Privacy Policy

Genwell Health – Client Privacy Policy

Last updated: 05 March 2026

Introduction

This Privacy Policy describes how we will collect, use, share and otherwise process your personal data in connection with your use of:

  • Our website at genwell.co.uk (Website).
  • The Genwell Health mobile application software available via the Apple App Store and Google Play (App).
  • Any of our services that are accessible through the Website or App (Services).

We treat your personal data with care and confidentiality. We collect only what is necessary and never sell your personal data. We comply with the common law duty of confidentiality for client information.

The App and Services are not intended for children (users must be 18+) and we do not knowingly collect data relating to children.

Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

Important information and who we are

Genwell Health Ltd is the controller and is responsible for your personal data (Genwell, we, us or our in this Privacy Policy).

We have appointed a Data Protection Officer (DPO). If you have any questions about this Privacy Policy, please contact them using the details set out below.

Contact details

Our full details are:

  • Full name of legal entity: Genwell Health Ltd
  • Privacy lead: our DPO (Data Privacy Services)
  • Email address: info@dataprivacyservices.co.uk
  • Postal address: Genwell Health Ltd, 3rd Floor, 86–90 Paul Street, London, EC2A 4NE, United Kingdom

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (in line with our Complaints Policy).

The data we collect about you

Personal data means any information about an individual from which that person can be identified.

We collect, use, store and transfer different kinds of personal data about you. To make it easier for you to use this Privacy Policy, we group these into the following categories. Each of these categories is described in more detail at the “Description of categories of personal data” section at the end of this Privacy Policy.

  • Identity Data.
  • Contact Data.
  • Profile Data.
  • Health Data.
  • Audio/Visual Data.
  • Financial Data.
  • Transaction Data.
  • Device Data.
  • Content Data.
  • Usage Data.
  • Security Data.
  • Cookies Data.
  • Direct Marketing Data.
  • Feedback Data.
  • Personalisation Data.

We will collect data relating to criminal offences through the measures we take to secure and protect our Website, App and users. Further details can be found at the “Criminal offence data” section below.

We also collect, use and share aggregated data such as statistical or demographic data, which is not personal data, as it does not directly (or indirectly) reveal your identity. For example, we may aggregate individuals' Usage Data to calculate the percentage of users accessing a specific Website or App feature in order to analyse general trends in how users are interacting with our Website or App, to help improve the Website, App and our Services.

How is your personal data collected?

We collect your personal data in the following ways:

  • Registration. We collect your Identity, Contact, Profile, Financial, Transaction, and (optionally) Direct Marketing Data when you register your account with us.
  • Assessments. We collect your Health and Audio/Visual Data when conducting eligibility checks for our Services and in order for our doctors and other healthcare professionals to provide you with the most suitable care plan. This includes the initial eligibility check we conduct upon registration.
  • Communications. When you communicate with us via email, telephone, one of our online forms or chat we collect your Contact Data. If you contact us through the App using the chat function, we also collect Device and Cookies Data to operate our chat function and respond to your messages. If the communication relates to an error or problem you are having with the Website, App or one of our Services, we will also collect Usage Data for diagnosis and improvement.
  • Information you generate when using our Website, App and Services. Each time you access and use our Website, App or Services we collect Content, Device, Cookies, Personalisation and Usage Data. We collect Content Data where you upload it to the App or interact with the content available on the App. We collect Device, Cookies, Personalisation and Usage Data using cookies and other similar technologies. Please see our Cookie Policy for further details.
  • Information we collect through monitoring the use of our Website, App and Services. Each time you access and use our Website, App and Services we collect information about that access and use, being Device, Content, Cookies, and Usage Data.
  • Direct Marketing. We collect and record Direct Marketing Data when we add you to our marketing database, you request to change your direct marketing preferences, or you interact with our direct marketing communications.
  • Information we receive from third parties. We will receive personal data about you from the third parties set out below:
      • Health Data from your General Practitioner (GP), the NHS or your employer, where such third party refers you to us;
      • Device and Cookies Data from analytics providers (such as PostHog, based outside the UK); and
      • Contact, Financial and Transaction Data from providers of technical, payment and delivery services (such as Stripe, based outside the UK).

Cookies

We use cookies (small files placed on your device) on our Website and App to improve your experience and the development of our Website, App and Services. For detailed information on the cookies we use, the purposes for which we use them and how you can exercise your choices regarding our use of your cookies, see our Cookie Policy.

Refusing/withdrawing consent to cookies will not affect your access to the core clinical service (although some analytics-driven personalisation may be unavailable in the App).

How we use your personal data

We will only use your personal data when we have a lawful basis to do so. Our lawful basis for each purpose for which we use your personal data is specified below. Most commonly, we will use your personal data in the following circumstances:

  • Consent. Where you have freely consented before the processing in a specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by using our cookie banner or contacting us (see “Your legal rights” section below).
  • Performance of a contract. Where we need to process your personal data to perform a contract with you or where you ask us to take steps before we enter into a contract with you. Where we rely on performance of a contract and you do not provide the necessary information, we will be unable to perform your contract.
  • Legitimate interests. Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
  • Legal obligation. Where we need to use your personal data to comply with a legal or regulatory obligation. Where we rely on legal obligation and you do not provide the necessary information, we may be unable to fulfil a right you have or comply with our obligations to you, or we may need to take additional steps, such as informing law enforcement or a public authority or applying for a court order.

Providing our Website, App and Services (including purchases you make on them)

Purpose or activity: To register you as a new client and permit you to install the App
Type of personal data: Identity Data; Contact Data; Profile Data; Financial Data; Transaction Data; Device Data
Lawful basis for processing: Performance of a contract

Purpose or activity: To provide you with the App and personalise it for you
Type of personal data: Identity Data; Device Data; Personalisation Data
Lawful basis for processing: Performance of a contract

Purpose or activity: To take steps towards providing you with the goods and services that you request, to process and fulfil orders/purchases and deliver goods and services to you, including managing payments and sending you service communications
Type of personal data: Identity Data; Contact Data; Financial Data; Transaction Data; Device Data
Lawful basis for processing: Performance of a contract

Purpose or activity: To enforce our terms and conditions, including to collect money owed to us
Type of personal data: Identity Data; Contact Data; Transaction Data
Lawful basis for processing: Legitimate interests (to recover debts due to us)

Direct marketing

Purpose or activity: To send you direct marketing communications via email and/or push notification
Type of personal data: Identity Data; Contact Data; Device Data; Direct Marketing Data
Lawful basis for processing: Consent

Troubleshooting, improvement and security

Purpose or activity: To administer, monitor and improve our business, Services, Website and App, including troubleshooting, data analysis, system testing and maintenance
Type of personal data: Identity Data; Contact Data; Device Data; Usage Data
Lawful basis for processing: Legitimate interests (running our business, provision of administration and IT services, network security, maintaining the security of our Website, App and Services, providing a secure service to users and preventing fraudulent and other misuse of our Website and App)

Purpose or activity: Applying security measures to our processing of your personal data, including processing in connection with the Website and App
Type of personal data: All personal data under this Privacy Policy
Lawful basis for processing: Legal obligation (applying appropriate technical and organisational measures under Article 32 of the UK GDPR)

Purpose or activity: Otherwise monitoring use of the Website and App and deploying appropriate security measures
Type of personal data: Contact Data; Security Data; Transaction Data
Lawful basis for processing: Legitimate interests (running our business, provision of administration and IT services, network security, maintaining the security of our Website, App and Services, providing a secure service to users and preventing fraudulent and other misuse of our Website and App)

Legal compliance

Purpose or activity: To comply with our other legal obligations, including compliance with tax and medical legislation and with requests from judicial, law enforcement and government authorities
Type of personal data: All personal data under this Privacy Policy
Lawful basis for processing: Legal obligation

Cookies

Purpose or activity: To deploy and process personal data collected via Cookies that are strictly necessary, as set out in our Cookie Policy
Type of personal data: Cookies Data
Lawful basis for processing: Legitimate interests (delivering and securing the App and our Services)

Purpose or activity: To deploy and process personal data collected via Cookies that are not strictly necessary, as set out in our Cookie Policy
Type of personal data: Cookies Data
Lawful basis for processing: Consent

Other communications

Purpose or activity: To notify you of changes to the Website, App, Services, your purchases and our terms and conditions
Type of personal data: Identity Data; Contact Data
Lawful basis for processing: For ongoing or prospective contracts, Performance of a contract; otherwise, Legitimate interests (in servicing our users and prospective users)

Purpose or activity: To notify you of updates to this Privacy Policy
Type of personal data: Identity Data; Contact Data
Lawful basis for processing: Legal obligation (to inform you of our processing under Articles 13 and 14 of the UK GDPR)

Purpose or activity: To respond to your requests to exercise your rights under this Privacy Policy
Type of personal data: As relevant to your request
Lawful basis for processing: Legal obligation (complying with data subject requests under Chapter 3 of the UK GDPR)

Purpose or activity: To ask you to complete a feedback survey and process your responses
Type of personal data: Identity Data; Contact Data
Lawful basis for processing: Legitimate interests (to analyse how users use our products or Services and to develop them and grow our business), unless you have previously opted out, in which case we will rely on Consent

Purpose or activity: To otherwise respond to your enquiries, fulfil your requests and contact you where necessary (including via the chat function in the App or when you contact our customer support team)
Type of personal data: As relevant to your enquiry or request
Lawful basis for processing: Legitimate interests (servicing our users and prospective users)

Automated decision making and profiling

We do not make decisions (including any clinical decisions) based solely on automated processing or profiling that produce legal effects concerning you (or have similarly significant effects).

We do use a service provider to conduct a fraud/identity risk check on our behalf in order to protect our Services. This may involve an automated decision but does not produce a legal or similarly significant effect on you. Contact us using the details under the “Contact details” section above to request human review if you believe an automated assessment was made in error.

Criminal offence data

We do not intentionally collect criminal offence data about you. However, we may process data relating to criminal offences when monitoring the use of our Website and App for security purposes, where we suspect you may have committed a crime, such as attempting to make a fraudulent purchase or claim or to circumvent the security of the Website, App or Services. In such circumstances, we will provide that information to law enforcement and/or use it to establish, exercise or defend a legal claim. Depending on the type of activity and purpose, we will rely on legitimate interests (protecting our business, employees and other users) and legal obligation (where we are required by law, a court or law enforcement to disclose or process that information). UK law authorises that processing under the Data Protection Act 2018. Although the appropriate authorisation will depend on the circumstances of each case, monitoring for criminal behaviour in the use of our Website and App is carried out in the substantial public interest (preventing or detecting unlawful acts), and processing information related to suspected criminal activity for legal claims is permitted under the additional condition of legal claims.

Special categories of personal data

Given the nature of our Services, we do process the following special categories of personal data about you.

Purpose or activity: To register you as a new client and conduct an eligibility check for our Services
Type of personal data:
  • Health Data. Specifically: your height, weight, waist circumference and personal health goals; any current medications; details of any relevant medical conditions, including allergies. Potentially, depending on eligibility: medication dosage and prescription, including lab test results (e.g. cholesterol, HbA1c, sleep study reports).
  • Audio/Visual Data. Specifically: pictures/videos of your body.
  • Identity Data. Specifically: your ethnic background.
Lawful basis for processing: Performance of a contract, and health or social care purposes under Art. 9(2)(h) of the UK GDPR
Processing condition: Health or social care purposes under Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018

Purpose or activity: To conduct an identification verification check as part of registering you as a new client
Type of personal data: Identity Data (specifically: your ID, such as passport or driving licence); Contact Data (this is not special category data)
Lawful basis for processing: Consent
Processing condition: –

Purpose or activity: To provide the clinical and wellness aspects of our Services to you (including doctor and other healthcare professional appointments, curating your care plan and prescribing medicines)
Type of personal data: Health Data; Audio/Visual Data
Lawful basis for processing: Performance of a contract, and health or social care purposes under Art. 9(2)(h) of the UK GDPR
Processing condition: Health or social care purposes under Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018

Purpose or activity: Combining the information we collect about you to create and maintain a single Electronic Health Record (EHR)
Type of personal data: Health Data; Identity Data (specifically: your ethnic background); Contact Data (this is not special category data)
Lawful basis for processing: Performance of a contract, and health or social care purposes under Art. 9(2)(h) of the UK GDPR
Processing condition: Health or social care purposes under Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018

Purpose or activity: To aid you in managing your personal health goals in the App
Type of personal data: Health Data (specifically: personal health goals/milestones you add to the App). This is voluntary and not required by us to deliver the App or our Services.
Lawful basis for processing: Legitimate interests (to deliver a more personalised service to you), and health or social care purposes under Art. 9(2)(h) of the UK GDPR
Processing condition: Health or social care purposes under Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018

Purpose or activity: To prevent serious harm to yourself or others in an emergency situation
Type of personal data: Health Data; Identity Data (specifically: your ethnic background); Contact Data (this is not special category data)
Lawful basis for processing: Vital interests, and reasons of substantial public interest under Art. 9(2)(g) of the UK GDPR
Processing condition: Safeguarding of individuals at risk purposes under Schedule 1, Part 2, paragraph 18 of the Data Protection Act 2018

Purpose or activity: To respond to your enquiries and fulfil your requests (including via the chat function in the App or when you contact our customer support team)
Type of personal data: As relevant to your enquiry or request. This may include Health Data.
Lawful basis for processing: Legitimate interests (to service our users), and health or social care purposes under Art. 9(2)(h) of the UK GDPR
Processing condition: Health or social care purposes under Schedule 1, Part 1, paragraph 2 of the Data Protection Act 2018

Disclosures of your personal data

We may share your personal data with the following third parties:

  • External third parties.
  • Your Appstore Provider and mobile network operator to allow you to install the App.
  • Certain social media platforms (such as Instagram and LinkedIn), where you opt to share an update with these platforms via the App sharing function.
  • Service providers acting as processors based in the UK, EU or USA who provide IT and system administration services (including Semble, our EHR software provider), hosting services for our Website and App, delivery and logistics services, payment processing (including Stripe), fraud and identity verification providers (including LexisNexis), customer service support (including HubSpot), email delivery and administration, and data storage and analysis.
  • Healthcare professionals (including doctors/your GP, wellbeing coaches, emergency services) and other key stakeholders in supporting your care (e.g. your insurance provider), all based in the UK. This includes our pharmacy partner Day Lewis in order to fulfil your prescriptions, also based in the UK.
  • Our professional advisors acting as controllers based in the UK including lawyers, auditors, insurers, and consultants who provide legal, accounting, insurance and other services.
  • Your service providers that you have appointed and we need to contact to fulfil your requests, such as your banking or payment card provider to process your transactions.
  • Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Policy.
  • HM Revenue and Customs, regulators (such as the Medicines and Healthcare products Regulatory Agency (MHRA) and the Care Quality Commission (CQC)), law enforcement, public authorities or other third parties acting as controllers based in the UK where necessary to exercise our rights or comply with a legal obligation.

Duty of confidentiality

We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:

  • You’ve provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses).
  • We have a legal requirement (including court orders) to collect, share or use the data.
  • On a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example, sharing information with the police to support the detection or prevention of serious crime).
  • If in England or Wales, the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied.
  • If in Scotland, we have the authority to share provided by the Chief Medical Officer for Scotland, the Chief Executive of NHS Scotland, the Public Benefit and Privacy Panel for Health and Social Care or other similar governance and scrutiny process.

International transfers

We primarily host/process data in the UK or European Economic Area (EEA).

Where we transfer your personal data between the UK and the EEA those transfers are made pursuant to the UK government's adequacy decision in favour of countries in the EEA.

Whenever we transfer your personal data out of the UK/EEA area, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data.
  • Where we use certain service providers located outside the UK/EEA area, we use specific contracts approved by the UK which give personal data the same protection it has in the UK (such as the International Data Transfer Agreement or Standard Contractual Clauses).

Please contact our DPO using the details under the “Contact details” section above if you want further information on the specific mechanism used by us when transferring your personal data out of the UK/EEA area.

Data security

All information you provide to us is stored on our secure servers located in the UK/EEA area. Any payment transactions carried out by us or our chosen third-party provider of payment processing services (such as Stripe) will be encrypted using Secure Sockets Layer (SSL) technology. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our Website, App or Services, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Once we have received your information, we will use strict procedures and security features to protect your personal data from loss, unauthorised use or access, including:

  • HTTPS/TLS is applied when your personal data is in transit.
  • Encryption measures are applied to your personal data when it is stored at rest on our servers.
  • Role-based access controls are applied when our staff access your personal data.
  • Multi-Factor Authentication (MFA) is used (when available) by our staff when accessing your personal data.
  • Our staff receive confidentiality and privacy training.
  • We conduct suitable due diligence on our suppliers that process your personal data.
  • We conduct proportionate and regular security testing to ensure the appropriate level of security measures are applied to your personal data.

We will collect and store personal data on your device using application data caches, browser web storage (including HTML5) and other technology. Please see our Cookie Policy for more information.

We have put in place procedures to detect and respond to personal data breaches and notify you and any applicable regulator when we are legally required to do so.

Data retention

Details of retention periods for different aspects of your personal data are available in our retention policy, which you can request by using the details under the “Contact details” section above. It is worth specifically noting that:

  • As we provide clinical/prescribing services, your medical records form part of a regulated care service and must be retained by us for a minimum of 8 years under UK clinical record retention standards. They cannot be deleted on request where retention is required by law.
  • By law, we have to keep basic information about our customers (including Contact, Identity, Security and Transaction Data) for tax purposes for six years after they cease being customers.

In some circumstances, you can ask us to delete your data: see the “Your legal rights” section below for further information.

Once we no longer have a legal right to hold your personal data, we will delete or, in some circumstances, we will anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

If you do not use the App for a period of 24 months, then we will treat the account as expired and will delete your personal data.

Your legal rights

You have the following rights under data protection laws in relation to your personal data.

  • Access. Request access to and/or a copy of the personal data we process about you (commonly known as a data subject access request). This enables you to check that we are lawfully processing it.
  • Correction. Request correction of any incomplete or inaccurate data we hold about you. (We may need to verify the accuracy of the new data you provide to us.)
  • Deletion. Request us to delete or remove personal data where there is no good reason for us continuing to process it. You can also ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we have processed your information unlawfully or where we need to erase your personal data to comply with the law. In some cases, we may need to continue to retain some of your personal data where required by law. If these apply, we will notify you at the time of our response.
  • Objection. Object to us processing your personal data where (a) we are relying on legitimate interests as the lawful basis and you feel the processing impacts on your fundamental rights and freedoms, or (b) the processing is for direct marketing purposes. In some cases, we may refuse your objection if we can demonstrate that we have compelling legitimate grounds to continue processing your information which override your rights and freedoms.
  • Restriction. Request that we restrict or suspend our processing of your personal data:
      • if you want us to establish the data's accuracy;
      • where our use of the data is unlawful, but you do not want us to erase it;
      • where we no longer require it, but you need us to hold onto it to establish, exercise or defend legal claims; or
      • where you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to use it.
  • Data portability. Request we transfer certain of your personal data to you or your chosen third party in a structured, commonly used, machine-readable format. This right only applies to information processed by automated means that we process on the lawful bases of consent or performance of a contract.
  • Withdraw consent. Withdraw your consent at any time where we are relying on consent to process your personal data. Please know that this does not affect the lawfulness of any processing carried out before you withdraw your consent, and after withdrawal, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.
  • Complain to the UK data protection regulator. If you are unhappy with how we process your personal data, you should contact us first using the details under the “Contact details” section above in line with our Complaints Policy so that we have the chance to put it right. However, you also have the right to make a complaint to the ICO at any time.

You can exercise any of these rights at any time by contacting us at dpo@genwell.co.uk.

You can also use the Cookies banner to give or withdraw your consent to or disable our processing of your Cookies Data.

No fee is usually required. You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we could refuse to comply with your request in these circumstances.

What we may need from you. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

Time limit to respond. We try to respond to all legitimate requests within one month. Occasionally, it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

Third party links and sites

Our Website, App and Services may, from time to time, contain links to and from the websites of third parties, such as: Gov.uk, cqc.org.uk. Please note that these websites (and any services accessible through them) are controlled by those third parties and are not covered by this Privacy Policy. You should review their own privacy notices to understand how they use your personal data before you submit any personal data to these websites or use these services.

Changes to the Privacy Policy and your duty to inform us of changes

We keep this Privacy Policy under regular review.

This version was last updated as of the “Last updated” date at the top of this Privacy Policy. It may change and, if it does, those changes will be posted on this page and notified to you by email, by an in-App notification, or when you next start the App or log onto your account. The new notice may be displayed on-screen and you may be required to read and acknowledge the changes to continue your use of the App or the Services.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you. Please visit the “Account details” section of your profile in the App to update your details, or you can contact us to make the updates for you.

Description of categories of personal data

  • Identity Data: first name, last name, date of birth, sex assigned at birth, your ID (such as passport or driving licence) and Profile Data.
  • Contact Data: contact address, email address, telephone numbers, your communication preferences and copies of the communications between you and us.
  • Profile Data: your email address, username and password.
  • Health Data: this includes everything we store in your EHR including: height, weight, waist circumference, body mass index (BMI), personal health goals/milestones, current medication you are taking and dosage, the details of the care plan we propose to you (including medications and their amount, dosage and frequency), copies of your prescriptions, the name of your primary doctor and wellbeing coach, the date and time of your primary doctor and wellbeing coach appointments, your GP practice’s name and address, details of any relevant medical conditions including lab test results (e.g. cholesterol, HbA1c, sleep study reports), allergies, doctor’s and wellbeing coach’s consultation notes and hospital/health specialist clinical letters or discharge summaries.
  • Audio/Visual Data: pictures/videos of your body, your telephone and video calls with your primary doctor. This may require access to your device’s camera and/or microphone (Audio/Visual Data may include Health Data).
  • Financial Data: payment card details.
  • Transaction Data: billing and delivery addresses, history of your payments, purchases, deliveries, returns and refunds and the applicable terms and conditions of your purchases.
  • Device Data: the type of device you use, your unique device identifier, your mobile operating system, the type of mobile browser you use, IP address and time zone setting.
  • Content Data: information that you store or generate in the App, being check-ins, posts and messages.
  • Usage Data: logs and detail of your use of our Website, App and Services, being the dates and times on which you download, access and update the Website, App and our Services, any error or debugging information, and the resources that you access and the actions we and you take in relation to them and Cookies Data.
  • Security Data: information we collect about your use of the App, our Services and our Sites in order to ensure your and our other users' safety and security, being Usage, Device and Cookies Data and the information provided to us by our payment processing provider.
  • Cookies Data: the information collected through the cookies and similar technologies listed in our Cookie Policy.
  • Direct Marketing Data: your direct marketing preferences, consents for receiving direct marketing from us and/or our third parties and the history of the direct marketing communications we have sent to you.
  • Feedback Data: your feedback and survey responses.
  • Personalisation Data: Cookies, Device, Content, Transaction and Usage Data and the preferences we have inferred you have and use to personalise the Website, App and Services, being the preferences noted in your account.