Last updated on 17th of January 2024
At Embla Health UK Limited ("Embla", "we", "us" or "our") we give high priority to data protection, confidentiality and data security. This Privacy Policy applies to our processing of personal data in relation to activities covered by our website www.joinembla.com (the "Website") and our app "Embla" (the "App") (collectively referred to as the "Platform"). This Privacy Policy sets out the guidelines for Embla's way of processing your personal data as permitted by the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) and the Data Protection Act 2018 (DPA 2018) (”UK GDPR”).
At the same time, this Privacy Policy provides you with the information you are entitled to receive in accordance with applicable data protection legislation. You must read this Privacy Policy before submitting your personal data to Embla.
The data controller of your personal data is:
Embla Health UK Limited
Company number: 14312585
Address: 34-35 Clarges Street, Mayfair, London, United Kingdom, W1J 7EJ
Email: [email protected]
Embla collects information directly from you in the following ways:
• When you use the App
• When you use of the Website
• When you contact us or communicate with us via the Platform (e.g. online video consultation) • When you contact us or communicate with us via email
Your interaction, purchase of services and, in some cases, consents provided by you will determine which parts of this clause 2 “Types of personal data, purposes, lawful basis and deletion” of this Privacy Policy are relevant to you.
We process the following personal data about you when you receive online healthcare treatment via the Platform as a result of your purchase of one or more of our services:
Standard personal data
• Name
• Email address
• Job title
• Age
• Sex
• Birthday
• Telephone number
• Correspondence
Special category personal data
• Health data that is necessary to process in order to provide healthcare professional treatment (e.g. medicines, symptoms and diseases).
Embla makes an initial assessment of what healthcare professional treatment you need. We do this to assess how your further treatment/course should be organised and to provide you with the correct online health care, coaching, teaching and advice. In addition, we process personal data in order to print the correct prescriptions.
The processing of your personal data for healthcare purposes takes place in order to fulfil, or in order to take steps at your request prior to entering, the contract concluded with you (Article 6(1)(b) of UK GDPR).
When processing special category personal data for record-keeping purposes we do so as processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems pursuant to a contract with a health professional and under the responsibility of that professional who is subject to the obligation of professional secrecy (Article 9(1)(h) of UK GDPR).
Personal data covered by medical record requirements are stored for 10 years from the last record in accordance with the Access to Health Records Act 1990. Records that are the subject of complaint, supervision or compensation cases are deleted after the final conclusion of the case if the case extends beyond the 10-year period.
We process the following personal data about you when we need to enter your information in the health journal: Standard personal data
• Name
• Email address
• Job title
• Age
• Sex
• Birthday
• Telephone number
• Correspondence
• Social registration number (confidential personal data)
Special category personal data
• Health data that is necessary to process in order to provide healthcare professional treatment (e.g. medicines, symptoms and diseases)
We process the above personal data in order to comply with our legal obligation (Article 6(1)(c) UK GDPR) to keep patient records in accordance with the Access to Health Records Act 1990. We are subject to this obligation as the treatment and advice are carried out by our doctors.
When processing special category personal data for record-keeping purposes we do so as processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems pursuant to a contract with a health professional and under the responsibility of that professional who is subject to the obligation of professional secrecy (Article 9(1)(h) of UK GDPR).
Information covered by the record requirements is stored for 10 years from the last record in accordance with the relevant legislation. Records that are the subject of complaint, supervision or compensation cases are deleted after the final conclusion of the case if the case extends beyond the 10-year period.
We process the following personal data about you when you keep a log of your health via the App:
• Diet and liquid
• Exercise
• Sleep
• Medicine
• Symptoms
• Weight
• Body measurements
• Status
In some cases, this personal data constitutes health data (special category personal data).
We process the above information in order for you to be able to follow your health on an ongoing basis via the logbook. When we process standard personal data as part of your use of the logbook of your health via the App we this takes place in order to fulfil, or in order to take steps at your request prior to entering, the contract concluded with you (Article 6(1)(b) UK GDPR).
When processing special category personal data for record-keeping purposes we do so as processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems pursuant to a contract with a health professional and under the responsibility of that professional who is subject to the obligation of professional secrecy (Article 9(1)(h) of UK GDPR).
Information through your logbook may also be processed for other purposes and with another legal basis as set out elsewhere in this Privacy Policy.
We prioritize the protection of your privacy, and as a general practice, we do not share your personal data with third parties. However, we may engage in the sharing of anonymized and aggregated data for statistical analysis and research purposes. This data sharing is conducted with statisticians or research professionals who are bound by confidentiality agreements and ethical standards.
The anonymized data is used to derive insights into overall trends, patterns, and behaviors, contributing to the improvement of our services and the advancement of scientific understanding. Rest assured, any data shared in this manner is stripped of personally identifiable information, maintaining your anonymity and privacy.
Request to delete app data
If you wish to request the deletion of your app data, please follow the steps outlined below:
- Send an email to our dedicated privacy email address: [email protected].
- Use the email address that is associated with your account on our platform.
- Clearly state "Request for Deletion of App Data" in the subject line of your email.
Our team may reach out to you to verify your identity before proceeding with the deletion request. This is to protect your privacy and ensure that only authorized individuals can request data removal.
Please allow a reasonable amount of time for our team to review and process your deletion request. We strive to handle such requests promptly, and your patience is appreciated.
Important Note: Deleting your app data may result in the loss of certain account information and preferences. This action is irreversible, and we advise users to carefully consider the consequences before making a deletion request.
We process the following personal data about you via your journal or logbook for the purpose of quality assurance, compiling statistics and analyses as well as to improve the Platform:
Standard personal data
• Name
• Job title
• Age
• Sex
• Birthday
• Fluid intake
• Diet
• Sleep
• Social registration numbers (confidential personal data)
Special category personal data
• Health information (e.g. medication, symptoms, details of exercise carried out and combination of general personal data that may lead to discharge about my health).
When processing data about you via your journal or logbook for the purpose of quality assurance, compiling statistics and analyses as well as to improve the Platform Embla anonymises your information as soon as possible after extraction from your journal.
We process the following personal data about you if it is necessary to comply with our legal obligations under health legislation (including reports, etc.):
Standard personal data
• Name
• Email address
• Job title
• Age
• Sex
• Birthday
• Telephone number
• Correspondence
• Social registration number (confidential personal data)
Special category personal data
• Health data
The processing of your personal data is carried out for the purpose of complying with our legal obligations, cf. Article 6(1)(c) (standard personal data) and Article 9(2)(g) of UK GDPR, cf. health legislation (for special category personal data).
We may process the following personal data about you if it is necessary to establish, defend and assert legal claims.
Standard personal data
• Name
• Email address
• Job title
• Age
• Sex
• Birthday
• Telephone number
• Correspondence
• Social registration number (confidential personal data)
Special category personal data
• Health data
The processing of your personal data is carried out as a result of our legitimate interest in being able to establish, defend and assert legal claims, cf. Article 6(1)(f) (general personal data). Where we process special category personal data for this purpose we do so as it is necessary for the establishment, exercise or defence of such claims Article 9(2)(f) (UK GDPR).
Records that are the subject of complaint, supervision or compensation cases are deleted after the conclusion of the case, if the case extends beyond the 10-year retention period.
We process the following personal data about you when you purchase healthcare services from us via our Platform or over the phone:
• Name
• Address
• Telephone number
• Information about your purchase and payment
We process this personal data in order to enable us to perform the contract, or in order to take steps at your request prior to entering into a contract, between us (Article 6(1)(b) of UK GDPR), , invoice you and to comply with our legal obligations Article 6(1)(c) of UK GDPR.
The above personal data may also be processed to enable us to perform the contract, or in order to take steps at your request prior to entering into a contract, between us or on the basis of our legitimate interest in sending you service messages, e.g., Article 6(1)(f) of UK GDPR and Article 6(1)(b) of UK GDPR.
The personal data in question will be processed in connection with the processing of the individual order, after which these will be stored in our bookkeeping book for 5 years from the end of the financial year in order to comply with the documentation requirements.
We process the following personal data about you if you contact us via the Platform or email, including for the purpose of booking a free interview:
• Name
• Telephone number
• Height and weight
• Information you provide in connection with your contact with us, including from where you have heard about Embla
We do not record information about your BMI (data concerning health) unless you become a customer of Embla. The above personal data is processed on the basis of our legitimate interest in being able to respond to your
inquiries, advise you and to better market our services, cf. Article 6(1)(f) of UK GDPR and, in some cases, for the purpose of concluding an agreement, cf. Article 6(1)(b) of UK GDPR.
If a contract is concluded, we will store your personal data as long as you have ongoing services with us. Record keeping information is stored as specified elsewhere in this Privacy Policy. If your contact does not lead to a customer relationship between you and us we will delete this personal data 3 years after our last contact with you.
We process the following personal data about you if you agree to the publication of your photo, video or/and statements for marketing purposes:
• Your name
• Your age
• Statements (e.g., to use on our blog)
• Your photo, video or/and opinion that may contain certain information about your health
Publication of your image and statements via the Platform or social media is based on your prior freely given, specific, and informed consent, cf. Article 6(1)(a) of UK GDPR (standard personal data) and Article 9(2)(a) of UK GDPR (if special category personal data) and. You can withdraw your consent at any time, and we will then remove your photo, video and/or statement from the Platform and/or social media.
We process this personal data until your consent is withdrawn or until we choose to revoke the publication of your photo, video and/or statement. However, the declaration of consent itself is stored for 5 years from the moment of withdrawal of the consent.
We process the following personal data about you if you consent to receive news and other marketing material from us:
• Name
We process your personal data for marketing purposes on the basis of our legitimate interest, cf. Article 6(1)(f) of UK GDPR.
Your personal data and the associated consent will be deleted when the consent is withdrawn. However, the declaration of consent itself is stored for 2 years after withdrawal.
We process the following personal data about you if you choose to participate in a competition or event:
• Name
• Address
• Telephone number
We process the above personal data as a result of our legitimate interest in being able to register your registration in a competition or event and, in some cases, to be able to publish and notify you that you have won a prize and to comply with the competition conditions, cf. Article 6(1)(f) of UK GDPR and Article 6 (1) (b) of UK GDPR.
We delete your personal data 1 year after the event or competition you participate in ends. 2.12. Creating a user profile via the App
We process the following personal data about you if you choose to create a user profile via the App:
• Name
• Telephone number
• Password
• Username
The above information may also be obtained from Google, Facebook or Apple if you choose to create an Embla user profile via one of these media.
When creating a user profile, we process the above personal data in order to be able to create and manage your user profile at your prior request, cf. Article 6(1)(b) of UK GDPR. We will store your personal data until you choose to delete your user profile.
We process the following personal data about you if you choose to accept notifications (service messages) via the App or if other service messages are required by law or contract:
• IP address
• Email address
• Indication of whether notifications are requested
We process your personal data in order to be able to send notifications via the App as a result of our legitimate interest in fulfilling your request to receive these notifications in accordance with Article 6(1)(f) of UK GDPR and, in some cases, to comply with our legal obligations in accordance with Article 6(1)(c) of UK GDPR cf. health legislation and the Consumer Contracts Act as well as the contract entered into with you cf. Article 6(1)(b) of UK GDPR. You can unsubscribe from future notifications through the App at any time via the App and thus also object to this processing.
The information is processed for this purpose as long as there is an ongoing relationship between you and us, if we are legally obliged to send out service messages and, in certain cases, via the App as long as you have accepted receiving service messages through the App.
When you move around the Platform, personal data is collected via cookies in certain cases in the form of: • A unique ID number
• IP address
• Geographical position
• Digital tracks
• Which pages and places you visit
• Technical information
• Information about your behaviour and interests
For the above processing of your personal data, we are the independent data controller. The processing of personal data in relation to statistical and functional cookies takes place as a result of our legitimate interests in being able to offer you the best possible experience and services, cf. Article 6(1)(f) of UK GDPR. The processing of personal data in relation to marketing cookies, including on the basis of your preferences and interests, takes place on the basis of your prior consent, cf. Article 6(1)(a) of UK GDPR.
In addition, Embla always obtains permission (cookie consent) after the cookie order before collecting data and personal data. Your prior consent is also the required for the collection of personal data via cookies.
In order to process personal data in connection with cookies for the purposes mentioned above, we may provide access to your personal data to third parties who, on the basis of a contractual relationship with Embla, provide relevant services, e.g., IT suppliers, analysis companies and marketing providers. In addition, Embla discloses your information to third parties in certain cases. For information on the role of data protection law the third party, deletion deadlines and revocation of consent, etc., please refer to "cookie settings", which you can click on at the bottom left of our Website.
Embla and the relevant social media provider are joint data controllers for the processing of personal data collected in connection with your visit to Embla's profile or page on the relevant social media platform.
Embla has profiles or pages on the following social media:
Facebook (Meta Platforms, Inc.)
Facebook's privacy policy is available here
You can read the agreement on joint data responsibility here
You can customise your privacy settings on Facebook here
You can exercise your rights here
LinkedIn (LinkedIn Ireland Unlimited Company)
LinkedIn's privacy policy is available here
You can read the agreement on joint data responsibility here
You can customise your privacy settings on LinkedIn here
You can exercise your rights here
Collection of personal data
When you visit or interact with our social media profiles, Embla and the social media provider of that social media may collect, process and store the following types of personal data about you:
• Information available on your profile, including your name, gender, marital status, workplace, interests, photo and your city
• Whether you "like" or have used other reactions to our profile
• Comments you leave on our posts
• That you have visited our profile
The purposes of the processing
Embla processes your personal data for the following purposes:
• Improving our products and services, including our profiles and social media pages • Statistics and analysis
• To be able to communicate with you if you comment on a post, make a review or send us a message • Marketing in general
The social media providers process, among other things, your personal data for the following purposes: • Improving their ad system
• To provide embla statistics that the social media providers compile, among other things, on the basis of your visit to our profiles and pages
• Advertising and customising the activities on the page
Lawful basis
The processing of your personal data as joint controllers with social media providers is based on the following lawful bases:
• Legitimate interests: Embla bases the processing of your personal data on our legitimate interests in being able to communicate with and market Embla to you on our social media profiles, as well as our legitimate interest in improving our products and services (Article 6(1)(f) of UK GDPR).
The social media providers base the processing of your personal data on their legitimate interests, including their interest in improving their advertising system and providing statistics to Embla, which the
social media provider compiles, for example, on the basis of your visit to Embla's profile or social media page. In addition, social media providers have a legitimate interest in providing an innovative, individualised, secure and profitable service (Article 6(1)(f) of UK GDPR).
• Performance of contract: The social media providers may process certain personal data as part of performing the contract between you and them (Article 6(1)(b) of UK GDPR).
• Consent: The social media providers may process certain personal data in accordance with your consent, which you can withdraw at any time via your social media privacy settings (Article 6(1)(a) of UK GDPR).
Retention period
Your personal data will be stored until it is deleted via social media. You can always delete the information that you have provided yourself via comments and reactions. However, the information may be stored longer in anonymised form.
Please refer to the privacy policy of the social media provider of each social media for information on how long they keep your personal data.
Who do social media providers share your personal data with?
The social media providers may, among other things, share your personal data with the following categories of recipients:
• Other entities in the group the social media provider is part of
• External partners who provide analysis and survey services
• Advertisers
• Other individuals who visit our profile or social media page (to the extent that your information is publicly available)
• Scientists and other academics
You can find more information about who the social media providers share your personal data within the privacy policy of the individual providers.
The social media providers may transfer your personal data to recipients outside the UK and EU/EEA in accordance with applicable data protection legislation. You can read more in the privacy policies of the individual providers.
You can read more about who embla shares your personal data within section 3. "Disclosure and transfer of personal data to data controllers and data processors” of this Privacy Policy.
In order to fulfil the above purposes, Embla may provide third parties with access to your personal data who, on the basis of a contractual relationship with Embla, provide relevant services to Embla. Such service providers will only process personal data in accordance with our instructions under concluded data processing agreements. At present, Embla uses the following data processors or categories of data processors:
a. Record-keeping providers
b. Suppliers of email systems and IT solutions
c. Marketing providers
In certain cases, it will also be necessary to transfer your personal data to separate data controllers. These are the following categories of recipients on the basis of the following lawful bases:
a. Law offices, courts, and public authorities on the basis of our legitimate interest in establishing, defending and asserting legal claims (Article 6(1)(f) (standard personal data) of UK GDPR), Article 9(2)(f) of UK GDPR (health information)
Embla may also anonymise your personal data for the purposes of disclosure for marketing and sales purposes. Your personal data will be anonymised in accordance with our internal anonymisation rules. The processing of anonymous data can be done indefinitely and for all purposes, since in this case the data protection legislation does not apply. Healthcare data and Logbook data from our mobile app are never shared with marketing providers.
If your personal data is transferred to data processors or data controllers established in countries outside the UK and EU/EEA that do not have an adequate level of protection for personal data, such transfer will be based on approved standard contractual clauses. This will only be the cases in limited support situations from third counties viewed as not have appropriate levels protection for personal data and personal data will not be stored directly in such countries.
We protect the confidentiality, integrity and availability of your personal data. Therefore, we have implemented security measures to ensure that our internal procedures meet the established safety standards and applicable legal requirements.
In addition, Embla has developed and implemented internal rules on information security, which contain instructions and measures that protect your personal data from being destroyed, lost, altered, unauthorised disclosure, and against unauthorized access or knowledge of it. Our healthcare professionals are subject to statutory confidentiality. Your payment information will be processed by the third-party Stripe and we will not have direct access to card information.
• You have the right to access your personal data and to receive a copy of personal data that Embla processes about you, subject to certain statutory exceptions
• You have the right to have personal data that has become outdated or that is incorrect rectified • You have the right to request the restriction the processing or deletion of your personal data. However, Embla may be entitled or legally obliged to continue the processing
• In certain cases, you have the right to obtain the personal data that Embla has about you in a structured, commonly used and machine-readable format and to ask Embla to transmit this personal data to another data controller (data portability)
You have the right to withdraw any consents given, without prejudice to the lawfulness of the processing based on consent before its withdrawal at any time. To withdraw a consent, contact [email protected].
Our Platform may contain links to other websites and other apps. We are not responsible for the content of other companies' websites and apps or their associated privacy practices. When you visit other websites and other apps, you are encouraged to read the owner of the website and the app's privacy policy as well as other relevant policies.
If you have any questions about this Privacy Policy or if you wish to complain about the way we process your personal data, you are welcome to contact us via [email protected] and would welcome you doing so in the first instance.
If your complaint is not resolved by us and you want to proceed with the complaint, you can complain to the Information Commissioners Office:
Information Commissioner's Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Phone: +44 0303 123 1113
Information Commissioner's Office (ICO)
If we change or update the way we process your personal data, we will notify you in advance. This gives you the right to object to the new processing of your personal data. If you use the App, it will also appear in your profile section. You can always find the updated Privacy Policy on our Website and through the App.