Privacy Policy

Terms of use   Using My BMI or affiliated websites This website (https://www.my-bmi.co.uk) is wholly owned and operated by My Health Online Ltd (company registration- 12555647) (“us”, “we”, “our”). By using this and affiliated websites, you agree to be legally bound by the following terms of use (“Terms”, “Terms & Conditions”, “Terms of service”). If you do not agree to be bound by these Terms, you must not use this website. For Terms specific to purchases, delivery of good and purchases additional and separate terms and conditions covering consultations/questionnaires, purchases and the delivery of goods. Media Links We welcome links to any HTML files on this server, however linking to media files (eg: jpeg, jpg, gif, pdf, Flash or video of any sort) from other sites is not permitted without our prior written approval. Unless you obtain our prior written approval, the information on this website is made available to you on the condition that you access it through the HTML files on our server; deep linking or otherwise accessing this website without going through our server shall be a breach of these Terms. Content and operation We have taken every reasonable precaution and care in compiling this website, but it is possible that errors may occur. We do not give any warranty or make any representation of any kind with respect to the contents or operation of this website. Also, no warranty is given or representation made that this website will be compatible with all operating systems, browsers or computer hardware or software. We reserve the right to make changes to these Terms and to the other contents of this website at any time without notice. Limitation of liability We do not make any promise that your use of this website will be uninterrupted, reliable or error-free or that its contents will be accurate or complete. All liability arising out of or in connection with your use of this website and/or reliance on its content is excluded. We do not accept any liability for losses or damages, whether direct or indirect that you may suffer as a result of your use of this website (including but not limited to computer service or system failure, access delays or interruption, data non-delivery or mis-delivery, computer viruses or other harmful components, breaches of security or unauthorised use of the system arising from “hacking” or otherwise). However, notwithstanding the above, nothing in these Terms shall exclude liability for death or personal injury resulting from our negligence or that of our employees, agents or authorised representatives or for fraudulent misrepresentation made by us, our employees, agents or authorised representatives or for any other liability the exclusion of which would not be permitted under English Law. Each of the exclusions or limitations in these Terms shall be construed as a separate severable provision of these Terms. If any provision of these Terms is found to be invalid or unenforceable but would be valid and enforceable if some part of the provision were deleted, the provision in question shall apply with such modification(s) as may be necessary to make it valid. Law and jurisdiction These Terms are to be interpreted in accordance with English law and any and all disputes arising out of your use of or in relation to this website shall be subject to the exclusive jurisdiction of the English Courts. Viruses We use reasonable endeavours to prevent contamination by known viruses and to maintain the security of this website but no warranty is given that this website or its contents or hypertext links are virus free or uncontaminated. Nor can we guarantee that this website will not be affected (or indeed fail or stop altogether) as a consequence of deliberate damage by hackers, failure of computers or other equipment, power failure, failure of telecommunications lines or criminal action. You should make your own virus checks and implement your own precautions in this respect. All liability for any such damage is hereby expressly excluded to the extent permitted by law. Protection of our property All designs, text, graphics, program codes and the selection or arrangement of them are the copyright of us or our licensors and all trademarks, brand names and company names or logos contained on this website are owned by us or our licensors (“Intellectual Property”). Subject to paragraph 8 below, you may not amend, republish, resend, redistribute or otherwise use or make any of the contents of this website (including the Intellectual Property) available to any other person whether by way of any website, online service, bulletin board, hard copy or any other form, without our express prior written consent. Permitted reproduction You may download onto your computer, store and use information contained in pages from this website for your own personal use and research or that of your organisation, provided that the integrity of the material is maintained, we are acknowledged as its source and our website URL is given. Also, if you provide it to other people in your organisation, you should make sure that those people are aware that these Terms apply to them and their use of the material. Linking with other websites You are not permitted, except with our prior written consent, to deep link to or to frame any of the content that appears on the website. This website may include links to other websites that may be of interest to you. We do not endorse or approve and have no responsibility for the content of any website to which this website links. Also, no warranty is given that the links are accurate. Privacy policy These Terms should be read in conjunction with our Privacy Policy. You agree that we may collect, store and use information about you in accordance with our Privacy Policy and acknowledge and agree to be legally bound by the terms of our Privacy Policy. Further information If you have any queries or complaints or would like to link to this website or request further information, please contact us. Emails The contents of any email sent from My BMI / My Health Online Ltd and any attachments may be privileged, confidential and protected by copyright. If they are received in error let us know and do not use it nor retain it nor copy it. While all efforts are made to safeguard emails, we cannot guarantee that any attachments are virus free or compatible with the recipient’s systems and does not accept liability in respect of viruses or computer problems experienced. We reserve the right to monitor all email communications through its internal and external networks. Implied Consent When using our service your consent is implied; this includes for marketing and promotional services. By engaging with our service, your confidential patient information is accessed and used for your individual care. This means your consent is implied, without you having to explicitly say so. Those caring for you will need to know relevant confidential patient information in order to treat you. If you wish to withdraw consent for information about you to be used to support your individual treatment, or for marketing purposes, you should contact us and let us know. Terms and conditions Version 1.1: Feb 2021 The legal basis of the service Definitions “You or yours” refers to yourself who has submitted your personal information on this website agreeing to use the pharmacy only medication questionnaire service (“consultation”), nomination to the pharmacy and/or purchases on My-bmi.co.uk. “We or our” refers to My Health Online Ltd, incorporated in England and Wales with registered number 12555647 whose registered office is at. 71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ”Website” means the linked pages of my-bmi.co.uk that allow general purchases. Declaration You undertake that all information provided by you is correct and true. Medication is provided in accordance with the information you provide to our pharmacist(s)/accuracy checking technicians through assessments on the website and by web-messages, email, SMS and by telephone. We, therefore, take no liability for loss or damage arising from our service or medication prescribed if you supply incorrect or incomplete information. You agree to inform your GP about medication supplied and advice was given to you through the website. We are not liable for damages which arise from your failure to inform your GP or other healthcare professional about the treatment you receive from the website. We are not liable for any damages which result from your failure to follow the advice given on the website. You accept the advice that the website does not replace your GP and that you should consult with your GP and other health care professionals when you are advised and as the need arises. You undertake to read carefully all product packaging and patient information leaflets supplied with your medication. In the event that you do not fully understand the questions in the assessment part of the website or are unsure how you should answer those questions or you do not fully understand the advice or information given to you on the website, you will seek clarification from the pharmacy team. In the event, your medicine appears to be damaged or wrongly dispensed or delivery is delayed you agree to contact the dispensing pharmacy (Chemist4U) to seek advice and replacement as required. If any of these terms are held to be invalid or unenforceable then the validity and enforceability of the remaining provisions shall not be affected. You give your consent for information about yourself, your health and your current medications including, but not limited to, the information you divulge as part of the online consultation assessment to be viewed and exchanged by and between My Health Online Ltd’s employees and pharmacists working on My Health Online Ltd’s behalf for the purpose of conducting a medicinal suitability consultation(s). You understand this information may be exchanged electronically for the provisions of the service. All services provided by this Website and other My Health Online Ltd technologies are provided on a ‘best endeavours’ basis. Consultations made electronically from this Website will be forwarded to a pharmacist as soon as possible. Due to the range of third-party networks and innovative technology used for this transmission we are unable to guarantee a time of arrival of the consultation information for a pharmacist’s attention or absolutely guarantee that it will arrive at all. We are not responsible for the failure of third party companies’ inability to deliver medicines to the correct address or within any particular time or date. You are responsible for receiving packages containing medicines but confirmation of delivery from provided postal delivery service/courier used by means of scan tracking, signature, GPS or alike, resulting from receipt by third parties at the delivery address given by yourself will be deemed to be receipt of the medicines. You are responsible for providing valid credit or debit card details which may be charged if you are not exempt from payment. We reserve the right to not deliver medicines to you if your payment details have expired or are invalid in any way. In such cases, we will attempt to contact you in such instances to enable you to provide updated information. Payments are processed by Checkout.com on a ‘single payment authority’ basis, not allowing for further payments, but allowing refunds to your payment card if necessary. All information provided by you will be treated securely and strictly in accordance with the Data Protection Act 1998 and the EU GDPR directive. My Health Online Ltd and its directors or related companies shall not be liable for any losses or claims arising directly or indirectly from use of this website or its services except that this exclusion of liability does not apply to any damages in connection with death or personal injury caused by the negligence of My Health Online Ltd, its directors or employees. Your use of this website is governed by English Law and subject to the exclusive jurisdiction of the English courts. My Health Online Ltd has taken care in the preparation of the content of this website. To the fullest extent permitted by the law, My Health Online Ltd disclaims all warranties of any kind with respect to the content of this website. Privacy policy Version 1.1: Feb 2021 Summary My Health Online Ltd is committed to the highest standards of data privacy and protection. We collect personal information required to process and deliver your request for healthcare, and standard technical information to better understand how our website is used. The lawful basis for processing data Personal health and medical data is a special category of data and subject to specific provisions and exemptions. The lawful basis for processing data is as follows:

• GDPR Article 6 (1)(c): processing is necessary for compliance with a legal obligation. My Health Online Ltd is legally obliged to abide by regulations governing healthcare which require accurate medical records.
• GDPR Article 9 (h): processing of special categories of personal data Specifically: processing is necessary for the purposes of preventive or occupational medicine, … medical diagnosis, the provision of health or social care or treatment …

My Health Online Ltd does NOT rely on user consent to lawfully process their data. Consent cannot be effectively withdrawn as Electronic patient records must not be destroyed or deleted for the foreseeable future. NHS Choices – How long should medical records (health records) be kept for? Requesting consent on a lawful basis would, therefore, be misleading. Statement This privacy statement applies to My Health Online Ltd (the ‘data controller’) trading as My BMI. Please contact the data officer Mr James O’Loan, Data Privacy Officer Director (email [email protected]) for any issues regarding your personal data. We respect your privacy and are transparent about how your data is collected, stored, processed. We abide by all current data regulation – see our < >Information Commissioner’s Office‘s Register Entry Report certificate details here. Information required to provide treatment My Health Online Ltd provides health advice and treatment by remote and postal service and must abide by the legal requirements for the supply of Prescription only medicine, and the collection, processing, and sharing of data is necessary for compliance. These legal requirements include confirming your identity, keeping accurate personal and medical records, and informing your regular doctor of treatment provided where necessary. Confirming your identity To confirm a person’s identity for a prescription requires the correct following information:

• Gender (at birth)
• Full first name and surname
• Date of birth
• Postcode – Full address we can verify with the NHS Spine or financial records

Medical records We may request access to your NHS Summary Care Record to provide appropriate treatment to you. You will be asked for consent during your consultation. We access this through our NHS registered partner Pharmacy Chemist4U. Confidential messages All Healthcare staff or administrators may request or respond to additional information from the patient. This information also forms part of the patient record. Communication Effective communication is required to facilitate the provision of healthcare remotely, and, is achieved by customers providing their email and telephone number(s). Primary communication is via email, with secondary contact by phone or SMS. Sensitive details are not sent by email, unless requested via email where consent to reply via email is implied, unless stated otherwise. Sensitive information is typically discussed via a phone call where appropriate to ensure confidentiality. Addresses Customers provide a payment card billing address and delivery address if different. Each address provided will be stored and recorded. Your GP details Customers should keep their regular GP/doctor informed of treatment provided by My Health Online Ltd. This ensures your regular doctor is aware of all treatments you are using, particularly important if a new treatment or supplementary treatment is purchased. If there is a reason to believe there is a compliance, safety or abuse of medication, your GP may be contacted to confirm the viability of the medication. Changes to patient data Any change made to patient data is recorded (what data, when changed, and by whom). Pharmacy records Our partner pharmacy Chemist4U additionally enters patient and prescription data into a pharmacy dispensing system which serves as an independent record of treatment supplied on NHS and private prescriptions and is standard practice for UK registered pharmacies. The Pharmacy retains private prescriptions in accordance to GPhC standards. Emails Automated notification emails are sent to users:

• When placing an order
• Delivery updates from Royal Mail

Manual email notifications from My Health Online Ltd / My BMI regarding requests for prescriptions are required in order to provide an effective service. Customers using the service cannot opt out of receiving these emails. Supplementary emails When registering an account with My BMI customers are given the option to subscribe to an email service which will end multiple emails weekly on average using a 3rd party mailing provider. Customers agree that data, including email address, first name, and last name, share when opting to receive emails. Each email sent will include a simple method to unsubscribe from the mailing. Customers can request their data is permanently deleted from external servers, please contact the data officer. My Health Online Ltd reserves the right to send non-commercial mass emails regarding drug safety and important service updates to all registered users of the service. Support and administration My Health Online Ltd employees use Office365 to administer the service including Outlook365 for managing support emails. Visitor tracking www.my-bmi.co.uk  website uses Google Analytics website visitor tracking service to enable us to understand how users interact with our website and improve our service, and also to report on trends and sales. You can find out more about how this service works by visiting Google Analytics Overview Browser can be configured or add-ons can be downloaded to opt out of Google Analytics if customers prefer. Our website server also retains similar technical and geographical visitor data for a period of 7 days only. Cookie use policy Visiting the www.my-bmi.co.uk  website will result in cookies being stored on your computer or mobile device’s web browser. These cookies support and facilitate customers to use the service. By using these websites, you consent to these cookies being installed on your device. For further information, including details on how to remove cookies. Retention of your data Your data will be retained for up to 3 years in a secure data centre, as required by regulation regarding healthcare provision. This also protects both the patient, pharmacy and doctor in case of legal proceedings.  The NHS Choices page How long should medical records (health records) be kept for? states Electronic patient records must not be destroyed or deleted for the foreseeable future. Customer’s online account with My BMI login can be disabled. Patient and customer access to data Customers and customers can access and update their personal online profile by logging-in to their My BMI account. Customers and customers can access and update their medical records by contacting our team, directly by phone or email. Customers can request a copy of all stored data relating to themselves by contacting the Data Officer. The data will be provided in a common format for portability to other data systems. Who has access to the personal data we collect? Please review the data sharing title below for full details. 3rd party organisations process data provided by My Health Online Ltd solely for the purpose of delivering or supporting the healthcare service provided. All organisations operate strict UK/EU compliant confidentiality, privacy, and data protection procedures. My Health Online Ltd has not and will never sell any patient data to third parties. Complaints People with concerns about privacy and data held by My Health Online Ltd should contact the data officer, Mr James O’Loan (email [email protected] ) in the first instance. If the response is not to your satisfaction you can make a complaint with the Information Commissioner’s Office. EU General Data Protection Regulation The EU General Data Protection Regulation (GDPR) is now a legal requirement in the UK. Compliance required by 25 May 2018 (date of enforcement). The GDPR includes the following rights for individuals:

• the right to be informed
• the right of access
• the right to rectification
• the right to erasure
• the right to restrict processing
• the right to data portability
• the right to object
• the right not to be subject to automated decision-making including profiling

If you wish to exercise any of these rights, please contact the data officer. Please note GDPR regulation provides exceptions to these rights in relation to health, where the retention of data is required for legitimate medical and legal reasons. Data security My BMI (My Health Online Ltd) uses high-level data encryption to ensure our customer’s data is not compromised in transit or ‘at rest’ on the server. Data entry and retrieval is encrypted using an SSL certificate provided by Cloudflare and secured by ComodoSSL, a leading SSL Certificate Authority. This ensures that no one else can read or change information as it travels over the internet. SSL certificates give users confidence they are interacting with a trusted website and their information is secure. SSL certificates trigger modern web browsers to display the name of an organisation (My Health Online Ltd) in green in the browser address bar and give details of the Certificate Authority (Cloudflare) that issued it. ComodoSSL uses an audited and rigorous authentication method, and browsers control the display of the green bar, making it difficult for phishers and counterfeiters to hijack the My BMI brand. Look for the green bar and locked padlock in your browser to indicate a secure and encrypted connection to www.my-bmi.co.uk. Our server software is continually monitored and updated by our hosting company Digital Ocean, an award-winning, government approved, provider. Personal online security Customers using the My BMI service take responsibility for their own personal online security. For advice please visit the Get Safe Online service.

• If your email account(s) is compromised it can be used to gain access to your My BMI online account; it cannot be used to gain access to your medical records. My BMI does not send sensitive personal details by email unless requested by the patient/customer, but it is recommended to delete any emails no longer needed.
• Use unique passwords, with a mix of numbers, letters (lower and uppercase), preferably at least 12 characters long.
• Change passwords regularly.
• Install anti-virus software on your computer and keep up-to-date.
• Keep the operating system and browser software up-to-date.
• Do not save passwords on the web browser on shared computers.
• Remember to log-out of your My BMI account when finished.
• Use a pin code or fingerprint ID to access your personal devices.
• Check your security and privacy settings on your browser, paying particular attention to the saving of websites visited.
• Carefully check the URL (shown in browser address bar) of any website you visit to determine it is authentic.

Older web browsers The www.my-bmi.co.uk website has phased out support for older web browsers due to potential vulnerabilities with browsers using TLS 1.0 protocol. We advise all users to upgrade to newer versions. To see if your web browser will be affected please visit this link. If you cannot access the page, then we advise upgrading your browser. PCI Compliant Customer’s payment card details are not stored on our servers (payment security). Personal and private information We fully understand our customers are concerned with the security of their personal and private data and we take every measure possible to ensure it is never at risk. My Health Online Ltd abides by the Data Protection Act – our Information Commissioner’s Office‘s Register Entry Report certificate registration number is  (renews  March annually). The new GDPR law which came into force in May 2018 and My Health Online Ltd is now compliant. Company structure My BMI is owned and operated by the UK registered company My Health Online Ltd. Company No12555647. . The registered office of the company: 71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ. Payment security The My BMI website uses Checkout.com Services, a leading independent Payment Service Provider, and to process credit and debit card payments. All sensitive payment card information is encrypted using the most sophisticated e-payment software available and is sent to the bank for instant authorisation via the Checkout.com Merchant Services network of payment gateways. Transactions normally take a few seconds to be processed and at no time are your payment card details at risk from cybercriminals. Data sharing policy Version 1.1: Feb 2021 Summary My Health Online Ltd is committed to the highest standards of data privacy and protection. We share your information with organisations as required solely for the purpose of processing your request for treatment and providing healthcare. This data sharing policy applies to My Health Online Ltd (the ‘data controller’) trading as My BMI. Who might have access to the personal data we collect? My Health Online Ltd has not and will never sell any patient data to third parties. The following organisations may process data provided by My Health Online Ltd solely for the purpose of providing or supporting the My Health Online Ltd healthcare service. All organisations operate strict UK/EU compliant confidentiality, privacy, and data protection procedures.

1. My Health Online Ltd staff. Data processed: full data access.
2. The Partner Pharmacy fulfilling patient orders. All pharmacies UK-based and GPhC registered. Data processed: name, address, gender, date of birth (DOB), telephone, email address, prescription details.
3. Delivery companies Royal Mail. Data processed: title/gender, name, address, telephone.
4. Doctor’s surgeries as requested by customers or required by My Health Online Ltd dispensing and sale of medication protocols and with patient’s consent. Data processed: title/gender, name, address, telephone, DOB, prescription details.
5. Digital Ocean – website hosting company (DO staff policy is not to access customer data). Data processed: all data.
6. Checkout.com – service used to process payments. Data processed: title/gender, name, email address, payment card details including payment card address.
7. Office365, One Drive, < >Google Analytics – used by My Health Online Ltd for email communications (Outlook), file & document storage, and website visitor statistics Data processed: email address, details sent by a patient/customer by email to My Health Online Ltd, and files sent by email. Internal My Health Online Ltd report documents may include anonymised patient details. Visitor statistics provided by Google Analytics include: types and versions of device, operating system, web browser, geographical country location of visitor, referring web page, gender and age range of visitor, search term used to find My Health Online Ltd website, IP address and network, pages visited on My Health Online Ltd websites, record of purchase.

8. 24x SMS SMS text sending service. Data processed: telephone number.

1. GPhC – UK healthcare regulators, when required for audit and inspection purposes. Data processed: full data access.
2. Police – official ‘Personal data requests’ from Police forces will be considered subject to GMC guidance on patient confidentiality. Data processed: as requested.

Sending personal data by email Customers or customers that send emails containing or requesting personal data to My Health Online Ltd consent to receive their personal data in a reply email sent to the ‘reply to’ email address of original, unless specifically requested to be supplied by some other method, by agreeing to this data sharing policy. Please note email is generally not considered a secure method to send confidential data. Please contact the Data Officer (email [email protected]) for any issues regarding your personal data. Cookie policy www.my-bmi.co.uk uses cookies and similar small bits of software to improve the performance and enhance the user experience of www.my-bmi.co.uk. The use of cookies is common practice on the majority of websites. Without these cookies, many of the functions required to enable our users to make purchases would not be available. We specifically do NOT use cookies to store sensitive details regarding consultations or medicine viewed or ordered. Consent By using the website, you have implied consent for the cookies listed below to be installed. www.my-bmi.co.uk is currently implementing a more comprehensive cookie policy in-line with ICO cookie regulation. What are cookies? Cookies are small text files which a website may put on your computer or mobile device’s website browser when you first visit a site or page. The cookie will help the website, or another third party website or online services such as Google Analytics or Facebook, to recognise your browser the next time you visit. Certain cookies contain personal information. Most cookies won’t collect information that identifies you personally, and will instead collect more general information such as how users arrive at and use the www.my-bmi.co.uk website or a user’s general geographical location. Further information on cookies and how to delete or block cookies on your browser. Cookies in use on this website

Name of cookie	Type of cookie	Expiry period	Reason for use	Level of privacy	Description
My BMI_User	Session cookie		Login	Medium	Once you have logged into a secure area of the website, this cookie is used to keep you logged in during your visit.
country_id	Persistent cookie	1 day	Order	Medium	Save your country reference when you create order
delivery_type	Persistent cookie	1 day	Order	Medium	Save your selected delivery type for order
discount_amount	Persistent cookie	7 days	Order	Medium	Save your discount amount for an order
discount_name	Persistent cookie	7 days	Order	Medium	Save your discount name for an order
message_visit	Persistent cookie	10 years	On-site user messages	Medium	Save user message settings for different pages
ysm_ + unique number	Session cookie		Order	Medium	To help measure the efficiency of our sales channels
PHPSESSID	Session cookie		Login	Medium	To keep the state of your session between page views
__utma	Persistent cookie	2 years	Analytics	Medium	This cookie is set by our analytics provider, Google Analytics.
__utmb	Persistent cookie	30 minutes	Analytics	Medium	This cookie is set by our analytics provider, Google Analytics
__utmc	Session cookie		Analytics	Medium	This cookie is set by our analytics provider, Google Analytics
__utmz	Persistent cookie	6 months	Analytics	Medium	This cookie is set by our analytics provider, Google Analytics

The Privacy Notice When you collect personal data from a data subject you must provide the data subject with relevant information; the Privacy Notice. This should be available on the pharmacy premises, for example, in a poster or the practice leaflet, and, if appropriate, on the website; and you should draw the attention of new customers to the Privacy Notice. Draft shorter and longer forms of notice are as follows. My BMI of 71-75 Shelton Street, Covent Garden, London, England, WC2H 9JQ–  PRIVACY NOTICE We process your personal data, which includes your name, contact details, prescription medicines. Your care – providing  services and care to you and, as appropriate, sharing your information with your GP and others in the wider NHS; We process your personal data in the performance of a task in the public interest, for the provision of health care and treatment and the management of healthcare systems. A pharmacist is responsible for the confidentiality of your information. You may object to us holding your information. You may also lodge a complaint with the Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF. Please ask if you want more information. Our Data Protection Officer is James O’Loan- [email protected]