Privacy Policy (Including Cookie Policy)

Hims UK, Limited ("Hims", "we" or "us") respects the privacy of individuals. We are a "controller" for the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Data Protection Act 2018 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) (collectively referred to as the "Data Protection Laws").

This privacy policy contains important information about the following:

  • the type of information about you that we collect
  • how that information is used
  • who will have access to that information
  • how long we will hold your personal information for
  • our security measures for protection of that information
  • how our processing of your personal data is lawful, and
  • your rights under the Data Protection Laws.

The term "personal data" means any information from which a living individual can be identified such as name, contact details and photographs. "Special categories of personal data" relates to more sensitive types of personal data including (amongst others) racial or ethnic origin, physical or mental health or condition and sexual life. These terms are defined in the Data Protection Laws.

Categories of information collected

We will collect and hold these categories of personal data about you:

  • General enquiries or complaints: If you submit a general enquiry, or if you need to make a complaint, we will need to collect your:

    • name
    • contact details (address, phone number, email address), and
    • the details of your enquiry or complaint.
  • Account details: We collect the following information in order to create and maintain your account and enable the medical services provided to you:

    • your first and last names
    • your email address, username and password
    • your date of birth
    • your phone number
    • your marketing preferences.
  • Medical information: In order to assess whether you can be prescribed with the product you have requested, you need to complete our medical questionnaire which collects medical information about you. This is a special category of personal data and may include photographs that you submit in connection with your medical consultation.

  • Purchase of prescription products: We will collect the following information to administer any purchases you wish to make from us:

    • your contact and delivery details (phone number, email address and postal address)
    • your purchase information (product, date, amount)
    • the prescription issued by a GP. The GP who assesses your medical information will decide whether the product you want can be safely prescribed to you.
  • Payment information: We do not store your payment card details within your account as all payment is dealt with directly by Stripe Payments Europe, Ltd. Stripe notifies us whether a transaction is successful or not.

  • Surveys: We may from time to time ask you to provide feedback on the quality of our service. To do this we will need to collect your:

    • name
    • contact details (address, phone number, email address), and
    • information about how you came across us, how you have found us and how you think we can improve our services.
  • Information collected automatically: When you visit our site or use our services, we will automatically collect some information from the hardware and software you use at that time, which together with the other information we collect may constitute “personal data” for the purposes of the Data Protection Laws. If you are an unregistered user, we will still collect the following data (which alone is unlikely to constitute “personal data” for the purposes of the Data Protection Laws, but that we wish to be transparent about in any case):

    • your browsing history on our websites
    • the information provided by your device and browser, including referrer and tracking data, and
    • your IP address.

Use of information collected

Hims uses your personal data for the purposes set out below. We are allowed to do so on certain legal bases (please see the section "Lawful basis for processing your personal data" for further detail):

| Categories of information | Purpose | Legal basis |
|---|---|---|
| General enquiries or complaints | To respond to your general enquiries and handle your complaints | Legitimate interests |
| Account details | To administer your account; to verify your age and identity, as some of our products are only available to individuals aged 18 to 65 (inclusive); and to provide you with information about Hims and our business, products and services | Contract |
| Purchase of prescription products and payment information | To process your payments for products and administer your purchase of products | Contract |
| Medical information | To share with doctors who assess whether you can safely use the medical products you have ordered, based on your responses to the questionnaire, and to issue a prescription | Consent |
| Surveys | To improve our website, app and/or their respective content, features and/or services; to improve the products, services, marketing and/or promotional efforts of Hims; and to create new products, services, marketing and/or promotions for Hims | Legitimate interests |

Storage and sharing of information collected

Hims shares your personal information with Hims’ service providers who process your data as part of the services they offer to us. We take steps to ensure that our service providers treat your data in accordance with the law, only use it in accordance with our contract with them and keep it secure.

Like any business, we use a number of other providers to help us operate, and they process your personal data as part of providing their services to us. Those providers fall into the following categories:

  • AWS (eu-west-2) – for data storage and hosting
  • Google Cloud – for web hosting
  • Braze – for customer engagement services including email and SMS storage
  • Google Analytics and Tag Manager – to analyse and develop our web services
  • Amplitude – to analyse and develop our product strategy
  • Facebook – for advertising and marketing
  • Google AdWords – for advertising and marketing
  • Looker – for our own business intelligence purposes

In addition, we share your personal data with the following organisations, who act as separate controllers of your personal data. You should review their privacy policies to find out how they process your personal data. If you have any queries or complaints about how they process your personal data, please contact them separately using the contact information provided on their websites.

  • Stadn Ltd. and its affiliated doctors who assess your medical information in order to prescribe the products
  • Health Counter Limited and its associated pharmacies – sells and delivers the prescription products to you
  • Stripe Payments Europe, Ltd. – takes payment for the products

We also share data as necessary to enforce our legal rights, defend legal claims and if required by law to disclose to courts, police, law enforcement agencies or regulators.

Transfers of your information out of the EEA

We may need to transfer your personal data to the following recipients in the USA and Canada, both of which are located outside the European Economic Area:

  • Our parent company, Hims, Inc., located in the USA, to manage our operations and provide general oversight.
  • Our service provider, Terminal, Inc., with locations in Canada, to provide certain support services to us from that country.

Any such transfer will be carried out in accordance with the law, using appropriate safeguards or other approved transfer mechanisms, so that your privacy rights are protected and you have remedies available in the unlikely event of a security breach.

Data Retention

The table below sets out how long we will retain each category of your data.

| Categories of information | Retention period |
|---|---|
| General enquiries | Until the enquiry has been completed and no further responses are received for a reasonable period. If you are an existing customer, the enquiry may be added to other information that we hold about you as a customer. |
| Complaints | Up to 6 years after resolution of the complaint. If you are an existing customer, the complaint and its resolution may be added to other information that we hold about you as a customer. |
| Account details | During the course of your account and for 6 years after you close your account with us |
| Purchase of prescription products | 6 years after the purchase |
| Payment information | We do not store payment information. Payment information is processed by our service provider Stripe Payments Europe, Ltd. |
| Medical information | 7 years after purchase |
| Prescriptions | 6 years after the purchase |
| Surveys | During the course of your account and for 1 year after you close your account with us |

Security

Hims implements security measures to help protect the personal information we hold. We do this by implementing and using the appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing.

We also aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate to the risks presented by the nature and use of that data. We do this by following recognised industry practices for protecting our IT environment and physical facilities: for example, we encrypt data in transit between your device and our website and app using TLS (the successor to SSL), and the personal data we store on your behalf is hosted with AWS and Aptible, whose environments are certified to ISO 27001 and SOC 2.

To help maintain the security of your personal information, we ask that you notify us immediately of any unauthorised visit to, access to or use of the website, or of the loss or unauthorised use of your username or password, using the contact information that appears below.

Lawful basis for processing your personal data

Hims is permitted to process your personal data and special categories of personal data on the following legal bases:

Account details, Purchase of prescription products, Payment information, Medical Information

| Category of data | Legal bases |
|---|---|
| Personal data | Contract: Processing your personal data is necessary for our performance of our contract with you. These obligations include facilitating the process of obtaining a consultation with a doctor and purchasing prescription products from our associated pharmacy. If you do not provide your personal data to us, we will not be able to carry out our obligations under the terms of the contract. Legal claims: We need to process your personal data to defend or establish a legal claim (for example, claims relating to our services under contract law). |
| Special categories of data | Explicit consent: We process your special categories of personal data with your explicit consent for the purpose of facilitating your access to a doctor to obtain a consultation and potentially a prescription, and to purchase the relevant prescription product from our associated pharmacy. Please note that you have the right to withdraw this consent at any point. However, if you do withdraw your consent, we will not be able to carry out our obligations. Legal claims: We need to process your personal data to defend or establish a legal claim (for example, claims relating to our services under contract law). |

General enquiries or complaints, and surveys

| Category of data | Legal bases |
|---|---|
| Personal data | Legitimate interests: We are permitted to process your personal data where the processing is based on our 'legitimate interests', i.e. we have good, sensible, practical reasons for processing your personal data that are in our interest. To do so, we have considered the impact on your interests and rights, and have put appropriate safeguards in place to ensure that the intrusion on your privacy is reduced as much as possible. Our legitimate interest is to provide you with information you have requested, provide effective and helpful customer support, and improve our products, services and marketing. You can object to processing that we carry out on the grounds of legitimate interests. See the section "Your privacy rights under the Data Protection Laws" below to find out how. |

Our use of cookies

Our websites use cookies (small text files stored on your device) to distinguish you from other users. Some of these are set by us, and some are set by our approved third parties. We use the following types of cookies:

  • those that are strictly necessary for the operation of our site, including those that enable you to login to the user area, use the shopping cart or make purchases
  • analytical and performance cookies which allow us to track the use of our site before, during and after accessing them and in turn allow us to improve it
  • cookies that increase functionality and the user experience for you, including remembering you when you visit the site and personalising it based on your previous use and preferences, and
  • targeting cookies, which record your visit to our site, the pages visited and the links followed and are used to provide you relevant advertisements and information where possible.

At present, the following approved third parties may also set cookies when you use our services:

  • to show personalised advertisements: Facebook, Google AdWords and Bing
  • to carry out testing of our services: Visual Website Optimizer
  • for our own internal web analytics purposes: Google Analytics and Amplitude
  • for customer engagement purposes: Braze
  • for payment processing: Stripe

These cookies help us to provide you with a personalised experience and to improve our services. You can block cookies in your device's browser settings, but doing so may prevent you from accessing or using our site properly. If you accept this privacy policy, then, in accordance with the Data Protection Laws, you also accept our use of cookies.

Your privacy rights under the Data Protection Laws

You have the following rights under the Data Protection Laws. We will respond to any request to exercise these rights within one month of receiving it, unless the request is particularly complex, in which case we will respond within three months. Please be aware that there are exemptions in relation to some of these rights, which we will apply in accordance with the Data Protection Laws.

  1. Right to access your personal data: You may ask to see what personal data we hold about you and be provided with:

    • a copy
    • details of the purpose for which it is being or is to be processed
    • details of the recipients or classes of recipients to whom it is or may be disclosed, including whether they are overseas and what protections are used for those overseas transfers
    • the period for which it is held (or the criteria we use to determine how long it is held)
    • any information available about the source of that data, and
    • whether we carry out any automated decision-making or profiling and, where we do, information about the logic involved and the envisaged outcome or consequences of that decision or profiling. To help us find the information easily, please give us as much detail as possible about the type of information you would like to see.
  2. Right to rectification: You can require us to correct any mistakes in your information which we hold free of charge. If you would like to do this, please let us know the information that is incorrect and what it should be replaced with.

  3. Right to erasure (‘the right to be forgotten’): You can ask us to erase your personal data where:

    • you believe that we no longer need your data for the purposes set out in this Privacy Policy;
    • if you had given us consent to process your data, you withdraw that consent and we cannot otherwise legally process your data;
    • you object to our processing and we do not have any legitimate interests to process your personal data; or
    • your personal data has been processed unlawfully or has not been erased when it should have been.
  4. Right to withdraw consent: For the uses of data specified in this Privacy Policy, you have the right to withdraw consent you have given us at any point. This is a vital and necessary aspect of consent. To withdraw your consent, you can contact us at the details in the 'Contact Us' section. Note that any processing carried out prior to the date of withdrawal of your consent will still be valid and any published personal data cannot be retracted.

  5. Right to restrict processing: You may request that we stop processing your personal data temporarily if:

    • you do not think that your data is accurate. We will start processing again once we have checked whether or not it is accurate;
    • the processing is unlawful but you do not want us to erase your data; or
    • we no longer need the personal data for our processing, but you need the data to establish, exercise or defend legal claims.
  6. Right to data portability: You may ask for an electronic copy of your personal data which you provide to us, which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.

  7. Right to object to processing of your personal data: You may object to us processing your personal data where we rely on a legitimate interest as our lawful basis for processing. If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section 'Lawful basis for processing your personal data'.

  8. Rights in relation to automated decision making: We do not make any automated decisions about you so this right does not apply.

If your rights under the Data Protection Laws are breached, you may be entitled to compensation for damage caused by contravention of the Data Protection Laws.

It is important that you ensure you have read this Privacy Policy - and if you do not think that we have processed your data in accordance with this notice - you should let us know as soon as possible. Similarly, you may complain to the Information Commissioner's Office, the data protection regulator in the UK. Information about how to do this is available on its website at www.ico.org.uk.

Modifications of this Privacy Policy

Hims may supplement, amend, or otherwise modify this Privacy Policy from time to time. We will alert you on the website and/or email you when changes are made.

Contact Us

Please direct any questions you may have about this privacy policy, our websites or apps or our services generally to any one of the following:

  • By post: Hims UK, Limited, 4 More London Riverside, London SE1 2AU, marked "Data Protection"
  • By email: privacy@forhims.co.uk, with a subject line containing “Data Protection.”