1. Introduction
This Privacy Policy sets out how we collect and process your personal data and explains your rights in relation to your personal data. Your privacy is very important to us. For the purposes of applicable data protection legislation, we are the controller of the personal data provided to us or collected by us.
We are Nell Health ltd. of 3.08 The Food Exchange, New Covent Garden Market, SW8 5EL, London. If you have any questions about this Privacy Policy or wish to exercise any of your rights in relation to your personal data, you can contact us at this address or by email to info@nellhealth.com.
We reserve the right to update this Privacy Policy from time to time at our discretion. If we do so, and the changes substantially affect your rights or obligations, we shall notify you if we have your email address. Otherwise, you are responsible for regularly reviewing this Privacy Policy so that you are aware of any changes to it.
2. Collecting Personal Data
By personal data we mean identifiable information about you, such as your name, email address, gender, age, mobile and home telephone number and your IP address.
If you purchase a report from us, personal data also includes information about your health, including your DNA and/or information about your blood. This is a special category of personal data under applicable data protection legislation, and we process such personal data because it is necessary for the purposes of preparing the report you have requested.
Information you provide to us
From time to time you may provide to us personal data. This may be because you wish to:
- use our website;
- purchase a report from us;
- complete our consent form in relation to the use of your mouth swab sample;
- complete our online form to Contact Us;
- apply for a job with us;
- provide services to us; or
- otherwise contact us including with queries, comments or complaints.
You may provide personal data to us directly, or to us through our social media platforms. We will collect personal data about you when we analyse the sample you provide to us and prepare the report.
We shall process all such personal data in accordance with this Privacy Policy. Certain personal data is mandatory to be provided to us in order that we can fulfill your request for example provide a report or other services to you and we shall make this clear to you at the point of collection of the personal data.
All personal data that you provide to us must be true, complete and accurate. At our request, you shall promptly provide evidence of your identity.
If you order a report for someone else, you must have their consent to provide their personal data to us for the purposes of preparing the report.
If you provide us with inaccurate or false data, and we suspect or identify fraud, we will record this and we may also report this.
When you contact us by email or post, we may keep a record of the correspondence and we may also record any telephone call we have with you.
Information we automatically collect about you
When you use our website, we automatically collect and store information about your device and your activities. This information could include:
- technical information about your device such as type of device, web browser or operating system;
- your preferences and settings such as time zone and language; and
- how you arrived at our site, how long you used the website and which services and features you used.
This analytics data, collected via a JavaScript tag in the pages of our site, is not tied to personally identifiable information. We use Google Analytics https://www.google.com/analytics/ for this purpose.
Some of this information is collected using cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why, and how you can control them, please see our Cookies Policy.
Information we receive from others
If someone else has ordered a genetics report for you, we will receive your personal data from that person. However, please note that we shall not prepare that report unless we receive a consent form completed by you.
If we reasonably believe that any of the personal data you have provided to us is inaccurate, we may receive further personal data from third parties confirming or otherwise, your identity.
We will receive personal data about you from the laboratories that prepare the reports for us.
We may also receive personal data about you from our payment providers and our website security service partners.
3. Lawful use of your personal data
We will only use your personal data where we have a lawful basis to do so. The lawful purposes that we rely on under this Privacy Policy are:
- consent (where you choose to provide it);
- performance of our contract with you;
- compliance with legal requirements; and
legitimate interests. When we refer to legitimate interests we mean our legitimate business interests in the normal running of our business which do not materially impact your rights, freedom or interests.
The main reason that we use personal data is to prepare and then to provide you with a report in accordance with the Nell Terms of Use. We may contact you with further information about the report from time to time, particularly if you have any queries in relation to the content or meaning of your report.
We may from time to time need to use your personal data to comply with any legal obligations, demands or requirements, for example, as part of anti-money laundering processes or to protect a third party's rights, property, or safety. We would not, however, expect to use your report in this way.
We may also use your personal data for our legitimate interests including to improve our services and in connection with, or during negotiations of, any merger, sale of assets, consolidation or restructuring, financing, or acquisition of all or a portion of our business by or into another company; to deal with any customer services you require; for audit purposes and to contact you about changes to this Privacy Policy.
We may test your sample and use the results of your report on an anonymous basis for our research and analytics. This helps us to continue to improve our services.
4. Who do we share your data with?
We will only send a report to the individual who has completed the consent form.
For our legitimate interests, we will share limited personal data with our laboratories to prepare the report. For our genetic tests, we will use ID numbers as individual identifiers to protect the privacy of our clients.
For our legitimate interests, we may also share your personal data with any other service providers, sub-contractors and agents that we may appoint to perform functions on our behalf and in accordance with our instructions, including payment providers, IT service providers, accountants, auditors and lawyers.
We shall provide our laboratories, service providers, sub-contractors and agents only with such of your personal data as they need to provide the service for us and if we stop using their services, we shall request that they delete your personal data or make it anonymous within their systems.
Nell may partner with expert organisations to deliver support programmes including, amongst others, dietitians and personal trainers. In these cases, you will be made aware of who our partners are. Nell will not share any data with partners without your consent. To enable a personalised service, with your consent, Nell will share your report and lifestyle questionnaire responses with partners. Nell will not share any genetics data with partners. To help us improve our support programmes, partners may share data related to your health goals and progress against these goals with us.
5. Where we hold and process your personal data
Some or all of your personal data may be stored or transferred outside of the European Economic Area (the EEA) for any reason, including for example, if our email server is located in a country outside the EEA or if any of our service providers are based outside of the EEA
Where your personal data is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data or to a third party where we have approved transfer mechanisms in place to protect your personal data – i.e., by entering into the European Commission's Standard Contractual Clauses, or by ensuring the entity is Privacy Shield certified (for transfers to US-based third parties).
We do use the services of companies who are not located in the EEA. We are only using the services of providers who are recognised as market leaders in their field. This includes but is not limited to the following organisations. All of these organisations have subscribed to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (collectively, "Privacy Shield ").
- Google - Google's Cloud Platform for the cloud storage of data, Google Analytics, GSuite email, GDrive
- MailChimp - for the secure transmission of marketing emails
- Sendgrid - for the secure transmission of emails from our booking system
- Squarespace - for the hosting of our website
- Stripe - payment services
6. Security
We shall process your personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. In particular, access is restricted to employees who need to know your personal data, and we use appropriate password protection and appropriate strong encryption electronic measures within our electronic data management systems.
Where you have set up a password to access certain areas of the website, please make sure you keep this secure.
However, unfortunately, because of the nature of electronic storage, we cannot promise that your personal data will always remain secure. If there is a security breach, we will do all that we can as soon as we can to stop the breach and minimise the loss of any data.
7. Marketing
You may consent to receive marketing email messages from us. You can choose to no longer receive marketing emails from us by contacting us or clicking unsubscribe from a marketing email. Please note that it may take us a few days to update our records to reflect your request.
We shall therefore retain your personal data in our records for marketing purposes until you notify us that you no longer wish to receive marketing emails from us.
8. Cookies
We use a number of different cookies on our site. If you do not know what cookies are, or how to control or delete them, then we recommend you visit https://www.aboutcookies.org for detailed guidance.
The following describes the cookies we use on this site and what we use them for. Currently we operate an ‘implied consent' policy which means that we assume you are happy with this usage. If you are not happy, then you should either not use this site, or you should delete Nell Health cookies having visited the site, or you should browse the site using your browser's anonymous usage setting (called "Incognito " in Chrome, "InPrivate" for Internet Explorer, "Private Browsing" in Firefox and Safari etc.). If you block cookies, for the most part the websites should continue to operate normally, however there may be some areas where you may not be able to take full advantage of the website's functionality.
You can disable Cookies in your web browser. Information can usually be found in your Web Brower's help section.
9. Persistent cookies for site performance & analytics
Google Analytics – we use this to understand how the site is being used in order to improve the user experience. User data is all anonymous. You can find out more about Google's position on privacy with regards to its analytics service at
https://www.google.co.uk/intl/en/analytics/privacyoverview.html.
10. Social Buttons.
On our websites you may see 'social buttons'. These enable users to share or bookmark the web pages. In order to
implement these buttons, and connect them to the relevant social networks and external sites, there are scripts from
domains outside of Nell Health. You should be aware that these sites are likely to be collecting information about what
you are doing all around the internet, including on Nell Health's site. So if you click on any of these buttons, these
sites will be registering that action and may use that information. In some cases these sites will be registering the
fact that you are visiting https://nellhealth.com
and the specific pages you are on, even if you don't click on the button
if you are logged into their services, like Google and Facebook. You should check the respective policies of each of
these sites to see how exactly they use your information and to find out how to opt out, or delete, such information.
11. External Web Services
We use a number of external web services on the Nell Health websites, mostly to display content within our web pages. For example to show videos we may use YouTube. This is not the only service we use, or might use in the future, when embedding content, but it is the most common. As with the social buttons we cannot prevent these sites, or external domains, from collecting information on your usage of this embedded content. If you are not logged in to these external services then they will not know who you are but are likely to gather anonymous usage information e.g. number of views, plays, loads etc.
12. Email Tracking
Most standard emails that we send you have no tracking in at all. We use Mailchimp for our marketing emails. Some marketing and all platform emails we track, at an individual level, whether the user has opened and clicked on the email. We rarely use the latter information at a personal level, rather we use it to understand open and click rates on our emails to try and improve them. If you want to be sure that none of your email activity is tracked then you should opt out of Nell Health's marketing emails which you can do at the bottom of every email you receive.
13. Surveys and Contests
From time to time our site may request information from users via surveys, contests or for a particular service (e.g. newsletter). Participation in these surveys or contests is completely voluntary and the user therefore has a choice whether or not to disclose this information. Information requested will include contact information (as supplied to the site during registration) and supplementary information on your interests, opinions and preferences (e.g. feedback on the Nell Health service). We will use the contact information to notify winners. We will not publish winners' details on the site though on request we will provide details of any winner's name. If the survey or contest has a sponsor then we may share information given by entrants with the sponsor, but only with the user's consent.
14. Payment Processing
In order to process payments online our external payment provider, Stripe, requires your credit card details. For details of how this information is used, please see https://stripe.com/gb/privacy.
15. Your rights
You have a number of rights under applicable data protection legislation. Some of these rights are complex, and not all of the details have been included below. Further information can be found here
- Right of access: You have the right to obtain from us a copy of the personal data that we hold for you.
- Right to rectification: You can require us to correct errors in the personal data that we process for you if it is inaccurate, incomplete or out of date.
- Right to portability: You can request that we transfer your personal data to another service provider.
- Right to restriction of processing: In certain circumstances, you have the right to require that we restrict the processing of your personal information.
- Right to be forgotten: You also have the right at any time to require that we delete the personal data that we hold for you, where it is no longer necessary for us to hold it. However, whilst we respect your right to be forgotten, we may still retain your personal data in accordance with applicable laws.
- Right to stop receiving marketing information: You can ask us to stop sending you information about our services, but please note we shall continue to contact you in relation to any matters relating to your report.
We reserve the right to charge an administrative fee if your request in relation to your rights is manifestly unfounded or excessive.
If you have any complaints in relation to this Privacy Policy or otherwise in relation to our processing of your personal data, please tell us. We shall review and investigate your complaint and try to get back to you within a reasonable time. You can also contact the Information Commissioner, see https://ico.org.uk/ or if you are based outside of the United Kingdom, please contact your local regulatory authority
16. Retention of personal data
Subject to the provisions of this Privacy Policy, we will retain personal data in accordance with applicable laws and industry practice in the health sector.
All test reports are stored in a secure and encrypted environment. Any sample you provide to us will be retained for up to 3 months, but you can contact us at any time to ask us to destroy it and we shall do so.
We endeavour to keep personal data only for as long as is necessary. However, we have legitimate interests for retaining your personal data after we have sent the report including:
- to deal with any follow up queries or questions that you might have;
- to establish, exercise or defend any legal claim that may arise.
We may also be required to retain personal data for a particular period of time to comply with legal, auditory or statutory requirements, including requirements of HMRC in respect of financial documents.
Please note that if you ask us to remove you from our marketing list, we shall keep a record of your name and email address to ensure that we do not send to you marketing information.
17. General
If any provision of this Privacy Policy is held by a court of competent jurisdiction to be invalid or unenforceable, then such provision shall be construed, as nearly as possible, to reflect the intentions of the parties and all other provisions shall remain in full force and effect.
This Privacy Policy shall be governed by and construed in accordance with English law and you agree to submit to the exclusive jurisdiction of the English Courts.
Last updated: February 2019