Terms, Conditions and Privacy

This page tells you about:

  • What you’re agreeing to when you use our service
  • What information we collect about you
  • What we do with that information

This sort of information can be hard to understand. We have given some simple explanations to help. But the information outside the outlined boxes is what you’re agreeing to.

If you don’t understand anything or would like more information, you can Contact Us: [email protected]

The Doink condom service is part of SH.UK.

At SH.UK we are dedicated to safeguarding and preserving your privacy when visiting our site or using our services. This privacy policy, together with our Terms and Conditions of Use, provides an explanation as to what happens to any personal data that you provide to us, or that we collect from you.

We update this Policy from time to time so please do review this Policy regularly, and before consenting to future services.Importantly your information may be shared with third-parties (such as your local NHS Trust) who we partner with to deliver services such as your onward care. We try to ensure this is made clear to you when you use our service, and this is explained in more detail below.

You must be 13 years old or over to use the Doink service.

Any other parts of the SH.UK service are not intended for children, and we do not knowingly collect data relating to children. You must be 16 years and over to access and use the services provided via this website except for the Doink service.

What does this mean?

This information tells you who we are. It explains what information we collect from you and what we do with that information.

Sometimes the information on this page changes. When you use our service it’s a good idea to check this page so you know what you’re agreeing to.

We work with other organisations. The other organisations may be able to see your information. We always try and let you know who we are working with. There are more details below.

You need to be 13 or older to use the Doink service.

You need to be 16 or over to use all other SH.UK services.

1. Information About Our Organisation

SH.UK is operated by Preventx Limited, who is the data controller for the service.
Preventx and its partners make decisions on what data is processed and how this will be done.
These decisions are undertaken in accordance with the current data protection legislation.

Preventx is registered in England and Wales under Company number 06603066 and our registered office is at:

Meadowhall Business Park,
Carbrook Hall Road,
Sheffield,
South Yorkshire,
S9 2QE.

Preventx is registered with the Information Commissioner’s Office (ICO), which regulates data protection in the UK, and our registration number is Z1828250.

For all requests regarding the control of your data, please contact our Data Protection Officer:

[email protected]
Preventx Limited
Meadowhall Business Park
Carbrook Hall Road
Sheffield
S9 2QE

What does this mean?

The SH.UK service is owned and run by a company called Preventx.

It’s Preventx’s job to look after your data. We follow what the law says about collecting and storing your data.

If you need to ask us anything about your data you can contact us. Use the contact details above.

2. The Purposes of Processing

We process your data in order to deliver the SH.UK service to you, including the Doink service. We will only use your personal data for the purposes for which we collected it, as described in section 3 below, such as when you registered to use our services.

What does this mean?

We need to get information from you so that we can provide you with our service.

The below sections tell you what information we ask for and why we ask for it.

We only use your information for the reasons given below.

3. Lawful Basis for Processing

Consent - You are asked for your consent for us to process your data in order to register with us, enrol onto our services, receive condoms, dams or lube, receive test kits, return samples for testing, provide test results.

Public Interest - The processing of personal data is necessary for us to analyse the samples you return to us and to provide test results to you.

Prevention, diagnosis and treatment - In most cases we process your data in order to provide services for the prevention, diagnosis andtreatment of illness in line with the Health and Social Care Act (2012). This service is funded by your local authority or NHS Trust.

What does this mean?

We ask you to agree that we can collect and store information about you. This is so we can provide you with the service you want.

The services we provide through SH.UK are paid for by your local authority or by your local NHS Trust.

4. What Data We Collect

The information that we collect and store relating to you is primarily used to enable us to provide you with services that you haveexplicitly ordered or requested. For example, to request free condoms or a free sexual health test you will be asked a number of questions,including some personal questions. In some cases, you may opt-out of certain questions.

Personal Data - The information you give will be recorded and includes details such as your name, address, date of birth, contactinformation (e.g. telephone number).

Health Data - Special category data may also be collected, including data such as ethnicity, gender identity, responses to medical andsafeguarding screening questions, medical testing history, and details of attendance with health providers that may have provided treatment.

Technical Data - This includes your internet protocol (IP) address, your login data, browser type and version, time zone setting andlocation, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.

Preference Data - This includes your preferences on receiving communications from us.

Profile Data - This includes your username and password, orders made by you, feedback and survey responses.

Usage Data - This includes information about how you use our website and services.

Anonymous Data - We also use and share anonymous data such as statistical or demographic data for reporting or research purposes. Anonymous data could be derived from your personal data but is not considered personal data in data protection law as this data will not directly reveal your identity. This includes providing mandatory national anonymised or aggregated data to the UK Health Security Agency and Office for HealthImprovement and Disparities.

Cookie Data – The website will use cookies to retain session data and analytical information. Cookies should not contain sensitive information, and most are removed once your browser session ends.

What does this mean?

We ask questions about you so that we can provide you with the service you are asking for. We then store your answers.

You will need to answer most of these questions to use the service. In some cases, you may be able to choose not to answer.

Some examples of information we might ask for are on the left of the page.

We collect information about the device and browser you use when you use our service. Some examples are given above of the page.

We ask how you would like us to contact you. We store your contact details.

We store your account details. This includes your username and password and details about any orders you make.

We collect information about how you use our services.

We share some data with other organisations. This is to help them understand how our services are being used. We do not share any details that can identify you.

We use small data files called cookies to gather some information about how you use the website. A cookie does not tell us any of your personal details.

5. How Your Personal Data is Collected

We use different methods to collect data from and about you including through:

Direct Interactions – when you make contact with us by telephone, email, post, online or otherwise. This includes personal data you provide when you:

  • Use our services.
  • Create an Account.
  • Subscribe to receive communications or publications.
  • Request marketing information to be sent to you.
  • Complete a survey.
  • Give us feedback or contact us.

Automated Interactions - as you interact with our website, we will automatically collect technical data about your equipment, browsingactions and patterns. We collect this personal data by using cookies, server logs and other similar technologies.

Use of Cookies - a cookie is a small amount of data, which often includes a unique identifier that is sent to your computer or mobile phone(referred to here as a "device") browser from a website's computer and is stored on your device's memory.

We require cookies to be enabled so we can keep track of your progress through the request procedure. No personal or confidentialinformation is stored in cookies, and most are only active whilst you are visiting the site.

What does this mean?

There are different ways that we collect information about you. There is a list of these above of the page.

Ways we gather information about you include:

  • You contact us directly
  • You use one or more of our services
  • You use our website

Our website uses cookies. We need cookies to be enabled for the website to work properly.

6. Automated Decision-Making

We use automated decision-making to confirm eligibility for the services you may wish to access, for example based on your geographic postcode of residence and age.

We also use automated decision making, based on clinical input, to determine whether our services are appropriate for your individualcircumstance and to determine which type of service is most suitable for you.

If the automated decision-making process determines that you are not suitable for the service, you will be provided with informationabout accessing care from alternate locations and services.

What does this mean?

We use something called Automated Decision-Making. This means that we can decide whether a service is right for you based on the questions we ask and the answers you give.

If we can’t provide you with a service we will give you information about how else to get care.

7. How we Use your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Your data/record will be accessible by the NHS Trust, Sexual Health Service or Charity (also known as service providers) with whom we arepartnered with to manage service user testing through our service and who has directed you to our services. You will be made aware of yourService Provider who will have access to your personal data and who will be responsible for your ongoing care, for example if you requiretreatment, support or further testing, before your online consultation, or you may be able to derive your local service provider by visiting ourwebsite www.sh.uk which will enable you to check if we offer services in your area.
  • To receive, store and analyse your samples.
  • To receive, store, review and communicate your test results to you and to provide this through our website.
  • To provide you with your test result and where appropriate, relevant follow-up guidance.
  • To anonymise your personal data for service improvement, product or quality improvement and/or research, as relevant.
  • Other organisations such as the Department of Health (including the UK Health Security Agency and Office for Health Improvement andDisparities (formerly known as Public Health England)) may receive anonymised and/or aggregate data only.

Where you may require treatment or onward care, or in certain circumstances where our system determines you may need additional support (for example if we believe you may be at risk) our partners will make direct contact with you. If our partners are unable to contact you by phone or email, a letter may be sent to the address your kit was dispatched to. If our clinical partners really need to contact you regarding treatment or onward care and are unable to do so (i.e. after a number of unsuccessful attempts) they may contact your GP to ensure you can receive the care you need.

We will never reveal personal information about our service users to other parties not described above but we may, on occasion,provide them with aggregate or anonymous statistical information about our visitors.

What does this mean?

We always follow the law.

We use and share information about you in some of the following ways.

Your information will be seen and used by the organisation paying for our services. This is usually your local authority or your local NHS Trust. You will be told who this is before you use the service. They need to see your information so that they can give you any information or care you need.

SH.UK uses your information to provide you with our service. We also use it to contact you about the service if we need to.

We use your data to improve the service. When we do this we only use data that can’t identify you.

We may share data with other organisations so they know how the service is being used. We do not share anything that can identify you.

8. Recipients of your Personal Data

Both SH.UK and the NHS Trust, Sexual Health Service or Charity managing your results adhere to strict privacy guidelines in order to protect your data and all information will be treated in strict confidence by the current or future service providers.

These Service Providers can securely access your full personal record, test results and the services you are enrolled to. In some cases they may share your information but will always comply with data protection law. Some of these service providers will transfer your full personal record and test results to their own electronic health record system in order to manage any onward care that you may need.

Sometimes a service provider may share your data with a parent or related organisation, for example an NHS service may share data with other local NHS trusts, where a formal data sharing agreement is in place.

What does this mean?

SH.UK and any of our service partners will always keep your information confidential.

The organisation providing your care may store your information on their own health record system. They may also share your information with their own partner organisations.

9. Laboratory Testing

Your sample will be tested in Preventx's specialist laboratory and in accordance with the laboratories quality system. Standard testing carried out via the SH.UK service is accredited to international standards, and more information can be read in the Preventx Laboratory Services document(https://www.preventx.com/laboratory).

In some cases, we may use non-accredited tests to supplement your screening, however this would only ever be in agreement with doctors or clinicians of local sexual health service providers (with whom our services are contracted) (for example, specific sample and test combinations may be recommended but may fall outside of accreditation scope).

Please note that some test samples may be retained by the laboratory after testing. These samples may be used for internal studies, public health initiatives (such as surveillance work with the UK Health Security Agency (UKHSA) or for verification purposes (such as performing equipment validation). Samples used for these purposes will be anonymised so will always exclude personal data such as your name, date of birth, contact details, address and postcode.

What does this mean?

If you send us a sample to be tested for STIs it will be tested in our own lab to high standards.

After testing we may choose to keep your sample. If we do, it will not be stored with any information that could identify you.

10. Keeping Your Data Secure

We apply technical and organisational security measures to safeguard your personal data from accidental or unlawful destruction, loss, alteration or unauthorised disclosure and all personal data is stored in the UK on secure servers.

The effectiveness of our security controls are assessed and verified at least annually to standards set by the UK National Cyber Security Centre.

What does this mean?

We have systems in place to keep your information safe and secure.

All the information we hold is stored in the UK.

11. Why and When we Contact You

Depending on your contact preferences we may notify you by SMS, email, telephone or post:

  • Once that we have dispatched your self-sampling kit.
  • If you do not return your test kit promptly.
  • When your kit has arrived at the laboratory, and when your results are ready.
  • Once in the future to remind you to get tested again unless you have opted out.

We will send a text message to the mobile number used to register your account to let you know when information in your account has been updated, for instance, when results have been added to your account and are ready for you to view.

Where you may require treatment or onward care, or in certain circumstances where our system determines you may need additional support (for example if we believe you may be at risk) our clinical partners may make direct contact with you.

If we have an urgent need to speak to you regarding your results, we will telephone you using the mobile number registered to your account. If our clinical partners really need to contact you regarding treatment or onward care and are unable to do so (i.e. after a number of unsuccessful attempts) they may contact your GP to ensure you can receive the care you need.

We may need to contact you about the service you are using.

We usually contact you by text message. We need an up-to-date mobile number for you. Occasionally we may decide we need to contact you urgently by a phone call.

In some cases, you may get a phone call from the organisation providing your care.

If the organisation providing your care cannot contact you they may contact your GP. They will only do this if you need care and they cannot contact you another way.

12. Legal Disclosure

Sometimes we have a legal duty to provide personal information to other organisations.
We may also share your personal information where allowed under data protection legislation, known as exemptions, and it is more important than protecting your privacy. This doesn’t happen often, but in these circumstances, we may share your information:

  • to find and stop crime and fraud; or
  • if there are serious risks to the public, our staff or to other professionals; or
  • to protect a child; or
  • to protect adults who are thought to be at risk, for example if they are frail, confused or cannot understand what is happening to them.

For all these reasons, the risk must be serious before we can override your right to privacy.

If we are worried about your physical safety or feel we need to take action to protect you from being harmed in other ways, we or our partners will discuss this with you and, if possible, get your permission to tell others about your situation before doing so.

We may still share your information if we believe the risk to others is serious enough to do so. If this is the case, we will make sure that we record what information we share and our reasons for doing so. We will let you know what we have done and why, if we think it is safe to do so.

What does this mean?

Sometimes the law says we need to share your information with another organisation.

We may also need to share your information if we think you or someone else is in serious danger. If SH.UK or anyone involved in your care needs to share information about you, they will usually try and talk to you about this first.

We will always keep a record of what we have shared and why.

13. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

In line with national clinical guidelines, your record will be retained for a minimum of 10 years after the last recorded entry. If you are under 18 your record will be retained for a minimum of 10 years after your 18th birthday.

After that point, we will remove personal information (e.g. name, house number, street name, telephone number and email) to provide an anonymised data set which is retained for statistical and research purposes only.

What does this mean?

We keep your data for at least 8 years. If you’re under 18 then we keep your data for at least 10 years after your 18th birthday. We may need to keep it for longer in some cases.

Once we do not need to keep your data we will delete any personal information we hold about you. We will keep information about how you used the service. Any information we keep cannot identify you.

14. Your Rights

The law gives you a number of rights in relation to what personal information is used by Preventx, and how it is used. These rights allow you to ask us to:

Request Access – to your personal data (or "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.

Request Correction - of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.

Request Erasure - of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request. For example, where the information we process is used to assist clinicians at your NHS Trust with your care we are not always able to fulfil deletion ("Right to be Forgotten") requests, and it is important you understand this prior to accessing the service.

Object to Processing - of your personal data where we are processing it for direct communications purposes.

Request Restriction of Processing - of your personal data where you may need us to hold the data even if we no longer require it as you may need to establish, exercise or defend a legal claim.

Request the Transfer - of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the data to perform a contact with you.

Withdraw Consent at any time - where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you. We will advise you if this is the case at the time you withdraw your consent. The right to withdraw consent and the right to erasure may not apply due to the nature of the services being provided and our basis in law for processing this data. We will consider requests to remove personal identifying information from your record to ensure that the data we do retain is anonymised, while enabling us to meet our statutory requirements.

As outlined above, we are not always able to fulfil erasure ("Right to be Forgotten") requests, and it is important you understand this prior to accessing the service. We are usually able to delete an account where there has been no clinical interaction (e.g. where you have not enrolled in a service and completed a consultation).

If you wish to exercise any of the rights set out above, please contact our data protection officer at [email protected]

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to assist us with our response.

We try to respond to all legitimate requests within one month. Occasionally it could take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you are not satisfied with how we are processing your personal data or with the response you have received from us, you have the right to lodge a complaint with a supervisory authority for the UK who is the Information Commissioner’s Office (ICO).

The ICO contact details are as follows:
Telephone: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/

What does this mean?

You can ask us what data we hold about you. If this is wrong you can ask us to change it.

You can ask us to delete information we hold about you.

We will always consider your request but we may not always be able to delete the information.

We will always tell you what information we cannot delete and why.

The section above tells you about some more rights that you have.

If you don’t understand anything or you want to ask us anything about the data we hold about you, contact us at [email protected]

We will reply to you as soon as possible. We always try to answer your query and give you any information you have asked for within 1 month. Sometimes it may take longer.

If you are not satisfied with how we are processing your personal data or with the response we send you, you can complain to the Information Commissioner’s Office (ICO).

The ICO contact details are:
Telephone: 0303 123 1113
Website: https://ico.org.uk/make-a-complaint/

15. Third Party Links

You may find links to third party websites on our website. These websites should have their own privacy policies which you should check. We do not accept any responsibility or liability for their policies whatsoever as we have no control over them.

What does this mean?

Sometimes we link to other websites. All websites have their own Privacy Policy. We have no control over how other websites collect, store or use information about you.