Last updated: 18 June 2025

1. INTRODUCTION

The HeliosX group of companies are committed to protecting your privacy. This Privacy Notice describes how and why we collect, use and share your information when you use our services. It also outlines your rights and choices with respect to your Personal Data, and how to contact us if you have any queries or concerns.

We recommend that you read this Privacy Notice in full to ensure you are completely informed about your personal data.

Across each of the services we provide, we are dedicated to maintaining the confidentiality and rights to privacy of all our patients, service users, and other individuals we engage with.

We take our responsibilities in relation to data protection and information rights seriously and maintain robust processes for safeguarding the Personal Data we hold in order to carry out our services and provide easy access to the information rights of individuals.

2. PURPOSE

This Privacy Notice explains the situations where we may Process your Personal Data and the steps we take to protect it. We also use this Privacy Notice to give you information about how we handle information about you when you visit our websites, mobile apps, services and health services (the "Services").

3. SCOPE AND RESPONSIBILITIES

This Privacy Notice is published by HeliosX on behalf of itself and its subsidiaries (together "HeliosX"). The "controller" of your Personal Data for the purposes of the UK GDPR and the EU GDPR will depend on the HeliosX service you interact with as follows:

4. PERSONAL DATA WE COLLECT

We may collect and Process Personal Data about you in the ways outlined below. Where applicable, we indicate whether and why you must provide us with your Personal Data, as well as the consequences of failing to do so. If you do not provide Personal Data when requested, you may not be able to benefit from our services if that information is necessary to provide you with them or if we are legally required to collect it.

Information provided by you

• Registration. When you register to receive a service provided by HeliosX (e.g., when you create an account on a website, sign up to an app or contact us by other means), we will collect Personal Data to provide you with access to the services you require. The information we collect may include your name, address, email, date of birth and phone number.
• Account and Profile information: Where you have an account with us, we will process your login information (email and password) and your profile information (which will include your registration information) as well as additional information you include in your account (for example, details on your current weight or goals, or your skincare routine), as applicable to the Service.
• Requesting Healthcare Services. If you request healthcare services from us including prescription-only medication, we may ask you to "Complete a consultation", or to otherwise provide us with information about you. We will collect sensitive Personal Data (special category data) about you when you complete this form of consultation, including information about your body composition, medical conditions (including previous diagnoses you've received), current medications and allergies.
• Ordering Goods from Us. If you order goods or services from us, we will collect information we require to complete your purchase, including your name, title, payment details, billing and delivery address, email, date of birth and other contact details.
• Contacting Us. If you contact us via social media, email, telephone, chat functions or otherwise, we will collect any Personal Data you choose to disclose to us. We will keep a copy of that correspondence and use this information to help us respond to your comments, questions, or feedback.
• Feedback requests/reviews: If you provide us with feedback or reviews (either automatically via analytics) or directly to us. This may be about our products themselves, the Services or the functionality of the websites and apps. This will include details you include in your feedback as well as any photos or screenshots you provide.
• Responding to Surveys and Prize Draws. We may collect information about you if you respond to surveys on our site, or otherwise enter any competition, prize draw, promotion or survey we run.

This information may be combined with other information you provide to us.

Some of the personal data that you provide includes sensitive personal data, such as health-related information or information about your race or ethnicity, which we need to provide some of the Services. For example, where it is necessary for your medical diagnosis or for the provision of your healthcare or treatment or your weight will be required to use the MedExpress App or where you enquire about symptoms (either directly or where you engage with content on our Services).

Information we receive from other sources

We also work closely with third parties (including, for example, business partners, service providers, advertising networks, analytics providers, and search information providers) and may receive information about you from them. If you chose to sign in using a third party (for example your gmail account), we will also receive information from them.

This may be combined with other information you provide to us, as described above.

Information about other people

If you provide information to us about any person other than yourself, you confirm that you have made that person aware of how we may collect, use, and disclose their information, the reason you have provided it, how they can contact us, the terms of this Privacy Notice and that they have consented to such collection, use and disclosure.

Information collected via automated means

We use cookies and similar technologies (collectively "cookies") to ensure that our Services function properly, to improve our products and services, for analytics and marketing purposes. Cookies are small pieces of information that are stored by your browser on your computer's hard drive and are used to record how you navigate this website on each visit.

These may include technical information about your computer or device, internet connection and browser as well as the country, where your computer or device is located, your IP address, your ISP, operating system, the app platform used to download the app, device type, unique device ID, the pages viewed during your visit, content you engage with, clicks on the Services including the advertisements you clicked on, any search terms you may enter on our website, your log-in information, duration of use, functional information on the Services performance and other information about your visit and how you used our website to deliver the best possible web experience. Where your device allows and as permitted by law, we will also collect location information.

To find out how we use cookies on this site, see our Cookie Policy https://www.medexpress.co.uk/cookies

5. HOW WE WILL USE YOUR PERSONAL DATA

All Personal Data that we obtain about you and/or any other person whose details you provide will be Processed in accordance with applicable data protection legislation, our Terms and Conditions, our Cookie Policy and this Privacy Notice.

Purposes for Processing your Personal Data

We will primarily use your Personal Data for the following purposes:

• In order to use the Online Health Services, you will be required to register with us and create a personal secure online patient record.
• To manage and administer your account across our Services and to use our apps, you will be required to login with your Online Health Services account details.
• To verify your identity.
• To create and maintain your patient record once you have registered.
• To process and fulfil any orders that you place with us (through our website). If we don't collect your personal data during checkout, we won't be able to process your order.
• To respond to any queries, refund requests or complaints. Handling the information you submit to us enables us to respond effectively. We keep a record of these queries to demonstrate how we communicated with you throughout. We do this based on our contractual obligations, legal obligations, and our legitimate interests as a business in providing you with the best service.
• To utilise third party suppliers/ software for the dispensing of your prescribed medication.
• To carry out market research so that we can improve the services we offer (where you consent).
• We may use your Personal Data, preferences, and details of your transactions to keep you informed by email, web/social media, text and telephone. We also include relevant products and services including special offers, discounts, promotions, events, surveys, and competitions tailored to you. This may include marketing and promotions offered by other entities in the HeliosX group of companies. You can opt out of hearing from us about these at any time.
• To train our AI models. We may use your Personal Data to train our AI models which we use to provide our services. For example, we use AI to spot fake pictures uploaded by our customers to our pharmacists. We will always anonymize your Personal Data before we input this information for training.
• For clinical research. We may use your Personal Data for the development of products used to diagnose and treat your symptoms. We will always anonymize your Personal Data where possible.
• To allow you to participate in interactive features of our services when you choose to do so.
• Personalise and customise your experience on the Services.
• To promote and administer any prize draws that we run.
• To improve our products. For example, we may capture your product reviews when you buy goods and services from us by following up with an enquiry about your experience of the product to help us gauge customer satisfaction. We may also conduct customer surveys or otherwise conduct market research. You are not obligated to leave reviews or complete surveys, but this facility would enable you to get your views of the product across should you wish to do so.
• To continuously improve our service to our customers by monitoring telephone calls which we receive at our call centres for the purposes of staff training, quality control and service improvement.
• To track and analyse activity on our Services and manage our use of tracking technologies to improve our Services and develop new products and services.
• To create analytics and insights about the engagement with and use of the Services.
• To communicate with you in the event that any services requested are unavailable or it there is a query or problem with your order.
• To notify you about any changes to our services and to send you service emails relating to the activities you have asked us to undertake on your behalf.
• To administer and maintain our websites and App and our IT systems (including monitoring, troubleshooting, data, analysis, testing, system maintenance, repair and support, reporting and hosting of data).
• As part of our effort to keep our website, app and services safe and secure.
• Manage compliance with the relevant terms of service and related internal reporting.
• To comply with applicable law and regulatory obligations. For example, in response to a request from a court or regulatory body, where such request is made in accordance with law.
• Protect our legal rights (including where necessary, to share information with law enforcement and others), for example to defend claims against us and to conduct litigation to defend our interests.

If you provide us with a testimonial, which may include Personal Data such as your name or alias, location, age, treatment details, and photographs, we will retain this data for as long as necessary to fulfil the purposes for which it was collected. We will always process this data in accordance with our data retention policies, and you may be contacted after a certain period to ask if you wish to provide an updated testimonial.

The primary purpose of collecting and using testimonials (including related photographs, and data) is for marketing purposes. This may include displaying the materials on our website, social media platforms (including but not limited to Facebook, Instagram, and Reddit), and within marketing emails. Additional marketing channels may also be utilised as part of our broader marketing strategy and business needs.

Subject to your consent, we may also provide you with marketing including special offers, promotions and discounts from HeliosX entities.

Lawful grounds for Processing

To Process your Personal Data, we rely on one or more of the following legal grounds:

• Your consent to Processing activities. For example, where you have consented to us using your information for marketing purposes, or as part of your use of the Services (i.e. when providing your health information to track your progress). You may withdraw your consent at any time by contacting us.
• Contractual necessity: For example, the request for content, products or services including Processing of your Personal Data to be taken prior to entering a contract with you and any Processing that is necessary for the performance of such contract.
• Legitimate interests we or a third party pursue as a business, except any overridden by your interests and fundamental rights. We may rely on this legal ground to, for example, keep business records, assert our legal rights and obtain professional advice.
• Compliance with any legal or regulatory obligation to which we are subject. For example, we may Process your Personal Data to comply with tax and accounting obligations.

For health data, HeliosX, its pharmacists and other medical staff also Process your Personal Data on the basis that it is necessary for your medical diagnosis or for the provision of your healthcare or treatment. We never hold more health data than we need for these purposes and we have assessed that processing this data is a reasonable and proportionate way of providing your healthcare. Without this information, we would not be able to diagnose or prescribe you with your medication.

Disclosing your Personal Data

In order to provide our products and services, we may, occasionally, appoint other organisations to carry out some of the Processing activities on our behalf. We will not share your Personal Data with any organisation other than those directly involved in delivering these services.

We may also share your personal data

• Business entities within the HeliosX group where that business entity is providing a specific service as part of our service to you (including to dispense and deliver medicines you have ordered) or data processing services to support the service delivery.
• Our advertising partners who enable us to deliver personalised ads to your devices or similar advertising.
• Our outsourced service providers or suppliers to facilitate the provision of our products and/or services to you.
• Our marketing partners, who may contact you by post, email, telephone, SMS or by other means. If you do not wish to be contacted, you may unsubscribe by clicking "unsubscribe" in the message concerned.
• Analytics and search engine providers that assist us in the improvement and optimisation of our website and app. Your Personal Data is generally shared in a form that does not directly identify you.
• Our data centre provider for the safe keeping of your Personal Data, webhosting provider through which your Personal Data may be collected.
• Third party service providers and consultants in order to protect the security or integrity of our business, including our databases and systems and for business continuity reasons.
• Our Group companies who may contact you by email, phone or post about other products and services (including those from other organisations) in which you may be interested (where you have consented to such communication).
• Another legal entity, on a temporary or permanent basis, for the purposes of a joint venture, collaboration, financing, sale, merger, reorganisation, change of legal form, dissolution, or similar event. In the case of a merger or sale, your Personal Data will be permanently transferred to a successor company.
• Public authorities where we are required by law to do so;
• If required, in order to receive legal advice.
• Any other third party where you have provided your consent.

Security of Personal Data

We take the security of your Personal Data seriously.

HeliosX uses security technology, including firewalls, Secure Socket Layers and Web Application Firewalls to protect information submitted through this website and has procedures in place to ensure paper and computer systems and databases are protected against unauthorised disclosure, use, loss and damage.

International Transfers of Personal Data

In the course of our operations, your personal data may be Processed within our group of companies located in the United Kingdom (UK).

Some of our partners to whom we may disclose Personal Data are located within the European Economic Area (EEA). For transfers within the EEA and UK, we rely on adequacy decisions made by the United Kingdom Government or the European Commission, confirming that the data protection standards in those countries are sufficient.

For transfers to third countries outside the UK and EEA and which are not covered by an adequacy decision, such as the United States, we ensure that appropriate safeguards are in place. These safeguards include using the UK's International Data Transfer Agreement (IDTA) or Standard Contractual Clauses (SCCs) approved by the UK Secretary of State or the European Commission, the UK International Data Transfer Addendum (UK Addendum) or other mechanisms permitted under Article 46 of the UK or EU GDPR (, which now include self-certification to the EU-U.S. Data Privacy Framework or UK-US Data Bridge.

Retention of Personal Data

We take measures to delete your Personal Data, or keep it in a form that does not permit identifying you when this information is no longer necessary for the purposes for which we Process it, unless we need to retain certain information where we have a continued legitimate and lawful purpose to do so; as required by law, including to comply with tax requirements; or for as long as is reasonably necessary to meet regulatory requirements, resolve disputes, prevent fraud and abuse or enforce our terms and conditions.

When determining the specific retention period, we take into account various criteria, such as the type of service provided to you, the nature and length of our relationship with you, and mandatory retention periods provided by law and the relevant statute of limitations. For example, we retain your medical records for 8 years after we initially collect the data. These records contain personal and medical data, contact details and messages exchanged with clinicians and patient advisory teams. If you wish for your medical record to be closed before the 10-year retention period, we will deactivate your account which means access will be revoked.

Your Rights

• Right to Make Subject Access Request (SAR)

You may request a copy of the Personal Data we hold about you. For example, this could include a copy of your medical record, a transcript of a phone call, and so on.

If you would like to make a SAR (i.e., a request for copies of the Personal Data we hold about you), you may do so by emailing hello@medexpress.co.uk

• Right to rectification.

You may request that we rectify any inaccurate and/or complete any incomplete Personal Data.

• Right to erasure.

You may request that we erase your Personal Data and we will comply, unless there is a lawful reason for not doing so. For example, there may be an overriding legitimate ground for keeping your Personal Data, such as, a legal obligation that we have to comply with, or if retention is necessary for us to comply with our legal obligations.

• Right to restrict and withdraw consent.

You may, as permitted by applicable law, withdraw your consent to the Processing of your Personal Data at any time. Such withdrawal will not affect the lawfulness of Processing based on your previous consent. Please note that if you withdraw your consent, you may not be able to benefit from certain service features for which the Processing of your Personal Data is essential.

• Right to data portability.

In certain circumstances, you may request that we provide your Personal Data to you in a structured, commonly used and machine readable format and have it transferred to another provider of the same or similar services. We will comply with such transfer where required by law as far as it is technically feasible. Please note that a transfer to another provider does not imply erasure of your Personal Data which may still be required for legitimate and lawful purposes.

• Right to object to Processing.

You have the option, as permitted by applicable law, to request that we stop Processing your Personal Data. In certain situations where our service may not be suitable for you, we use automated Processing and profiling to support our clinical team. Occasionally, this involves automated decision-making without direct input from a clinician. You have the right to object to this Processing and request that a clinician reviews the decision.

Your right to log a complaint with the supervisory authority

We suggest that you contact us about any questions or if you have a complaint in relation to how we Process your Personal Data.

However, you do have the right to contact the relevant supervisory authority directly. To contact the Information Commissioner's Office (ICO), the supervisory authority in the United Kingdom, please visit the ICO website for instructions.

6. UPDATES TO THIS PRIVACY NOTICE

We may amend this Privacy Notice at any time. Any changes we may make will be posted on this page, so please check back frequently. Your continued use of our website and our services after posting will constitute your acceptance of, and agreement to, any changes.

You can see when this Privacy Notice was last updated by checking the "last updated" date displayed at the top of this Privacy Notice.

7. HOW TO CONTACT US