top of page

Privacy

By continuing to use our website, apps and services, you are deemed to agree to our terms and conditions and this Privacy Policy for the collection and processing of your personal data. Please note that any consent that is given for the purposes of medical consultation or examination is a separate consent from that granted for the processing of your personal data.

 

This Privacy Policy sets out our use of any and all data collected by us in relation to your use of our service, website, platform and apps, (“Service”). The Website is operated & owned by PASTEL HEALTH Ltd (”Pastel”, “Pastel Health”, “we”, “us” and “our”). Our Registered Office is 23b Eastfield Road, London, England, E17 3BA and our Company Registration Number is 15708330. 

 

Data processing by Pastel is subject to English law and as applicable, European law i.e. GDPR. Pursuant to applicable data protection regulations (UK GDPR, UK DPA 2018, etc.), we work to ensure Pastel users have appropriate protection of their privacy and personal data.

 

For the purposes of processing your personal data, we are the data controller (as set out under EU General Data Protection Regulation 2016 - GDPR). We are committed to protecting your privacy, both online and in the real world. In this policy we explain how we collect information, what we do with it and what controls you have over our processing of your information.

 

This Policy should be read in conjunction with our Terms and Conditions which can be found here.

We may amend or update this Privacy Policy from time to time as set out in clause D. of the Terms and Conditions and will publish revised versions on this website. This Privacy Policy is current from May 2024.

 

Legal Basis for Processing
​

Under GDPR, we will ensure that your personal data is processed lawfully, fairly, and transparently, without adversely affecting your rights. We will only process your personal data if at least one of the following bases applies:

 

you have given consent to the processing of your personal data for one or more specific purposes,

 

processing is necessary for the performance of a contract to which you are a party or in order to take steps at the request of you prior to entering into a contract processing is necessary for compliance with a legal obligation to which we are subject,

 

processing is necessary to protect the vital interests of you or of another natural person,

processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller, and/or

 

processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

 

Unless otherwise specified, any processing of personal data undertaken by us or by one of our authorised subcontractors including healthcare providers (HCP) and business associates, relating to providing our healthcare services to a customer, an Authorised User of our Service (or their dependants) is processed on the basis of our contractual relationship (or in anticipation of a contractual relationship). Where we do not have, or are not anticipating, a contractual relationship with a data subject (for example where processing personal data relating to a child or other dependant), we will generally be processing that data on the basis of legitimate interests.

In addition, where the personal data that we will be processing is “special data” which should be given additional safeguards, such as health information, we will only process that information if there is a valid special condition for processing (as set out in Article 9 of the GDPR). For the purposes of health data, we will rely on Special Condition Article 9(2)(h) (processing of health data where there are adequate safeguards and confidentiality obligations in place).

 

If we are processing personal data for the purposes of marketing, we will only do so if we have express consent of the data subject. You have the choice to opt in or out of being contacted by Pastel for marketing via post or email. If you decide to opt in, you will occasionally receive our email newsletters. If you decide you no longer want to receive this newsletter, you can click on the link at the bottom of any email we have sent you to opt out on that particular type of email.

 

All data used by Pastel for research purposes are aggregated.

 

Our product and services are only available to patients over 18 years old. If you have any knowledge of a child accessing the app and providing personal data, without parental consent please report this to Pastel using the contact details available at the end of this privacy policy.


1. Information we may collect from you

​

We may collect and process the following information about you:

 

Personal Information such as names, address, date of birth, National Health Service number, email address, and mobile number (in order to provide you with Services), we may also collect optional personal data such as race, sex, ethnicity, etc. to best tailor our Services to you.

 

Payments and purchases: details of any transactions made by you through the Service while logged into your account will be recorded.

​

Technical information: including the type of mobile device you use, mobile network information, your mobile operating system, the type of mobile browser you use (Device Information), Internet Protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform, information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from Our Site(s), (including date and time); product you viewed or search for; page response times, download errors, length of visits to certain pages, page interaction information, and methods used to browse away from the page. 

 

When you contact us: communications you send to us, for example to report a problem or to submit queries, concerns or comments regarding the Service, and any phone number used to call our customer service number

 

Research and surveys: information from surveys that we may, from time to time, run as a part of our Service for research purposes, if you choose to respond to them.

 

Usage & Activity Data: details of your visits to the websites or apps as part of the Service, the resources you access and any data you download (log information)

 

Health data: medical information about you including your medical history, conditions, prescriptions, allergies, height, weight and other medical information which you might discuss with a HCP as part of your use of the Service. When Pastel is providing NHS Services, personal data is exchanged between Pastel and referring NHS healthcare professionals (e.g. your GP practice) for the purposes of caregiving and safeguarding. We also record the notes, video and telephone conversations of your consultations with our HCP. You are under no obligation to provide any such information. During those calls, your personal data may be processed for the purposes of delivering the services, training our staff, fact verification and quality management. However, if you should choose to withhold requested information, we may not be able to provide you with certain services and may refer you to a more appropriate health service.

 

You can opt out at any time of any of our data processing activities by contacting us via our website or by sending an email to [TO ADD] except if these activities are necessary for compliance with the UK regulatory codes of practice on records management and health data management laws. We are required to maintain a detailed record of the medical care you receive. It also allows our medical professionals to safely provide future care based on your medical history.

 

No user data will be shared for purposes not disclosed or reasons not mentioned in this privacy policy.

 

2. Uses made of your information
 

We will use the information you provide to:

enable us to provide you with the services and information offered and which you request from us, for example to arrange a consultation. This may include sharing your data with one of our third-party service providers such as our HCP or technology partners

 

provide and administer your access and to our website and your account with us, verify and carry out financial transactions in relation to payments you make online, verify your identity, respond to communications from you, supply you with email, for example newsletters, alerts that you might have subscribed to.

 

We need to use your personal information for those purposes to provide our services to you. In some cases, the collection of data may be a requirement and we will be limited in the services that we can provide to you without your consent to be able to use such data.

 

We also collect, store and use the personal information listed above to:

 

audit the downloading of data to improve our service,

learn and improve the layout and/or content of our website or apps and better customise them for users,

 

identify users of the Service, carry out research on our user demographics, and tailor the information we send to you on the basis of the health data that you submit to us.

 

We have a legitimate interest in using your personal information for these purposes, so that we can constantly improve our Service, and to ensure that we are only sending you information that is going to be useful or relevant to you.

 

Finally, we use your personal information to send you information we think you may find useful or which you have requested from us, including information about our products and services or those of carefully selected third parties (such as information on relevant treatment and care offered by third parties), provided you have consented to being contacted for these purposes,

 

You can tell us not to contact you with information regarding our products and services or those of third parties or to share your details with third parties so that they can send you information regarding their products and services. This is done via our website or by sending an email to kushalrkpatel@gmail. Where you do not wish us to continue to use your information in this way, you can follow the unsubscribe instructions on any communications sent to you. You can also exercise the right at any time by contacting us using the contact details at the end of this privacy policy.

 

Note that as a digital service, Pastel will be using emails to share and collect personal information. All communications sent from Pastel are secure. However, we cannot guarantee that your email service provider has implemented the necessary measures to keep your emails safe. The following risks must also be taken into account when using email:
 

1) Email may be forwarded, printed and stored in paper and electronic forms and be received by unintended recipients. 2) Email may be sent to the wrong address by any sender or receiver. 3) Email service providers have a right to store and inspect emails. 4) Copies of email may exist even after the sender or the receiver has deleted his or her copy. 5) Email may be intercepted, altered, or used without detection or authorisation. 6) Email may spread computer viruses. 7) Email delivery is not guaranteed.
 

3. Information shared with others

 

We may disclose your personal information to business partners, suppliers, sub-contractors and third party services providers to deliver the contracts and services you have requested.

 

Information that identifies you

We will only share personal information, from which you can be identified, in certain limited circumstances as described below. Note that at Pastel we commit to only collect the minimum amount of personal information that will allow us to deliver our Services.

 

Our healthcare staff

We may share medical information about you, including your medical history, illnesses and prescriptions, with our healthcare staff. All our HCP are registered with the appropriate body. We share your medical information with our healthcare staff in order to enable them to better assess health conditions, advise you and deliver our services.

We ensure that all data transferred to our HCP is protected by proper and appropriate safeguards and our healthcare staff are all bound by contractual obligations, which incorporate the European Commission's Model Clauses, to ensure all staff keep the personal information they receive safe, confidential and only use it for the purposes for which it is provided to them.

 

Business associates

We provide some aspects of our Healthcare Services through contracts with business associates for whom we are legally responsible. Examples of our business associates include companies for secure cloud hosting, management consultants, quality assurance reviewers, accreditation agencies, and billing and collection services. We may disclose your personal information to our business associates so that they can perform the jobs that we have asked them to perform. To protect your personal information, we only work with business associates who are compliant with the GDPR legislations.

 

Information that does not identify you

We may disclose aggregate statistics about users of the Service, visitors and sales in order to describe our services to prospective partners, investors, advertisers, sponsors and other reputable third parties and for other lawful purposes, but these statistics will include no personally identifiable information.

 

We will not disclose, sell or rent your personal information to any third party unless you have consented to this first. If you do consent but later change your mind, you may contact us, and we will cease any such activity. However, in the event that we undergo re-organisation or are sold to a third party, you agree that any personal information we hold about you may be transferred to that re-organised entity or third-party.

 

We may also disclose your personal information if required to do so by law or if we believe that such action is necessary to prevent fraud or cyber-crime or to protect the Service or the rights, property or personal safety of any person.

 

4. Our use and storage of medical information
 

All medical and other health information collected and supplied to Pastel will be treated as strictly confidential and all such data will be held strictly in accordance with, and as long as required, under UK regulatory codes of practice on records management and data privacy laws.

 

All information you provide to Us is stored on secure servers held in both the European Economic Area (EEA) and GDPR-compliant international data processors only. Where international data processors are used, all appropriate technical and legal safeguards will be put in place to ensure that you are afforded the same level of protection as within the EEA.

 

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our technology, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

 

 

How long we keep your medical data

All health records are retained in digital form by Pastel in a secure and encrypted environment and are confidentially stored in accordance with the retention periods set out in the NHS code of practice on records management, which may be updated from time-to-time.

A copy of the code can be found here. We also maintain our own internal Data Retention Policy, on which our staff are trained, which is regularly reviewed to ensure compliance with industry best practices. Note that all data with a limited retention period are automatically erased following the expiration of the retention period. This retention period can vary depending on NHS contracts & retention standards

 

What we do with consultation notes

Audio and video records

Pastel may make audio and video recordings of your Appointment for training, quality, clinical governance and account management purposes which will be treated as confidential and will be held safely and securely and strictly in accordance with, and as long as required, under UK regulatory codes of practice on records management. These recordings will not be made available to any other party without your prior written consent. Anytime a recording is in process, you will be warned beforehand.

 

Sharing information with GPs

We will be sharing information with your GPs or other HCP involved in your care after collecting your consent, as outlined in our terms & conditions. We may refer you to another more appropriate health service if you fail to do so.

 

Security and encryption

Pastel runs in a HTTPS secure mode - and encrypts all audio, video and text information shared during your consultation. There are clear procedures in place to ensure paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage. Nevertheless, electronic transmissions sent via the internet are never completely private or secure and there is a risk, therefore, that any such electronic communications sent may be intercepted and potentially read by others. You should ensure that any computer or telephone you use to access your online patient record is suitably protected from potential interception.

 

5. Additional information
 

When you visit the Website, we may automatically collect additional information about you, such as the type of internet browser you use, the Website from which you have come to the Website and your IP address (the unique address which identifies your computer on the internet) which is automatically recognised by our web server. You cannot be identified from this information and it is only used to assist us in providing an effective service on the Website and to collect broad demographic information for aggregate use.
 

6. External links
 

The Service may, from time to time, use links to external sites affiliated to us or run by independent third parties. Please note that this Privacy Policy applies only to the personal information that we collect through this website and we cannot be responsible for personal information that third parties may collect, store and use through their website and we are not responsible for the privacy policies or the content of such sites. You should always read the privacy policy of each website you visit carefully.

 

7. Payment processing
 

Payments made to the Service are made through our payment solutions provider. You will be providing your email address and your credit or debit card information directly to the payments solution provider, which operates a secure server to process payment details, encrypting your credit/debit card information and authorising payment. Information which you supply to the payments solution provider is not within our control and is subject to payments solution provider’s own privacy policy and terms and conditions available at payments solution provider’s website.

 

8. Security
 

We place great importance on the security of all personally identifiable information associated with our users. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal information under our control. Our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to personal information.

Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it from occurring.

 

You should bear in mind that submission of information over the internet is never entirely secure and whilst we take appropriate technical and organisational measures to safeguard the personal information you provide, we cannot guarantee the security of information you submit to the Service whilst it is in transit over the internet and any such submission is at your own risk.

You should always close your browser when you have finished your user session to help ensure others do not access your personal information, particularly if you use a shared computer or a computer in a public place.

 

9. Storage of your information
 

Information that you submit to the Service and that we collect while providing our services is sent to and stored on secure servers located in the EU (except for the specific exceptions set out in this policy, including certain recorded data processed and stored by our communications software provider). This is necessary in order to process the information in accordance with this policy and our internal privacy policy.

 

10. Your rights regarding your personal data

​

Under data protection legislation, data subjects have the following rights with regards to their personal information:
 

  • the right to be informed about the collection and the use of their personal data – the right to access personal data and supplementary information

  • the right to have inaccurate personal data rectified, or completed if it is incomplete – the right to erasure (to be forgotten) in certain circumstances

  • the right to restrict processing in certain circumstances

  • the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services

  • the right to object to processing in certain circumstances

  • rights in relation to automated (computer-made) decision making and profiling

 

 

Where we are processing your personal data on the basis of consent, you may withdraw your consent for Pastel to use your personal data as set above at any time by contacting Pastel using the details below. Subject to the regulatory and legal requirements for Pastel to retain certain information on your medical history and your consultation notes, you can withdraw your consent to our use of any of your personal information at any time by emailing [TO ADD]

 

You also have the right to lodge a complaint at any time about our treatment of your personal information with a relevant supervisory authority (including, the Information Commissioner's Office in the UK). The different ways to contact the ICO’s office can be found on the ICO's website.

 

Note that Pastel commits to respond to any requests to exercise your rights within 2 months.

 

Contact Us

​

Please submit any questions, concerns or comments you have about this privacy policy or any requests concerning your personal information you can contact our  Data Protection Officer by emailing kushalrkpatel@gmail.com or write to us at: Pastel Health Ltd, 23b Eastfield Road, London, England, E17 3BA.

bottom of page