Last updated: December 7th, 2023
The type of information about you that we collect
How that information is used
Who will have access to that information
How long we will hold your personal information for
Our security measures for protection of that information
How our processing of your personal data is lawful
Your rights under the Data Protection Laws.
Personal Data We Collect
The personal data we collect depends on how you interact with us, the services you use, and the choices you make.
We collect information about you from different sources and in various ways when you use our services, including information you provide directly, information collected automatically, information from third-party data sources, and data we infer or generate from other data.
Information you provide directly. We collect personal data you provide to us. For example:
General enquiries or complaints. If you submit a general enquiry or make a complaint, we collect:
your first name, or your first and last name,
your contact details (address, phone number, email address), and
the contents of your enquiry or complaint.
Account details. We collect the following information to create and maintain your account and enable the services provided to you:
your first and last names,
your email address, username, and password,
your date of birth (so that you can request age-restricted products),
your phone number, and
your marketing preferences.
Purchase of prescription products. If you make a purchase from us, we collect the following information about you to administer the purchase:
your contact and delivery details (phone number, email address, postal address),
your purchase information (product, date, quantity), and
information about your prescription for the product issued by a GP, if you purchased a prescription product.
Payment information. We collect your payment information on behalf of Stripe Payments Europe, Ltd. but we do not store your payment information or associate it with your account. Stripe notifies us whether a transaction is successful or not.
Surveys. We may from time to time ask you to provide feedback on the quality of our service. If you participate in a survey about our services, we collect your:
contact details (address, phone number, email address), and
information concerning how you learned about us, how you have experienced our services, and how you think we can improve our services.
Sensitive personal information.
Health Information: As a health and wellness platform, we process information concerning your health and/or sex life or sexual orientation for a variety of purposes. We collect biometric information for identity verification. If you request a prescription-only product, you must complete our medical questionnaire through which we collect medical information about you. If you participate in a medical consultation with Hims, this may also include photographs you submit in connection with that consultation. A GP uses medical information about you to assess whether you can be safely prescribed the product you want. Your purchase of products through our services may constitute information about your health, sex life, or sexual orientation, and your browsing activity on certain pages may also constitute sensitive information.
Ethnic Origin: We may request information about your ethnic origin, either to help provide our services or to improve our services.
Information we collect automatically. When you use our services, we collect some information automatically. For example:
Identifiers and device information. When you visit our websites or use our services, we automatically log your Internet Protocol (IP) address and information about your device, including device identifiers (such as MAC address); device type; and your device’s operating system, browser, and other software including type, version, language, settings, and configuration. As further described in the ‘Cookies, Mobile IDs, and Similar Technologies’ section, our websites and services store and retrieve cookie identifiers, mobile IDs, and other data.
Geolocation information. Depending on your device and app settings, we collect geolocation data when you use our apps or online services. This information may include precise geolocation data, meaning data derived from a device and that is used to locate you within a circle with a radius of 1,850 feet or less.
Usage data. We automatically log your activity on our websites and apps, including the URL of the website from which you came to our sites, pages you viewed, how long you spent on a page, access times, and other details about your use of our website.
Information we create or generate. We infer new information from other data we collect, including using automated means to generate information about your likely preferences or other characteristics (‘inferences’). For example, we infer your general geographic location (such as city, county, and country) based on your IP address, and we or our contracted medical providers use the medical information you provide to determine a diagnosis.
Information we obtain from third-party sources. We also obtain the types of information described above from third parties. These third-party sources include, for example:
Co-branding/marketing partners. Partners with which we offer co-branded services or engage in joint marketing activities.
Service providers. Third parties that collect or provide data in connection with work they do on our behalf, for example companies that determine your device’s location based on its IP address.
Publicly available sources. Public sources of information such as open government databases.
When you are asked to provide personal data, you may decline, and you may use web browser or operating system controls to prevent certain types of automatic data collection. However, if you choose not to provide or allow information that is necessary for certain services or features, those services or features may not be available or fully functional.
Our Use of Personal Data
General enquiries, complaints, and communications. To respond to your general enquiries, handle your complaints, and send you information (such as confirmations, security alerts, and support messages).
Account details. To administer your account, verify your age and identity, provide you with information about Hims and our business, products and services, and enhance your experience and enjoyment using our services.
Product and service delivery. To process your payments for products and services, and administer your purchase of products and services.
Business operations. To operate our business, including billing, accounting, improving internal operations, securing our systems, detecting fraudulent or illegal activity, and meeting our legal obligations.
Treatment. For example, to disclose to healthcare providers who will assess whether you can safely use the medical product(s) you requested, and who may issue a prescription based on that assessment.
Surveys and product development. To improve our products and services, and our marketing and/or promotional efforts; and to create new products, services, marketing and/or promotions for Hims.
Marketing and advertising. To communicate with you about new services and offers, and to display advertising to you. See the ‘Choice and Control’ section of this Policy for information about how to change your preferences for promotional communications, and the ‘Cookies’ section for information about personalised advertising and your advertising choices.
We combine data we collect from different sources for these purposes and to give you a more seamless and consistent experience.
We rely on different lawful bases for collecting and processing personal data about you, for example, with your consent and/or as necessary to provide the services you use, operate our business, meet our contractual and legal obligations, protect the security of our systems and our customers, or fulfil other legitimate interests.
Our Disclosure of Personal Data
Hims discloses personal data to Hims’ service providers with your consent or as we determine necessary to complete your transactions or provide the services you have requested or authorised. Subsequent processing by Hims’ service providers is necessary for the services they provide for us. Where we have a contract with a third party, we take steps to ensure they treat your data in accordance with the law, only use it in accordance with our contract with them, and keep it secure.
In addition, we disclose personal data to the types of third parties described below, for the following business purposes:
Service providers. We provide personal data to vendors or agents working on our behalf for the purposes described in this Policy. For example, companies we’ve hired to provide customer service support or issue prescriptions for requested product(s) may need access to personal data to provide those functions.
Financial services & payment processing. When you provide payment data, such as to make a purchase, we will disclose payment and transactional data to banks and other entities as necessary for payment processing, fraud prevention, credit risk reduction, analytics, or other related financial services. For example, Stripe Payments Europe, Ltd. processes payment data for your transactions with Hims.
Medical Providers: We contract with medical providers who evaluate your health conditions and, where appropriate, provide a prescription to facilitate your purchase of prescription products.
Corporate transactions. We may disclose personal data as part of a corporate transaction or proceeding such as a merger, financing, acquisition, bankruptcy, dissolution, or a transfer, divestiture, or sale of all or a portion of our business or assets.
Legal and law enforcement. We will access, disclose, and preserve personal data when we believe doing so is necessary to comply with applicable law or respond to valid legal process, including from law enforcement or other government agencies.
Security, safety, and protecting rights. We will disclose personal data if we believe it is necessary to:
protect our customers and others, for example to prevent spam or attempts to commit fraud, or to help prevent the loss of life or serious injury of anyone;
operate and maintain the security of our services, including to prevent or stop an attack on our computer systems or networks; or
protect the rights or property of ourselves or others, including enforcing our agreements, terms, and policies.
Third-party analytics and advertising companies also collect personal data through our website and apps, including identifiers and device information (such as cookie IDs, device IDs, and IP address), geolocation data, usage data, and inferences based on and associated with that data, as described in the ‘Cookies’ section of this Policy. These third-party vendors may combine this data across multiple sites to improve analytics for their own purposes and those of others. For example, we use Google Analytics on our website to help us understand how users interact with our website; you can learn how Google collects and uses information at www.google.com/policies/privacy/partners.
Other third-party analytics and advertising providers we use on our websites include, for example:
Please note that some of our services also include integrations, references, or links to services provided by third parties whose privacy practices differ from ours. If you provide personal data to any of those third parties, or allow us to share personal data with them, that data is governed by their privacy statements.
Hims & Hers UK Limited is part of the Hims and Hers Health, Inc. corporate family, a United States-based corporation. We disclose personal information within our corporate entity for uses consistent with this policy.
Finally, we may disclose de-identified information in accordance with applicable law.
Location of Personal Data
The personal data we collect may be stored and processed in your country or region, or in any other country where we or our affiliates, subsidiaries, or service providers process data. Currently, we primarily use data centers in the United Kingdom and the United States. The storage location(s) are chosen to operate efficiently and improve performance, as well as to enable our US-based employees to provide services and support to Hims UK Limited. We take steps to process and protect personal data as described in this Policy wherever the data is located.
Location of Processing European Personal Data. We transfer personal data from the United Kingdom (UK) to other countries, some of which may not have been determined by the UK Government to have an adequate level of data protection. When we do so, we use an International Data Transfer Agreement in a form approved by the UK Information Commissioner's Office to help ensure an adequate level of protection of the data. To learn more about the ICO position on data transfers, please visit https://ico.org.uk/for-organisations/data-protection-and-the-eu/data-protection-and-the-eu-in-detail/adequacy/. Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.
Retention of Personal Data
We retain personal data for as long as necessary to provide the services and fulfill the transactions you have requested, comply with our legal obligations, resolve disputes, enforce our agreements, and for other legitimate and lawful business purposes. The list below provides details about how long we retain personal data.
General enquiries or complaints. For general enquiries, the information is retained until the enquiry has been completed and no further responses are received for a reasonable period. If you are an existing customer, the enquiry may be added to other information that we hold about you as a customer. For complaints, the information is retained for a period of up to 6 years after resolution of the complaint. If you are an existing customer, the complaint and its resolution may be added to other information that we hold about you as a customer.
Account details. During the course of your account and for 6 years after you close your account with us.
Purchase of prescription products. For 6 years after the purchase.
Medical Information. 7 years after purchase.
Prescriptions. 6 years after the purchase.
Surveys. During the course of your account and for 1 year after you close your account with us.
Note that we do not store payment information. Payment information is stored by our service provider Stripe Payments Europe, Ltd.
Security of Personal Data
Hims implements reasonable and appropriate technical and organisational measures to help protect the personal information we hold from unauthorised access, use, disclosure, alteration, and destruction. We also aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data. We do this by following recognised industry practices for protecting our IT environment and physical facilities. For example, we encrypt the transmission of information through the website and app by using secure socket layer (SSL) technology, and we utilise AWS and Aptible to provide ISO 27001 and SOC2 compliance for the personal data that we store on your behalf.
Cookies, Mobile IDs, and Similar Technologies
What are cookies and similar technologies?
Cookies are small text files placed by a website and stored by your browser on your device. A cookie can later be read when your browser connects to a web server in the same domain that placed the cookie. The text in a cookie contains a string of numbers and letters that may uniquely identify your device and can contain other information as well. This allows the web server to recognise your browser over time, each time it connects to that web server.
Web beacons are electronic images (also called single-pixel or clear GIFs) that are contained within a website or email. When your browser opens a webpage or email that contains a web beacon, it automatically connects to the web server that hosts the image (typically operated by a third party). This allows that web server to log information about your device and to set and read its own cookies. In the same way, third-party content on our websites (such as embedded videos, plug-ins, or ads) results in your browser connecting to the third-party web server that hosts that content. We also include web beacons in our email messages or newsletters to tell us if you open and act on them.
We, and our analytics and advertising partners, use these technologies in our websites, apps, and online services to collect personal data (such as the pages you visit, the links you click on, and similar usage information, identifiers, and device information) when you use our services, including personal data about your online activities over time and across different websites or online services. This data is used to store your preferences and settings, enable you to sign-in, analyse how our websites and apps perform, track your interaction with the site or app, develop inferences, deliver and tailor interest-based advertising, combat fraud, and fulfill other legitimate purposes. We and/or our partners also share the data we collect or infer with third parties for these purposes. For more information about the third-party analytics and advertising partners that collect personal information on our services, please see the ‘Our Disclosure of Personal Data’ section of this Policy.
Strictly necessary: These cookies are necessary for the operation of our site, such as enabling you to login or use our shopping cart.
Analytics and performance: allow us to track the use of our site and, in turn, improve it.
Advertising: these cookies help us show relevant advertisements to you across the web, and may include information about your browsing activity.
What controls are available?
There are a range of cookie and related controls available through browsers, mobile operating systems, and elsewhere. See the ‘Choice and Control of Personal Data’ section for details.
Choice and Control of Personal Data
We provide a variety of ways for you to control the personal data we hold about you, including choices about how we use that data. In some jurisdictions, these controls and choices may be enforceable as rights under the Data Protection Laws.
Some of these choices are specific to the device or browser you are using. If you access our services from other devices or browsers, take these actions from those systems to ensure your choices apply to the data collected when you use those systems.
Rights under the Data Protection Laws. We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months. Please be aware that there are exemptions in relation to some of these rights which we will apply in accordance with the Data Protection Laws. Note that we do not carry out automated decision-making or profiling using personal data.
Right to access and obtain a portable copy of your personal data: If you wish to access, copy, or download personal data we hold about you, you may request to do so by emailing email@example.com. If we approve your request based on applicable law, we may provide you with:
a copy of personal data we hold about you,
details of the purpose for which it is being or is to be processed,
details of the recipients or classes of recipients to whom it is or may be disclosed, including whether they are overseas and what protections are used for those overseas transfers,
the period for which it is held (or the criteria we use to determine how long it is held), and
any information available about the source of that data.
Right to rectification: If you wish for us to correct any mistakes in your information, you may request to do so free of charge by emailing firstname.lastname@example.org.
Right to erasure (‘the right to be forgotten’): You may request that we delete your personal data in the circumstances below. To exercise this right, email your request to email@example.com.
If you have previously given us consent to process your data, you withdraw that consent, and we cannot otherwise legally process your data.
You object to our processing and we do not have any legitimate interests to process your personal data.
You believe your personal data has been processed unlawfully or was not erased when it should have been.
Right to restrict processing: You may request that we temporarily stop processing your personal data in the circumstances below. To exercise this right, email us at firstname.lastname@example.org.
You believe your personal data is inaccurate. We will resume processing once we have confirmed the personal data is accurate or amended it to be accurate.
You believe your personal data has been processed unlawfully, but do not want us to erase your personal data.
You believe we no longer need to retain the personal data for our processing purposes, but you need the data to establish, exercise or defend legal claims.
Right to object to processing of your personal data: You may object to us processing your personal data for purposes where we rely on a legitimate interest as our lawful basis for processing. To exercise this right, email us at email@example.com. If you object to us processing your personal data, we must demonstrate compelling grounds for continuing the processing.
To make such requests, please use the contact information at the bottom of this Policy. When we are processing data on behalf of another party that is the ‘data controller,’ you should direct your request to that party. You also have the right to lodge a complaint with a supervisory authority, but we encourage you to first contact us with any questions or concerns. Our supervisory authority is the UK Information Commissioner’s Office (ico.org.uk).
Communications preferences. You can choose whether to receive promotional communications from us by email, SMS, and telephone. If you receive promotional email or SMS messages from us and would like to stop, you can do so by following the directions in that message or by contacting us as described in the ‘Contact Us’ section below. If you receive a sales call from us, you can ask to be placed on our do-not-call list. These choices do not apply to certain informational communications including surveys and mandatory service communications.
Targeted advertising. To opt out of or otherwise control targeted advertising, you have several options. First, you can use the controls available through our website cookie banner to decline advertising-related cookies. Second, you can use the opt-out controls offered by the European organisations our advertising partners may participate in, which you can access via the European Digital Advertising Alliance (http://www.youronlinechoices.com/).
Browser or platform controls.
Cookie controls. Most web browsers are set to accept cookies by default. If you prefer, you can go to your browser settings to learn how to delete or reject cookies. If you choose to delete or reject cookies, this could affect certain features or services of our website. If you choose to delete cookies, settings and preferences controlled by those cookies, including advertising preferences, may be deleted and may need to be recreated.
Mobile advertising ID controls. iOS and Android operating systems provide options to limit tracking and/or reset the advertising IDs.
Email web beacons. Most email clients have settings that allow you to prevent the automatic downloading of images, including web beacons, which prevents the automatic connection to the web servers that host those images.
Contact Us
Please direct any privacy concerns, complaints, or questions you may have to any one of the following:
By post: Hims & Hers UK Limited, 107 Kirkgate, Leeds, England, LS1 6DP, with a subject line containing ‘Data Protection’.
By email: firstname.lastname@example.org, with a subject line containing ‘Data Protection’.