Hims UK, Limited ("Hims", "we" or "us") respects the privacy of individuals. We are a "controller" for the purposes of the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (EU) 2003/2426 (collectively referred to as the "Data Protection Laws").
The term "personal data" means any information from which a living individual can be identified such as name, contact details and photographs. "Special categories of personal data" relates to more sensitive types of personal data including (amongst others) racial or ethnic origin, physical or mental health or condition and sexual life. These terms are defined in the Data Protection Laws.
We will collect and hold these categories of personal data about you:
General enquiries or complaints: If you submit a general enquiry, or if you need to make a complaint, we will need to collect your:
Account details: We collect the following information in order to create and maintain your account and enable the medical services provided to you:
Medical information: In order to assess whether you can be prescribed with the product you have requested, you need to complete our medical questionnaire which collects medical information about you. This is a special category of personal data and may include photographs that you submit in connection with your medical consultation.
Purchase of prescription products: We will collect the following information to administer any purchases you wish to make from us:
Payment information: We do not store your payment card details within your account as all payment is dealt with directly by Stripe Payments Europe, Ltd. Stripe notifies us whether a transaction is successful or not.
Hims uses your personal data for the following purposes set out below. We are allowed to do so on certain legal bases (please see section "Lawful basis for processing your personal data" for further detail):
|Categories of information||Purpose||Legal basis|
|General enquiries or complaints||To respond to your general enquiries and handle your complaints||Legitimate interests|
|Account details||To administer your account, to verify your age and identity as some of our products are only available for individuals aged 18 to 65 (inclusive) and provide you with information about Hims and our business, products and services||Contract|
|Purchase of prescription products and payment information||To process your payments for products and administer your purchase of products||Contract|
|Medical Information||To share with doctors who assess that you can safely use the medical products you have ordered, based on the responses that you give to the questionnaire and to issue a prescription||Consent|
|Surveys||To improve our website, app and/or their respective content, features and/or services; the products, services, marketing and/or promotional efforts of Hims; and create new products, services, marketing and/or promotions for Hims||Legitimate interests|
Hims shares your personal information with Hims’ service providers who process your data as part of the services they offer to us. We take steps to ensure that our service providers treat your data in accordance with the law, only use it in accordance with our contract with them and keep it secure.
Like any business, we use many other providers to help us operate our business and who process your personal data as part of providing their services to us. Those providers fall into the following categories:
In addition, we share your personal data with the following organisations who act as separate controllers of your personal data. You should review their privacy policies to find out how they process your personal data. If you have any queries or complaints about how they process your personal data by them, please contact them separately using the contact information provided on their website.
We also share data as necessary to enforce our legal rights, defend legal claims and if required by law to disclose to courts, police, law enforcement agencies or regulators.
We may need to transfer your personal data to the USA and Canada which are located outside the European Economic Area, for the following purposes:
Any transfer of your data will be carried out in accordance with the law to safeguard your privacy rights and give you remedies in the unlikely event of a security breach or to any other similar approved mechanisms.
The list below provides details about how long we will process your data.
|Categories of Information||Retention Period|
|General enquiries or complaints||For general enquiries, the information is retained until the enquiry has been completed and no further responses are received for a reasonable period. If you are an existing customer, the enquiry may be added to other information that we hold about you as a customer.|
For complaints, the information is retained for a period of up to 6 years after resolution of the complaint. If you are an existing customer, the complaint and its resolution may be added to other information that we hold about you as a customer
|Account details||During the course of your account and for 6 years after you close your account with us|
|Purchase of prescription products||For 6 years after the purchase|
|Payment information||We do not store payment information. Payment information is processed by our service provider Stripe Payments Europe, Ltd.|
|Medical Information||7 years after purchase|
|Prescriptions||6 years after the purchase|
|Surveys||During the course of your account and for 1 year after you close your account with us|
Hims implements security measures to help protect the personal information we hold. We do this by implementing and using the appropriate technical and organisational measures in order to protect your personal data against accidental or unlawful destruction, accidental loss or alteration, unauthorised disclosure or access and any other unlawful forms of processing.
We also aim to ensure that the level of security and the measures adopted to protect your personal data are appropriate for the risks presented by the nature and use of your personal data. We do this by following recognised industry practices for protecting our IT environment and physical facilities: for example, we encrypt the transmission of information through the website and app by using secure socket layer (SSL) technology and utilise AWS and Aptible to provide ISO 27001, and SOC2 compliance for the personal data that we store on your behalf.
To help maintain the security of your personal information, We ask that you please notify us immediately of any unauthorised visit, access or use of the website or the loss or unauthorised use of your username or password using the contact information that appears below.
Hims is permitted to process your personal data and special categories of personal data for the following legal bases:
|Personal Data||Contract: Processing your personal data is necessary for our performance of our contract with you. These obligations include facilitating the process of obtaining a consultation with a doctor and purchasing prescription products from our associated pharmacy. If you do not provide your personal data to us, we will not be able to carry out our obligations under the terms of the contract.|
Legal claims: We need to process your personal data to defend or establish a legal claim (for example, claims relating to our services under contract law).
|Special Categories of Data||Express consent: We process your special categories of personal data with your explicit consent for the purpose of facilitating your access to a doctor to obtain a consultation and potentially a prescription and purchase the relevant prescription product from our associated pharmacy. Please note that you have the right to withdraw this consent at any point. However, if you do withdraw your consent it means that we will not be able to carry out our obligations.|
Legal claims: We need to process your personal data to defend or establish a legal claim (for example, claims relating to our Membership service under contract law).
|Personal Data||Legitimate interests: We are permitted to process your personal data if it is based on our ‘legitimate interests’ i.e. we have good, sensible, practical reasons for processing your personal data which is in our interest. To do so, we have considered the impact on your interests and rights, and have placed appropriate safeguards to ensure that the intrusion on your privacy is reduced as much as possible. Our legitimate interest is to provide you with information you have requested, provide effective and helpful customer support and improve our products, services and marketing. You can object to the processing that we carry out on the grounds of legitimate interests. See the section "Your Privacy Rights under the Data Protection Laws" below to find out how.|
At present, the following approved third parties may also set cookies when you use our services:
You have the following rights under the Data Protection Laws. We will respond to any rights that you exercise within a month of receiving your request, unless the request is particularly complex, in which case we will respond within three months. Please be aware that there are exemptions in relation to some of these rights which we will apply in accordance with the Data Protection Laws.
Right to access your personal data: You may ask to see what personal data we hold about you and be provided with: - a copy - details of the purpose for which it is being or is to be processed - details of the recipients or classes of recipients to whom it is or may be disclosed, including if they are overseas and what protections are used for those oversea transfers - the period for which it is held (or the criteria we use to determine how long it is held) - any information available about the source of that data, and - whether we carry out an automated decision-making, or profiling, and where we do information about the logic involved and the envisaged outcome or consequences of that decision or profiling. To help us find the information easily, please provide us as much information as possible about the type of information you would like to see.
Right to rectification: You can require us to correct any mistakes in your information which we hold free of charge. If you would like to do this, please let us know the information that is incorrect and what it should be replaced with.
Right to erasure (‘the right to be forgotten’): You can ask us to erase your personal data where:
Right to restrict processing: You may request that we stop processing your personal data temporarily if:
Right to data portability: You may ask for an electronic copy of your personal data which you provide to us, which we hold electronically and which we process when we have entered into a contract with you. You can also ask us to provide this directly to another party.
Right to object to processing of your personal data: You may object to us processing your personal data where we rely on a legitimate interest as our lawful basis for processing. If you object to us processing your personal data we must demonstrate compelling grounds for continuing to do so. We believe we have demonstrated compelling grounds in the section 'Lawful basis for processing your personal data'.
If your rights under the Data Protection Laws are breached, you may be entitled to compensation for damage caused by contravention of the Data Protection Laws.