Effective and updated 1st April 2024

1. Who we are

Mahi.health is a website and service operated by Pink Green Health Limited. The Company is registered with the ICO as a data controller and processor under the registration ZB540350. The Company is registered in England and Wales under company number 14240050. The registered office is 85 Great Portland Street, London, W1W 7LT.
 
In this policy, ‘we’, ‘us’ and ‘our’ refers to Mahi Health and ‘You’ means the person the information relates to. We are required by law to tell you how we use any personal information we hold on you. The policy can be accessed at mahi.health/privacypolicy. This policy sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed by us and how you can get access to this information. In the European Economic Area (EEA) or the United Kingdom (UK) ‘personal information’ means any information relating to an identified or identifiable individual. Please review it carefully.
 
2. Purpose of the Policy

“We” provide you the “user” access to online services which may also be accessed by your mobile/cell phone. This includes but is not limited to mahi.health and all associated domains (the “website”), and future services including mobile/cell phone apps. This also includes any healthcare tracking technology. Collectively we call this the “website”. This policy is designed in accordance with numerous national and international regulation frameworks, including (but not limited to) the General Data Protection Regulation (“GDPR”), the UK Data Protection Act 2018 (“DPA2018”) and the UK General Data Protection Regulation (“UKGDPR”).
 
3. Personal Information we hold

We may collect personal information including demographics including but not limited to personal data such as your name, address, email address, contact information, financial information, health and lifestyle details that are relevant to the services you are interested in and device identifiers including internet protocol (IP) address and; Special Category Data such as information relating to your health, medical history, treatments both current and to be prescribed. Specific information may include but is not limited to; smoking status, body mass index (BMI), ethnicity, height, weight and blood pressure (BP). Information collected includes monitoring system visits and resources you access including but not limited to, traffic data, location data, health information articles, logs of communication within the platform and any resources you access.
 
4. Where this information comes from

This information comes from the following sources but is not limited to: using our website or mobile application, registration to use certain services, placing orders for services, products and medication available on the website, providing information on the website, using medical or coaching services, written or verbal communication via telephone or email, downloading our mobile applications or using our website, which allow us to collect information about any devices or software you use to access our services and your IP address, using and managing your account once registered (we may take information such as the date, amount and payment history), other service providers such as payment platforms, advertising and analytics and giving information to us at any other time, including through social media.
 
If you do not provide us with certain information that we request, you may be restricted in the services that you are able to access. If connected to the website we may be able to access health-related data from health tracking technology. Information stored includes routine data analytics regarding your use of the website including, but not limited to, link clicks, non-sensitive text, mouse movement, operating system type, version, browser or app version, time zone setting and usage of iphone and android apps. Your information may be provided to us in the form of an electronic patient record referral or through a secure online platform in order to refer to our services via the NHS or GP surgery. These partners will ask for your consent before providing information to us.
 
5. Purposes for Processing

Under data protection laws, whenever we process your personal information, we must have a legal basis for doing so. We currently rely on these legal bases to process the activities we carry out. The performance of a contract between “you” and "us” or in order to take steps at the request of “you” prior to entering into a contract with “us”. Article 6(1)(b) of the GDPR regulation. Except for Direct Marketing for which we gain clear consent. Article 6(1)(a) of the GDPR regulation.
 
Special Category data: outlined in Article 9 of the GDPR: Article 9(1) - which includes data concerning health and biometrics, as processing is necessary for: Article 9(2)(h) - medical diagnosis, the provision of health care and/or treatment and/or management of healthcare systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3: Article 9(3): personal data referred to in point a, may be processed for the purposes of point b, when those data are processed by, or under the responsibility of a professional or another person subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies.
 
We only process your personal information under a valid ‘legal basis’ in the EEA and UK which includes:

You have consented to the use of personal information, for example to send marketing information or use cookies. Out of contractual necessity. We need your information to provide you with services. We have a legal obligation to use personal information for certain processes e.g. tax and accounting. There may be legitimate interests in using personal information with us or third-parties. For example in product development and internal analytics. We may use it to improve the performance, safety and quality of services. A third party may be required only to process your information provide they are not overridden by your rights and interests.
 
6. How we use your information

We take the use of, and protection of your data seriously. We aim to ensure the privacy, quality and integrity of your personal information. We have policies, procedures and safeguards in place to help protect personal information from improper use and disclosure. We use your information principally to provide you a service and deliver our contract to you. We may collect and use your personal information, including your special category data if you have given us specific consent. All personal data and information is used for but not limited to, internal operations, planning and other activities that assess and improve service quality and cost-effectiveness. This information may be used to communicate with you and to complete tasks required for providing you a service. We may use automated-decision making tools as part of the service.

Our policies are based on a Minimum Necessary Access principle. Any required disclosure of identifiable information is minimised. There are specific examples in which we may disclose information. This list is not exhaustive but it is representative of how information may be processed. Certain disclosures may require your authorisation. Information on disclosures is provided in section 7
 
7. Sharing your information with others

We may share information to ensure we can provide a service to you. We may use the information to communicate with you in the event of product unavailability, disruptions to service, queries, complaints or to obtain feedback. We may use the information to carry out security checks such as confirming identity. We may use this information to manage your account on the website, for research and statistical purposes, to keep you informed of any products or services you use on the website, to improve on the services and products available to you, to develop a more personalised service.
 
Whilst we will ensure that your information is kept protected, we may need to share your information, for purposes set out in this policy, with: Our partners in delivering services or products to you and other service providers, agents and their subcontractors. Examples of disclosures: Disclosure at your request: relating to your use of the website when requested by you as the user. Payment: We do not store your details. These are managed by our third party processor, Stripe. They store your information and transaction details. Evidence of transactions are stored on secure servers.
 
Operations, reminders and notifications: Persona information may be used for internal operations, including administration, planning and improving quality of the service. This might include internal training, customer services, surveys to improve quality. You may receive communications frok us as reminders for interaction or to complete actions.
 
Third party service providers: We may share information with third-party service providers who are providing services on our bhehalf including those acting as data processors. Third-parties are are subject to privacy and security obligations consistent with our privacy policy, and within legal data protection frameworks. They are only able to use and process information as specified by us. Service providers may include secure web servers in the EU and US, search engine website providers, and other service providers who enable us to allow service provision, collect information or assist you with an issue.
 
Anonymised information may assist us in marketing and advertising activities or improving our service and website. These services are used to enhance and improve the user experience and to perform any other function that Mahi Health believe in good faith is required to protect and ensure the proper functionality and security of the website.
Third party medical professionals: With your consent we may disclose personal information to a third-party medical professional nominated by you: e.g. GP or local NHS service. This may be in the form of a discharge letter or an electronic disclosure to an electronic patient record.
 
Threat to health and safety and safeguarding: Information may need to be provided without consent if there is an immediate threat or high risk threat to your health and safety or that of another individual including minors under the age of 18. Any disclosure would be done within legal frameworks, protect individuals and/or prevent a threat.
 
As required by law: Certain laws permit or require use and disclosure of personal information, for example, for public health activities and law enforcement. We may be required to disclose personal information for these and other compliance purposes. If this is required by applicable laws and regulations, requested by judicial process or government agencies. We will only use or disclose personal information that the law requires.
 
Research and publicity purposes: Personal information may be used for internal and external publicity and research purposes. This information will remain non-identifiable unless express consent has been obtained by the user. This information may be used for provision of public information of academic research. Transfer of business assets: If Mahi Health or substantially all of its assets are acquired by a third party, personal information held by it about its customers will be one of the transferred assets.
 
Except as described above, we will never share your personal information with any other party without your consent.
 
8. Sharing your information outside the European Economic Area (EEA)

On occasions, we may need to process your information outside of the EEA. We do this by: An approved mechanism in line with GDPR requirements called pseudonymisation which means that any identifiable information such as your name, address, etc is replaced with a pseudonym. Including conditions in our contracts with other service providers that they protect your information to the standard required in the EEA or equivalent.
 
9. Where we store your information and important storage security information

Mahi Health stores information in Amazon Web Services where data is stored within the EEA and US and is protected under the Privacy Shield frameworks. Our software is compliant with certifications including SOC 2, CSA, ISO 27001. Vulnerability testing is built into the website including OWASP Top 10 and continuous monitoring technologies. We use AWS RDS’s AES-256 encryption to encrypt data at rest. We utilise these technologies through third-parties for your data protection.
 
We have made reasonable efforts to protect your information by using physical and electronic safeguards designed to improve and maintain the security of information we retain and maintain. No electronic transmission or storage can be entirely secure against threats so we can make no guarantees as to the security or privacy of information.
 
10. Data retention

Under ICO principle 5 and article 5 of GDPR and UK GDPR we retain personal information no longer than is necessary for the purpose we obtained it for. With the context that your personal information may be used for research purposes we will retain any information held on individuals for up to 10 years after that individual ceases use of the system. At this point individual’s information is deleted. You may request that we delete your information at any time. If you have concerns that any of your rights regarding personal information retention, maintenance or use by us, employees, agents or third-parties related to us please do contact us. 

Special category medical information is required by law to archive electronic patient records including your personal information, communication and treatments indefinitely for the foreseeable future. Please note that this data is stored but not used in any way.
 
11. Children & Adolescent Privacy

We do not knowingly collect, maintain or user personal information for any individual under 18 years of age. No part of our service is directed to children. If you are aware a child has provided us personal information then do alert us at the earliest opportunity by using our contact forms. 
 
12. Your Rights

You have rights to the way we use your information: You have the right to ask us for a copy of the information we hold on you. You have the right to ask us to correct or update any information you think is incorrect or incomplete. (We will correct what we believe to be incorrect or incomplete. You have the right to object to your information being used for research, statistical and direct marketing purposes and/or withdraw consent.
 
You have the right to ask us to stop using your information. We will stop using your information if there is no legal reason for us to continue to hold or use it. You have the right to object to any automated decision making. This could affect your ability to fully access our products and services. You have the right to ask us to stop using your information for marketing purposes by opting out during the registration process or updating your preferences once registered. You have the right to ask us to transfer certain personal information or a copy of some of your information to you or to another organisation, including service providers, in a format they can use where this is technically possible, known as the ‘right to data portability’.
 
You have the right to withdraw any permission you have previously given us to use your information. To use the rights set out as above, go to the ‘contact us’ section for the various methods by which you exercise those rights.
 
13. Cookies

We may obtain personal information about your usage of the website by using a cookie file which is stored on the hard drive of your device. Cookies help us to give you a smooth user experience, improve the website and deliver better services. They enable us to recognise when you return to the website, maintain personal information you have entered, speed up searches, understand usage patterns and store information about your preferences. They may allow us to customise the site according to your preferences.

We and third-parties may use different types of cookies including google analytics cookies to inform, optimise and serve ads based on past visits to the website via other sites known as remarketing. Opting out can be donje by using your Google Ads preferences manager. Below is an overview of types of cookies that may be used.
 
Strictly necessary cookies may be necessary to make the services available to you. Without these we cannot provide services to you. Functional cookies are used to recognise you when returning back to access services. Our content may be adapted to you and remember your preferences e.g. language or region. Analytical or performance cookies may bemused to operate, maintain and improve services. Third party analytics providers may be used to support the service. Where required by applicable law, we obtain consent to use cookies. You can refuse to accept cookies by changing your device settings. If you select this you may not be able to access all parts of the system. Our system may issue cookies unless you change specific settings within your browser.
 
14. Other information

Our website may contain links to external websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.
 
15. Contact us

Options:
Use our online contact forms.
E-mail directly to info@mahi.health
Write to us at: Pink Green Health Limited, Mahi Health, 1st Floor, 85 Great Portland Street, W1W 7LT
 
16. Policy amendments

We reserve the right to revise this policy and to make the revised policy effective for all personal information prior to the effective date of the revised policy. If we make any changes to this notice or change how we use your information, we will post a notification update on our website. In certain cases we may email you directly using the information we have information stored on the system.