Privacy Policy

Last updated: 18th October, 2022

This Privacy Policy contains important information about how we process your personal data. Inparticular, we explain how we process any Health Data you provide to us in Section 6.

1. Introduction

1.1. We respect your privacy and are committed to protecting your personal data. This policy relates to your use of (and to any related communications with us about) the Hearology website(s) listed below (Websites), as well as the services provided to you in our clinics (Services):

2. Important information and who we are

2.1. Hearology Limited (“Hearology“, “we”, “us” or “our”) is the controller responsible for processing your data in connection with the Websites and Services.

2.2. We have appointed a data privacy manager. If you have any questions about this privacy policy, or about how we use your data, please contact them using the details set out below:

Email address: dataprotectionofficer@hearology.uk  

We appreciate the opportunity to answer any questions you may have in the first instance. You also have the right to make a complaint at any time to the Information Commissioner’s Office (ICO).

3. Changes to the privacy policy and your duty to inform us of changes

3.1. We keep our privacy policy under regular review. It may change and, if it does, these changes will be posted on this page.

3.2. Please keep us informed if your personal data changes during our relationship with you.

4. Third party links

4.1. Our Websites may, from time to time, contain links to and from the websites of our partner networks, advertisers and affiliates. Please note that these websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies, norfor any personal data that may be collected through these websites or services, nor for any transactions that may occur between you and these other providers. Please check these policies before you submit any personal data to these websites or use these services.

5. The data we collect about you

5.1. We may collect, use, store and transfer different kinds of personal data about you as follows:

  1. Identity Data: including first name, last name, online account username or similar identifier, date of birth, gender.
  2. Contact Data: including contact address, delivery address, email address and telephone number, and the name and address of your GP or other health practitioner.
  3. Financial Data: where applicable, information on your private healthcare insurance or other relevant insurances / arrangements.
  4. Profile Data and Transactions Data: including your username and password, sign-up information, purchases or orders made by you on the Websites, any  interests or preferences you express whilst interacting with our Websites, feedback and survey responses, details of products and services you have purchased from us and items in your shopping basket.
  5. Technical Data and Usage data: details of your visits to our Websites.
  6. Health Data: including the data described in Section 6 below.
  7. Marketing and Communications Data: including your preferences in receiving marketing from us and our third parties and your communication preferences.

5.2. We may also collect, use and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific Websites feature. However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

5.3. Save for the data set out in Section 6 below, we do not intend to collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, genetic and biometric data) (Special Category Data). Nor do we collect any information about criminal convictions and offences. Please do not provide us with any copies of special categories of personal data, save as set out in Section 6 below.

6. Special Category Data

6.1. We request a top line indication of the symptoms that require our services and you have the option to provide more detail because we need to know relevant details about your health in order to provide you with our services.

6.2. To the extent any of your personal data constitutes Special Category Data, we will only process that Special Category Data where the processing is:

  1. necessary for the provision of health care or treatment, provided such treatment is provide to you by a health professional (as defined in the Data Protection Act 2018), such as a registered nurse;
  2. in your vital interest (in situations where you are incapable of giving consent);
  3. necessary to establish, make or defend legal claims or court action;
  4. of data that has already been made public by you;
  5. in the substantial public interest, as permitted by applicable laws; or
  6. to the extent that sub-Sections (a)-(e) above do not apply, performed in accordance with your consent (as described in Section 18.1 below).

6.3. As part of your treatment, we may obtain your consent to the treatment itself. This consent is not the same as a consent granted by you to process personal data. How is your personal data collected?

6.4. We will collect and process the following data about you:

  1. Information you give us. This is information you give to us by registering to use the Websites or our Services and the information you give us when you purchase our products or services, or by corresponding with us (for example, by email, social media or chat). It also includes information you provide when making purchases, enter a competition, promotion or survey, or report a problem with the Websites or our Services. If you contact us, we will keep a record of that correspondence.
  2. Information we collect about you and your device. Each time you visit the Websites we will automatically collect personal data including Device, Content and Usage Data. We collect this data using cookies and other similar technologies. This data is aggregated and is in no way linked to your personal identity. Please see our cookie policy for further details.
  3. Information we receive from other sources including third parties and publicly available sources. We will receive data about you from various third parties as set out below:
    1. Device Data from analytics providers such as Google;
    2. Contact Data from third party referrals, such as private practice general medical practitioners or third party private medical insurance providers.

7. Cookies policy

7.1. We use cookies to distinguish you from other users of the Websites and to remember your preferences. This helps us to provide you with a good experience when you use or browse the Websites and also allows us to improve the Websites. We use cookies to enable the smooth operation of our websites and also for analytic and marketing purposes. You can choose not to accept any cookies – or to adjust cookie settings – using the consent management options that are offered to you when you load our websites.

8. How we use your personal data

8.1. We will only use your personal data when the law allows us to do so. Most commonly we will use your personal data in the following circumstances:

  1. where you have consented before the processing;
  2. where we need to perform a contract we are about to enter or have entered with you;
  3. where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests; or
  4. where we need to comply with a legal or regulatory obligation.

8.2. Please see “Lawful Basis” at Section 18 below to find out more about the types of lawful basis that we will rely on to process your personal data. You have the right to withdraw that consent at any time by contacting us. Where we rely on consent as our lawful basis you have the right to withdraw your consent at any time by contacting us.

9. Purposes for which we will use your personal data when using the Websites (and in related communications with us) 

Purpose/ActivityType of dataLawful basis for processing
To register you as a customerIdentity

Contact
Performance of a contract with you
To process and deliver your order including managing payments, fees and chargesIdentity

Contact

Financial

Transaction
Performance of a contract with you; and/or

Necessary for our legitimate interests (to recover debts due to us)
To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy

(b) Asking you to leave a review or take a survey

(c) Sending you updates and marketing communications  
Identity

Contact

Profile

Marketing and Communications
Your consent; Performance of a contract with you; Necessary to comply with a legal obligation; and/or Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services)
To enable you to partake in a prize draw, competition or complete a surveyIdentity

Contact

Profile Usage

Marketing and Communications
Your consent;

Performance of a contract with you; and/or

Necessary for our legitimate interests (to raise awareness about our products/Services and to develop them and grow our business)
To administer and protect our business and the Websites (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) Identity

Contact

Technical
Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise); and/or

Necessary to comply with a legal obligation
To deliver relevant Websites content to you and measure or understand the effectiveness of the advertising we serve to youIdentity

Contact

Profile

Usage

Marketing and Communications

Technical
Necessary for our legitimate interests (to raise awareness about our products/Services and to develop them, to grow our business and to inform our marketing strategy)
To use data analytics to improve our Websites, products/services, marketing, customer relationships and experiencesTechnical

Usage
Necessary for our legitimate interests (to define types of customers for our products and services, to keep our Websites updated and relevant, to develop our business and to inform our marketing strategy)

10. Purposes for which we will use your personal data when using our Services in one of our clinics

Purpose/ActivityType of dataLawful basis for processing
To register you as a customer and provide you with our ServicesIdentity

Contact

Health Data
Performance of a contract with you; and

The basis for processing Special Category Data set out in Section 6.
To process and deliver your order including:

(a) Manage payments, fees and charges

(b) Collect and recover money owed to us
Identity

Contact

Financial

Transaction

Marketing and Communications
Performance of a contract with you; and/or Necessary for our legitimate interests (to recover debts due to us)
To ensure you are kept up-to-date with your treatment, order or other non-marketing communications from usIdentity

Contact

Health Data
Performance of a contract with you; and

The basis for processing Special Category Data set out in Section 6.
To enable you to partake in a prize draw, competition or complete a survey or provide feedbackIdentity

Contact

Marketing and Communications
Your consent;

Performance of a contract with you; and/or

Necessary for our legitimate interests (to raise awareness about our products/Services and to develop them and grow our business)

11. Disclosures of your personal data

11.1. We may share your personal data for the purposes set out in the tables above with the parties set out below.

  1. Internal Third Parties and External Third Parties as set out in the Glossary.
  2. Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets.

11.2. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

12. Marketing

12.1. We strive to provide you with choices regarding our use of your personal data, particularly around marketing and advertising.

12.2. We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services and offers may be relevant for you (we call this marketing).

12.3. You will receive marketing communications from us if you have requested information from us or purchased goods or services from us and you have not opted out of receiving that marketing. You can ask us or third parties to stop sending you marketing messages at any time by contacting us at any time.

12.4. Where you opt out of receiving these marketing messages, this will not apply to personal data provided to us as a result of a product/service purchase, product/service experience or other transactions.

13. Data security

13.1. All the information you provide to us, including any payment transactions carried out by us or our chosen third-party provider of payment processing services, is processed and stored securely. You are responsible for keeping allof your passwords or other security information confidential.

13.2. Once we have received your information, we will use procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.

13.3. You may communicate with us publicly, for example via social networking platforms or review features. You must ensure when doing so that you do not submit any personal data that you do not want to be seen, collected or used by other users.

13.4. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

14. Data retention

14.1. We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

14.2. To determine the appropriate retention period for personal data, we consider:

  • the amount, nature and sensitivity of the personal data;
  • the potential risk of harm from unauthorised use or disclosure of your personal data;
  • the purposes for which we process your personal data and whether we can achieve those purposes through other means; and
  • and the applicable legal, regulatory, tax, accounting or other requirements. For more information on how long we hold your personal data please contact us.

15. Your legal rights

15.1. You have the right to:

  1. Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
  2. Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
  3. Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
  4. Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
  5. Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
    1. if you want us to establish the data’s accuracy;
    2. where our use of the data is unlawful but you do not want us to erase it;
    3. where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
    4. you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
  6. Request the transfer of your personal data to you or to a third party. We will provide to you (or a third party you have chosen) your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
  7. Withdraw consent at any time where we are relying on to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent.

15.2. You also have the right to ask us not to continue to process your personal data for marketing purposes.

15.3. You can exercise any of these rights at any time by contacting us at: dataprotectionofficer@hearology.uk

Glossary

16. Lawful basis

16.1. Consent means processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us.

16.2. Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.

16.3. Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.

16.4. Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.

17. Third parties

17.1. Internal third parties

  1. Other companies owned or controlled by Hearology (or under mutual control of Hearology), which may act as joint controllers or processors and who are based in the UK and provide services to you or us.

17.2. External third parties

  1. Service providers acting as processors who provide IT and system administration services and website development services, including Dijisoft (web development), and Timely (client-relationship management software).
  2. Service providers acting as processors who provide marketing support services such as Solja Ltd.
  3. Suppliers and collaborators, such as providers of bespoke medical items, delivery companies, and debt collectors.
  4. Payment processing service suppliers, including Stripe and Square.
  5. Third party healthcare providers, such as consultants or private hospitals or private providers of medical insurance, but only to the extent necessary for your care and as permitted under applicable laws (as further described in Sections 6 and 18).
  6. Professional advisers acting as processors including lawyers, bankers, auditors and insurers based in the UK who provide consultancy, banking, legal, insurance and accounting services.
  7. HM Revenue and Customs, regulators and other authorities acting as processors based in the UK who require reporting of processing activities in certain circumstances.
  8. Social networks, such as Instagram, Twitter, Facebook, and YouTube, but only in so far as is necessary to provide features on our Websites, such as widgets, buttons or plug-ins.
  9. Advertising and marketing partners for marketing on our behalf. This will always be in line with our Cookies Policy. For example, we may share Usage Data with Google (in conjunction with Google Analytics, Google Tag Manager and Google Ad Manager). You can also opt-out of these activities through your device and/or browser settings or third-party tools, such as the Network Advertising Initiative opt-out.