Privacy Notice  |  Suvera Ltd

About us

We are Suvera Ltd and we are located at Second Home, 68 Hanbury Street, London, E1 5JL.
We are registered Companies House under number 12237910 and with the ICO under number ZA567382
If you need to contact us about your data, you can email us at privacy@suvera.co.uk

What we do

Suvera Ltd operates a virtual clinic with health professionals that virtually manage patients with long-term conditions, such as hypertension, diabetes, asthma, COPD, depression and anxiety.

Privacy and information governance are essential to the provision of trusted technology services, particularly in healthcare. At Suvera, we put this at the heart of what we do, not just because of our legal obligations, but because we, our friends and our families are all patients too. We all want to experience high quality healthcare whilst being in control of our data and how it is used.

Our role

Typically, we act as a processor on behalf of your GP. This will be when your GP surgery has invited you to use our service, rather than you signing up of your own accord and asking us to share data for you with your GP. When we are a processor of your data, then all data is processed in line with your GP practice’s privacy notice and you should contact them for any queries.

This privacy notice applies to the data that we process when we are a controller of personal data. That will usually be the data of potential and existing employees, suppliers, direct patients, website users and then technical data when you use Suvera.
Being a controller means that we are trusted to look after and deal with your personal information in accordance with this notice. We determine the ways and means of processing your data and must therefore, be accountable for it.

How we process your data

The best way to understand how we process your data is to click on the role that best describes you.

I have signed up on your website to register an interest in your service

Data that we process
If you have registered your details on our website then the only data we process is the data you gave us (your name, GP practice and email address). We use this data so we can

a) let you know when Suvera becomes available for general release
b) we use the GP practice name so we can tell the practice the aggregated number of their patients potentially interested in using the service.

Lawful basis for processing
We rely on legitimate interest to process this data, based mainly on the fact that you showed an interest in our service so we do not think this processing outweighs your rights and freedoms.

Retention period
We hold your data only until such time as we have told you that Suvera is available with your GP. We have no reason to keep it any longer for this purpose, and we hope that you then continue to use our products and services via your GP.

Data Sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. If data is transferred from the UK to the EEA then it is done so on the basis of those countries having a comparable data protection regime to the UK (adequacy).
We do not sell your data to anybody.

I am using your service

Data that we process
If you need to understand how your health and identify data is processed, then you need to speak directly to your GP practice. We operate only on their instruction when providing our virtual clinic services.
When you use Suvera and create an account with us, we process usage data, such as when you open and close our software, what product features you use and what device you are using. This allows us to improve our software by better understanding your workflows, to provide you with usage data, to monitor the functioning of our software and to prevent fraud, cyberattacks and other dishonest behaviour.

Lawful basis for processing
We collect usage data, we ask for your consent via the cookie banner.

Retention period
This data is retained for a year, after which we either anonymise it or delete it from our systems. If you withdraw consent to capture this data then anything that can personally identify you is deleted. Anonymised data is not considered personal data so will not be deleted.

Data Sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have data processing agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example standard contractual clauses. If data is transferred from the UK to the EEA then it is done so on the basis of those countries having a comparable data protection regime to the UK (adequacy). We do not sell your data to anybody.

I am a GP

If you have entered into a contract with us to provide services to your patients then the only personal information we will hold are your contact details, name of the practise where you work, and your signature if it was you that signed the contract with us. We will also have a correspondence between us, but this is unlikely to contain personal data; only commercial. We also use your email address to keep you up to date with any news about Suvera that we think is relevant. You can opt out of these emails at any time.

Our lawful basis for processing this data is the fulfilment of a contract with you or legitimate interest for using the data for marketing emails.

We retain your data for the length of our contact and then 7 years in case of any legal disputes (which we hope there aren’t any!)

If you are a Health Care Professional that has not signed a contract with us, but we believe may be interested in our services then we will likely hold your contact details with a view to introducing our services to you. We would have gathered this information from external sources such as NHS websites and Wilmington Healthcare. We will abide by our obligations of the GDPR to inform you that we have this data, ideally within 30 days of receiving it, and let you know why we will be processing the data and to give you the chance to opt out of communications with us.

Our lawful basis for processing is legitimate interest (we believe that you will be interested in our service and we need to be able to communicate with GPs to grow our business). When we email, we do so under the ICO guidance on direct marketing and PECR regulations; where we are able to send relevant marketing emails to businesses as long as we give you the chance to opt out at any time. A link to unsubscribe will be available in every email we send.

We retain this data for these purposes until you unsubscribe (in which case we will move you to a suppression list so we don’t accidentally contact you again), or if you have not expressed an interest in our product after an interaction between us.

Data Sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have data processing agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example standard contractual clauses. If data is transferred from the UK to the EEA then it is done so on the basis of those countries having a comparable data protection regime to the UK (adequacy).
We do not sell your data to anybody.

I have applied for a job with you

Data that we process
As a potential employee we hold the following data on you:
Contact details, CV, email correspondence with you, pictures, videos and information from Facebook and LinkedIn-accounts, answers to questions asked through the recruiting, title, education and other information the User or others have provided through the Service. If you are successful in gaining employment with us then you will fall under the employee privacy notice going forward which will be provided to you when you sign a contract with us.We also carry out pre-employment checks, as legally obligated to do so by HMRC and various visa requirement bodies..

Lawful basis for processing
Our lawful basis for processing your data is a combination of contract, legitimate interest and consent. When you applied for a job it was with a view to entering into an employment contract with us. If we decide not to go forward with your application then we use legitimate interest to retain the data should the chosen candidate not work out or another role become immediately available. We use consent if we want to keep your contact details for longer than our usual retention period.

Retention period
For unsuccessful candidates we will keep your data on our database for a year after your application. This is in case another more suitable role opens up, or in case the position becomes re-available. If we want to keep the data longer than this then we will ask for your consent.

Data Sharing and transfers
We do not sell your data to anybody

I have agreed to join your feedback program

Data that we process
If you have agreed to provide us with feedback then Suvera will process your name, your phone number, and the feedback you give us. We use these contact details to send you a gift voucher as a gesture of appreciation.

Lawful basis for processing
We rely on legitimate interest to process this data, based mainly on the fact that you showed an interest in providing feedback so we do not think this processing outweighs your rights and freedoms. Because you may give us health information, we ask for your consent to process this data at the start of each feedback session and also ask your consent for us to record the call.

Retention period
We delete the call recordings after 6 months. All feedback is then anonymised after 6 months and aggregated.

Data Sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have data processing agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example standard contractual clauses. If data is transferred from the UK to the EEA then it is done so on the basis of those countries having a comparable data protection regime to the UK (adequacy).

We do not sell your data to anybody.
If you wish us to share your feedback with your GP then we can do, but we do not do this routinely.

I am a supplier of yours

Data that we process
As a supplier, we hold the contact and payment details required to carry out our contract with you and data to manage our relationship with you. This data would have been sourced from you directly, although your contact details may have been sourced from a recommendation or another source, with the intention of entering into a contact with you.

Lawful basis for processing
Our lawful basis for processing your data is contract; all data is used to enable us to fulfil our contract with you, including paying you and managing our relationship with you.

Retention period
We hold your data for the length of time you are a supplier to us and for 7 years afterward in case of any disputes and for accounting purposes.

Data sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have data processing agreements in place with these providers. Where data is transferred outside of the EEA, we ensure that appropriate protection and mechanisms are in place, for example standard contractual clauses. We do not sell your data to anybody. If data is transferred from the UK to the EEA then it is done so on the basis of those countries having a comparable data protection regime to the UK (adequacy).

We may share your contact details if someone asks us for a recommendation. We will always contact you before we do this unless it is your company name and switchboard phone number that we share.

I am just visiting your website (Cookie Policy)

We ask for your consent before we drop any third party or unnecessary cookies. For strictly necessary cookies, we rely on legitimate interest as we need these for our website to work.

“Cookies” are small text files placed on your device (e.g. computer, phone or tablet) when viewing certain pages in our software. Cookies allow us to keep track of some of your browsing preferences and optimise our software for your personal use. Cookies also allow us to automatically track certain information about how you navigate through, and interact with, our software, which helps us to measure its performance and to improve its design and functionality.

For more information on cookies, please visit www.allaboutcookies.org

We use the following cookies:
Strictly necessary cookies. These are cookies that are required for the operation of our software. They include, for example, cookies that enable you to log into your account.Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our software when they are using it. This helps us to improve the way our services works, for example, by ensuring that users are finding what they are looking for easily.Functionality cookies. These are used to recognise you when you return to our software. This enables us to personalise our content for you and remember your preferences (for example, so we can remember the state of your questionnaire if you reload the page while filling it in).Targeting cookies. These cookies record your visit to our software, the pages you have visited and the links you have followed. We will use this information to make our software and the advertising displayed on it more relevant to your interests.

Your rights

As a data subject you have rights in respect of our processing of your personal data.

  • Your right of access - you have the right to ask us for copies of your personal information.
  • Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing - you have the right to ask us to restrict the processing of your information in certain circumstances.
  • Your right to object to processing - you have the right to object to our processing your information if the legal basis is legitimate interests.
  • Your right to data portability - this only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under a contract, or in talks about entering into one, and the processing is automated.

If you want to exercise any of these rights, please just contact us on privacy@suvera.co.uk

You also have the right to lodge a complaint about our processing with a supervisory authority — in the UK that is the ICO whose details are here: https://ico.org.uk/make-a-complaint/

Security measures

Technical and operational security measures
All of our employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects.
Our offices have physical security in place, All data is password protected, access controlled by two-factor authentication, backed up securely and encrypted when appropriate. Data privacy by design and default is an integral part of our development processes. We have a range of internal agreements and policies in place for information governance, network security, information handling, remote working, business continuity, confidential information, incident reporting, access control and staff confidentiality. We review these policies at least annually and will update them if a product or business change necessitates.

Business changes

What happens if our business changes hands?
We may, from time to time, expand or reduce your business and this may involve the sale and/or the transfer of control of all or part of your business. Any personal data that you have provided will, where it is relevant to any part of your business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, depending on the lawful basis, be permitted to use that data only for the same purposes for which it was originally collected by us.

In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.

Changes to our privacy notice

We may change this privacy notice from time to time (for example, if the law changes). We recommend that you check this page regularly to keep up-to-date.

If we make any material changes to the manner in which we process and use your personal data, we will contact you to let you know about the change.

Data sharing and transfers

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the UK and EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses. If data is transferred from the UK to the EEA then it is done so on the basis of those countries having a comparable data protection regime to the UK (adequacy).

We do not sell your data to anybody.