Privacy Policy

Effective Date: September 2025
Last Updated: September 2025

  • Virty Privacy Policy
    • 1. About This Policy
    • 2. Who We Are
    • 3. What Data We Collect
    • 4. How We Use Your Data
    • 5. Legal Basis for Processing
    • 6. Family Circles and Proxy Access
    • 7. How We Share Your Data
    • 8. Data Security
    • 9. How Long We Keep Your Data
    • 10. Your Rights
    • 11. Children and Vulnerable Users
    • 12. Automated Decision-Making
    • 13. Cookies and Analytics
    • 14. International Transfers
    • 15. Updates to This Policy
    • 16. Contact Us

1. About This Policy

This Privacy Policy explains how Virtually Health Systems Ltd (“Virtually”, “we”, “us”, or “our”) collects, uses, shares, and protects your personal information when you use the Virty app and related services. It also describes your rights under UK data protection law.

Because we handle your health information, which is classed as ‘special category’ data, we take extra steps to protect your privacy. This policy sets out clearly how we use your data, your rights, and the tools you have to control it.

2. Who We Are

Virty is the trading name of Virtually Health Systems Ltd, a UK-registered company (Company No. 08246684) regulated by the Care Quality Commission (Provider ID: 1-13361326440) to provide online diagnostic, screening, and treatment services.

If you have questions or concerns about how your personal data is handled, you can contact our Data Protection Officer:

Email: privacy@virty.health
Post: Virtually Health Systems Ltd, Northern Health Centre, 580 Holloway Road, London, England, N7 6LB
Phone: [Insert Support Number]

3. What Data We Collect

Depending on how you use Virty, we may collect the following types of personal data:

  • Identity and Contact Data: Name, date of birth, NHS number, contact details, emergency contacts.
  • Health Data (Special Category Data):
    • Wearable data: Heart rate, oxygen saturation, sleep, steps, etc.
    • NHS data: Health record content accessed via NHS Login.
    • Self-entered data: Food diaries, medication records, alcohol intake, etc.
  • Clinical Records: Consultation notes, prescriptions, diagnoses, alerts, care plans.
  • Proxy and Family Circle Data: Relationship to other users, permissions, dependants.
  • Technical Data: IP address, app usage, device identifiers, system logs.

How we collect this data:

  • Automatically from wearable devices synced to the app.
  • From your connected NHS account via NHS Login (with your permission).
  • Through data you or your proxy enter into the app.
  • During video or phone consultations with clinicians.

4. How We Use Your Data

We use your personal data to provide safe, personalised, and responsive digital healthcare. This includes:

  • Monitoring and analysis: Our Patient Observatory uses real-time data to detect health trends and trigger clinical review where needed.
  • Clinical decision support: A Virty doctor may contact you for consultation if your data indicates a potential issue.
  • NHS record access: With your consent, we review relevant medical history to guide your care.
  • Long-term condition management: We provide tailored plans for conditions such as diabetes, obesity, heart disease, and mental health.
  • Family and proxy access: We enable authorised users to manage and view health data, in line with age and capacity rules.
  • Health improvement support: Including motivational messages, coaching, and progress tracking.
  • Emergency support: We may contact you or your nominated contact if urgent medical concerns arise.

We do not use your data for marketing without your explicit consent.

5. Legal Basis for Processing

We process your personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Our legal bases include:

  • Contractual necessity (UK GDPR Article 6(1)(b)): To deliver your healthcare services.
  • Legal obligation (6(1)(c)): To meet clinical or regulatory requirements.
  • Public interest in healthcare (6(1)(e) and 9(2)(h)): For diagnosis, treatment, and health protection.
  • Explicit consent (6(1)(a) and 9(2)(a)): For specific uses, such as proxy access or data sharing within a family circle.

These legal bases mean we only use your data where we have a valid reason — either to deliver your care, comply with the law, or because you’ve clearly said yes.

6. Family Circles and Proxy Access

Virty allows members to manage health within a “family circle,” where family members or carers may act as proxies.

We support the following access models:

  • Children under 11: Access by verified parents or legal guardians only.
  • Children aged 11–15: Access requires the child’s consent (Gillick competence).
  • Users aged 16+: Full control, including ability to authorise or revoke proxy access.
  • Adults lacking capacity: Access granted to authorised proxies with appropriate documentation (e.g. LPA, GP letter).

All proxy relationships are subject to strict verification and documentation requirements. Users can manage permissions, revoke access, or change settings at any time from their account.

7. How We Share Your Data

We only share your data when necessary to deliver your care or meet legal obligations. This may include:

  • Clinicians and health professionals: For diagnosis, treatment, and monitoring.
  • NHS systems: If you enable NHS Login, we may access or share relevant record data.
  • Authorised family members or carers: Only with your consent or lawful authority.
  • Technology partners: Such as hosting providers or identity verification services, under strict data processing agreements.
  • Emergency services: If we detect a clinical concern that poses serious risk.
  • Regulators or authorities: Where required by law (e.g. the Care Quality Commission).

We never sell your data. All third-party access is carefully controlled and audited.

8. Data Security

Your health information deserves the highest level of protection. We implement robust technical and organisational measures including:

  • End-to-end encryption for all data in transit and at rest.
  • Role-based access control and two-factor authentication.
  • Integration with NHS Login for secure identity verification.
  • Immutable logs of all data access, including by proxy users.
  • Regular security testing and ISO/IEC 27001:2022-aligned controls.

We are committed to transparency and continuous improvement of our security model.

9. How Long We Keep Your Data

We retain your personal data for:

  • As long as you remain an active member;
  • A minimum of 8 years for clinical records, in line with UK medical recordkeeping guidance;
  • Longer if required for regulatory or legal reasons.

You may request deletion of your account and data at any time. We will confirm what data can be deleted and what we must retain by law.

10. Your Rights

Under the UK GDPR, you have the right to:

  • Access the personal data we hold about you.
  • Correct any inaccurate or incomplete data.
  • Request deletion of your data where applicable.
  • Restrict or object to certain types of processing (e.g. family sharing).
  • Withdraw your consent, where it was required.
  • Receive your data in a portable format.
  • Complain to the Information Commissioner’s Office (www.ico.org.uk).

To exercise any of these rights, contact us at privacy@virty.health. We will respond within one month.

11. Children and Vulnerable Users

We handle children’s and vulnerable users’ data with particular care. Proxy access is granted only after identity and legal authority are verified. Our app also includes:

  • Age-based consent workflows (e.g. 11–15 age trigger for consent).
  • Clear, age-appropriate privacy notices.
  • Tools to adjust proxy permissions or withdraw access.
  • Capacity review mechanisms for users who may regain decision-making ability.

We believe in supporting independence and safeguarding equally.

12. Automated Decision-Making

We use automated tools to monitor trends in your data (e.g. elevated heart rate or unusual glucose levels). These tools may trigger clinical alerts or prompt review by a Virty doctor.

However, automated systems do not make clinical decisions, all medical judgments are made by qualified professionals. You can request an explanation of any automated assessment applied to your data.

13. Cookies and Analytics

Our website and app may use cookies or analytics technologies to:

  • Measure app usage and performance.
  • Improve service features.
  • Debug issues or errors.

You can manage cookie settings via your browser or device. No tracking is done for advertising or profiling purposes.

Read our Cookie Policy here.

14. International Transfers

We store and process your data in the UK or European Economic Area (EEA). If data must be transferred outside these regions (e.g. for technical services), we ensure safeguards are in place, including standard contractual clauses approved by the ICO.

15. Updates to This Policy

We may update this policy to reflect changes in law, our services, or how we process your data.

If we make material changes, we will notify you via email or in-app messages, and seek your consent where required.

16. Contact Us

Virtually Health Systems Ltd
Data Protection Officer
Email: privacy@virty.health
Post: Northern Health Centre, 580 Holloway Road, London, England, N7 6LB
Phone: [Insert Support Number]
Regulator: Information Commissioner’s Office (www.ico.org.uk)

Ready for Better Health?

Join Virty for Doctor-Led Care and Lasting Results.

Join the waitlist