Our Privacy Policy

This Privacy Notice is designed to help you understand how CheqUp Health Limited collects, uses, and protects your personal data, and what your legal rights are. This website is not intended for children under the age of 18. We do not knowingly collect data relating to children and our services require age verification as part of our onboarding process. If there is anything in this notice you do not understand, or if you wish to ask any questions, please contact us using the details in Section 12. This notice covers our activities as a Data Controller for data associated with our staff, customers, and patients who choose or are referred to our services. It should be read alongside our Terms and Conditions and any other privacy or fair processing notices we may provide on specific occasions.

1. Who We Are. Full legal name: CheqUp Health Limited. Registered company number: 12570252. Registered pharmacy (GPhC No. 9012707). Email: help@chequp.com. Postal address: Turnpike House, Methuen Park, Chippenham, Wiltshire, SN14 0GF. CheqUp Health Limited is the Data Controller responsible for your personal data. We are a registered pharmacy with the General Pharmaceutical Council (GPhC No. 9012707) and are subject to the legal and regulatory obligations that apply to registered pharmacies, including the Human Medicines Regulations 2012 and GPhC standards. You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). We would, however, appreciate the opportunity to address your concerns first — please contact us in the first instance. Definitions: Controller — the entity that determines the purposes and means of processing personal data. CheqUp Health Limited is the Controller. Data Protection Laws — the UK GDPR and the Data Protection Act 2018. UK GDPR — the retained UK law version of the General Data Protection Regulation (EU) 2016/679. Special Category Data — personal data revealing racial or ethnic origin, health data, biometric data, and other categories afforded heightened protection under UK GDPR Article 9. Cookies — small text files placed on your device when you visit our website. UK and EU Cookie Law — the Privacy and Electronic Communications (EC Directive) Regulations 2003.

2. Why We Collect and Process Personal Data. We collect personal data for the following purposes: to manage our business and staff; to maintain professional relationships with customers and prospective customers; to provide clinical and pharmacy services, including assessing eligibility for prescription-only medication, prescribing, and dispensing; to verify the identity of patients accessing prescribing services, using our third-party identity verification provider, Persona Identities, Inc.; to fulfil orders for non-prescription products, including food supplements; to improve our services and evaluate their effectiveness; and to comply with our legal and regulatory obligations as a registered pharmacy. We only collect personal data where it is necessary for these purposes and where we have a lawful basis to do so under the Data Protection Laws.

3. The Data We Collect. We may collect the following categories of personal data: Identity Data (first name, last name, username, title, date of birth, gender); Verification Data (information collected during identity verification, including identity document images, selfie, photo, video and liveness check data, device and technical identifiers, and the outcome of the verification process — this may include biometric data where you have given explicit consent); Contact Data (billing address, delivery address, email address, telephone numbers); Financial Data (payment card details, processed securely by our payment provider); Transaction Data; Technical Data (IP addresses, login data, browser type, time zone, plug-ins, OS); Profile Data (username, password, purchase history, preferences, feedback); Usage Data; Marketing and Communications Data. Special Category Data — where you engage with our clinical or pharmacy services and have given us consent, we collect: health information (weight, height, BMI, and medical history); ethnicity (used solely to apply the correct clinical eligibility threshold per NICE guidelines); biometric data (a scan of facial geometry, processed by Persona for identity verification, where you have provided explicit consent); body measurement data (photographs and video footage to support clinical assessment of BMI and physical health, reviewed by qualified healthcare professionals). We do not collect information about criminal convictions or offences. We do not require Special Category Data for supplement-only purchases. We do not currently use automated or algorithmic processing to analyse body measurement data; if we introduce such processing in future, we will update this notice and seek any additional consents required.

4. How We Collect Your Data. Direct Interactions: you may provide data directly when you enquire about or sign up to our weight loss services; complete our weight loss or clinical questionnaire; create an account or access our online portal; purchase supplements or other non-prescription products; request marketing communications; or contact us with feedback or queries. Automated Technologies: as you interact with our website, we may automatically collect Technical Data using cookies, server logs, and similar technologies — see our Cookie Policy at https://chequp.com/cookie-policy/ for details. Third Parties: we may receive personal data from analytics providers and search information providers (Technical Data); payment and delivery service providers (Contact, Financial, and Transaction Data); and Persona (Verification Data), where you complete identity verification as part of accessing our prescribing and pharmacy services.

5. How We Use Your Personal Data. We use your personal data only where the law permits. Our primary lawful bases are: Performance of a Contract (Article 6(1)(b)) — to deliver our services, including consultations, prescribing, dispensing, and fulfilment of orders. Legal Obligation (Article 6(1)(c)) — to comply with pharmacy regulations, including the Human Medicines Regulations 2012 and GPhC requirements. Legitimate Interests (Article 6(1)(f)) — to improve patient care, service quality, and operational efficiency. Consent (Article 6(1)(a) and Article 9(2)(a)) — for Special Category Data, including health data and biometric data. Legal Basis for Health Data: Article 6(1)(c) Legal Obligation (to retain patient records); Article 6(1)(f) Legitimate Interests (to store and analyse patient data to provide effective healthcare); Article 9(2)(h) Healthcare Provision (to collect and process medical information to assess suitability for medication and ensure patient safety). Biometric Data and Identity Verification: where you are required to complete identity verification, we use Persona. Before you are directed to Persona’s platform, we will present you with a separate, explicit consent step. You must provide this consent before we proceed. Eligibility Screening: we use a rules-based eligibility screening process to assess whether the information you have provided suggests you may qualify for weight management treatment, based on clinical criteria including BMI thresholds and medical history. This initial screen follows NICE clinical guidelines — it is not a final clinical decision. Supplements and Non-Prescription Products: when you purchase supplements, we process your data on Article 6(1)(b) and 6(1)(f) bases. Supplement purchases do not involve medical consultation, prescribing, or healthcare provision. We do not routinely collect Special Category Data for supplement-only purchases.
Marketing: we will only send you marketing communications where you have explicitly consented. You can withdraw consent at any time.

6. Who We Share Your Data With. We share personal data only where necessary and with appropriate safeguards. We require all third parties to respect the security of your data and to comply with applicable data protection law. Service Providers and Partners: Persona (identity verification) acts as our data processor. Medical practitioners: doctors and clinicians who provide medical oversight and prescribing services. Nutrition and physical activity practitioners: who may provide dietary and exercise information to support your care. WeightWatchers: where you choose to connect your CheqUp account with the WW nutrition app, we will share your CheqUp customer ID, full name, and email address with WeightWatchers to link your accounts. This sharing occurs only at your request. We do not share any health, medication, or clinical information with WeightWatchers. Payment, delivery, and technical service providers: to process payments and fulfil orders. Regulatory and Healthcare Authorities: including the General Pharmaceutical Council, Care Quality Commission, and NHS England, where legally required. Healthcare professionals involved in your care and oversight. Pharmacy partners: where your medication is dispensed by another licensed pharmacy, we share only the information necessary to fulfil your prescription. Business Transfers: in the event that we sell or reorganise our business, we may transfer personal data to a new provider, ensuring your interests are protected. Non-Prescription Products: for supplement orders, we may share limited personal data with suppliers, manufacturers, warehouses, payment providers, and delivery partners solely for fulfilment. We do not sell personal data or share personal health data with third parties for marketing or commercial purposes.

7. Where Your Data Is Stored. We use DigitalOcean, OVH Cloud, and Google Cloud Platform (GCP) to store data securely. These services store data within the United Kingdom. We are currently migrating our primary database from OVH Cloud to GCP; during and following this migration, all data continues to be held within the UK. Where you complete identity verification, Verification Data is processed by Persona on our behalf. Persona may store and process this data outside the UK, primarily in the United States and Germany. See Section 8 for details of the safeguards in place for these international transfers.

8. International Transfers. Some of your personal data may be transferred and processed outside the UK where we use service providers that operate internationally. Where this occurs, we ensure that appropriate safeguards are in place. In particular, Verification Data processed by Persona may be stored and processed in the United States and Germany. For transfers to the United States, we rely on the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, as applicable, to ensure your data receives the same level of protection as it does in the UK. We will only transfer personal data to countries that have been deemed to provide an adequate level of protection by the UK, or where appropriate contractual safeguards are in place.

9. How Long We Keep Your Data. We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Retention periods:
Clinical and prescription records — 8 years from last interaction.
Identity verification data (PII) via Persona — 3 years from date of verification.
Identity verification data (outcome only, non-PII) — 8 years.
Supplement and non-prescription purchase data — 6 years from transaction date.
Marketing consent records — 6 years from date of withdrawal of consent.
Active marketing data following unsubscribe — deleted within 30 days of unsubscribe.
Website analytics and technical data — 26 months.
Raw server logs — 90 days.
Prospective customers (enquired but did not purchase) — 12 months from last interaction.
Staff personal data — 6 years post-employment.
Right to Erasure: you have the right to request deletion of your personal data. Where your data is subject to a mandatory retention period (for example, prescription records retained under the Human Medicines Regulations 2012), we will acknowledge your request and restrict processing for non-essential purposes such as marketing. We will securely delete or anonymise your data once the applicable retention period has expired.

10. Data Security. We have implemented appropriate technical and organisational security measures designed to protect your personal data against accidental loss, unauthorised access, alteration, or disclosure. Your data is stored in encrypted databases located within the UK, and access is strictly limited to authorised healthcare professionals and staff on a need-to-know basis. We regularly review our security controls to guard against unauthorised access, data breaches, and unlawful processing. Where we engage third-party service providers who process data on our behalf, we ensure that appropriate data processing agreements and technical and organisational security measures are in place. In the event of a personal data breach, we will follow our breach response procedures, including notifying the ICO within 72 hours where required by law, and notifying affected individuals where appropriate.

11. Your Rights. Under UK data protection law, you have the following rights in relation to your personal data:
Right of Access — you may request a copy of the personal data we hold about you.
Right to Rectification — if the data we hold about you is inaccurate or incomplete, you may ask us to correct it.
Right to Erasure — you may ask us to delete your personal data, subject to our legal retention obligations (see Section 9).
Right to Restriction of Processing — you may ask us to restrict how we use your data in certain circumstances.
Right to Data Portability — you have the right to receive personal data you have provided to us in a structured, commonly used, machine-readable format, and to have that data transferred to another provider of your choosing.
Right to Object — you have the right to object to processing of your personal data carried out on the basis of legitimate interests, including for direct marketing.
Right to Withdraw Consent — where we process your data on the basis of consent, you may withdraw consent at any time.
Right to Complain — if you are unhappy with how we have handled your data, you have the right to complain to the ICO at www.ico.org.uk or by calling 0303 123 1113.
We will not charge a fee for responding to your request unless it is clearly unfounded, repetitive, or excessive. We will aim to respond to all legitimate requests within one month.

12. Contact Us. If you wish to exercise any of your rights, or if you have any questions about this privacy notice or how we handle your data, please contact us: CheqUp Health Ltd, Turnpike House, Methuen Park, Chippenham, Wiltshire, SN14 0GF. Email: help@chequp.com. Data Protection Officer: Toby Nicol. For data protection queries, please email help@chequp.com with the subject line “FAO Data Protection Officer”. We may need to collect some personal data in order to respond to your queries. We will use this information only to respond to your request, provide relevant services, process orders, administer our obligations to you, or resolve issues with services supplied to you. We do not share this information with any other party.

13. Third-Party Websites. This notice applies to CheqUp Health Ltd only. Our website may contain links to third-party websites, plug-ins, and applications. We are not responsible for the privacy practices of those sites. When you leave our website, we encourage you to read the privacy notice of every site you visit.

14. Changes to This Notice. We may update this privacy notice from time to time. Where we make material changes, we will notify you by email or through a prominent notice on our website. The date at the top of this notice reflects when it was last updated. It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us.