to provide and / or update your personal information and marketing preferences.  

We use your information to send you direct marketing information about our products and services that we think will be relevant to you. We may do this by post, e-mail, SMS, or telephone. 

The lawful basis we rely on for processing your personal data is your consent under article 6(1)(a) of the UK GDPR.   

We also rely on article 6(1)(f) of the UK GDPR, which allows us to process personal data when this is necessary for the purposes of a legitimate interest pursued by MYBMI.

Please note that we will check the TPS before we contact you. We will always provide you with an option to opt-out of receiving these communications.  

To undertake direct marketing activities on behalf of other organisations in the following categories: Healthcare Products and Services, Retail, Financial Services, Leisure, Charities, Clinical Trial Operators and Research Organisations. We may send you direct marketing about the products and services that they offer.

To undertake market research about our product on social media to help us develop our products and services. 

WEBSITE VISITORS  

We collect your IP Address, information about which pages you visit and for how long. We also collect details about the website you came from and went to before and after visiting our website. We may also collect information about the device you used to access our websites, such as the type of phone/PC, operating system.  

Where required we ask you to provide and / or update your personal information and marketing preferences. 

We collect analytics information so we can provide a personalised service, monitor the impact of our website, and improve the service or services we provide.

The lawful basis we rely on for processing your information and your cookie or interest preferences is your consent under article 6(1)(a) of the UK GDPR. 

Where we use cookies which are necessary for the running of the website, we rely on article 6(1)(d) of the UK GDPR.  

For more information on cookies please see our Cookie Policy.  

MANAGE YOU AS A PATIENT 

Name, contact details, pharmacy nomination 

We collect this data from our database. Our database will have this information from our previous interactions with you and information that you have submitted to us. We will also collect data from your NHS account via use of the NHS Personal Demographics Service.

To send you a notification to confirm if any of the following details change: Address; Doctor Surgery; Pharmacy Nomination 

We do this where we have your consent to fulfil our contracted relationship with you as detailed in the terms and conditions.

REMINDERS 

Name and contact details. 

We collect this data from our database. Our database will have this information from our previous interactions with you and information that you have submitted to us. 

To send messages to account users to remind them to check their account details are up to date. 

If we do this directly on request of the NHS then this is done under the basis of the public interest. If we do this without being directly instructed, it is under the basis of our legitimate interests to ensure that you are informed of public health services relevant to you. 

REMINDERS TO COMPLETE ORDERS 

Name, contact details, partially completed subscription order. 

We collect this data from our database. Our database will have this information from our previous interactions with you and information that you have submitted to us. We will also collect data from your account’s partially completed order. 

To send you an e-mail reminder if you only partially complete a prescription order on our website or app. 

We do this under our legitimate interest to notify you of partially completed applications on our website in case users have forgotten to complete some parts of the form. 

 

For further information on how and why we collect your personal information, including your rights, who we share it with and how to contact us, please read our full privacy notice.  


Last updated: 21/07/2025