Privacy Policy
At Univa Health (Univa), we believe in being clear, honest, and transparent about how we use your personal information.
This privacy notice explains how and why Univa collects, uses, and stores your personal data when you access our services. It also outlines the rights you have in relation to your information. Your privacy matters to us. We are committed to using your data responsibly, securely, and only where it is necessary to support your care or improve our service.
This privacy notice is primarily written for adults, including parents and guardians of child users of our Services. If you are a child (under 18 years old) you are welcome to read this notice if you find it useful, but we recommend you discuss the contents of this privacy notice with your parent or your guardian.
Throughout this privacy policy, Univa Health Ltd is referred to as “Univa”, “Company”, “we”, “our”, or “us” and is a limited company with registration number 15541979 of 303 Goring Road, Goring-By-Sea, Worthing, England, BN12 4NX.
What is personal data?
Personal data is any information we have that can identify you, such as your name, date of birth, medical history or credit card details.
Our data retention period, which is the length of time we hold your personal data, is informed by the Department of Health, NHS England and professional bodies such as the British Medical Association and The Health and Care Professions Council.
We might also keep some information that doesn’t identify you to help improve our business and our services as well as helping with health research. We do this by removing your identifiable information (such as your name, date of birth, contact details) to form ‘de-identified’ data.
In accordance with national opt-out legislation, you can choose to opt out of your confidential information being used for research and planning. For more information on this, please visit the NHS data opt-out website.
The type of information we collect from you depends on how you engage with our Services or interact with us.
We collect personal information that you upload to the Univa Service when you set up your account on the Univa Service and become a ‘Member’, and that you provide directly to us when you communicate with us (including through email, phone or social media).
If you are a member, we also collect personal information that you upload to the Univa Service when you use the Univa Service Features and when you schedule and pay for a Session.
Most of the information that we collect is collected directly from you. Third parties acting on your behalf (for example, insurers, GPs or other health professionals etc.) may also provide us with personal information about you, subject to their own privacy policies.
For users of our Services and our website, we may collect personal information about you from:
- A family member or someone acting on your behalf;
- Your parent or guardian (if you’re under 18 years old);
- Doctors, clinicians, healthcare professionals, hospitals, clinics and other healthcare providers;
- Those paying for the Services we provide to you including the NHS, private clinics and health insurers.
- Your employer if you are using the Univa Service in a professional capacity to support patients and carers
Like most online services, we also collect certain personal information about you automatically when you use the Univa Service in order to understand how the Univa Service is used and how we can improve it.
We have set out the categories of personal information we collect and how we use them in detail below.
How to Contact Us
If you have any questions or concerns about how your personal information is used, or if you want to exercise your rights granted under the applicable data protection law, please contact us at: Univa Health Ltd, dataprivacy@univa.health
How and why do we use your personal information?
Under data protection law, we can only use your personal data if we have a legitimate reason to do so. For example:
- where you have given consent
- to comply with our legal and regulatory obligations
- for the performance of a contract with you or to take steps at your request before entering into a contract, or
- for our legitimate interests or those of a third party
A legitimate interest is when we or a third party have a business or commercial reason to use your information, so long as this is not overridden by your own rights and interests.
We are the data controller of the personal information we collect and use through the Univa Service as described in this Privacy Notice. This means that we determine and are responsible for how your personal information is used when you use the Univa Service or otherwise interact with us by email, phone or social media.
If the NHS is paying for your service with us, we are “Joint Data Controller” for your personal information in connection with providing you this service, along with the NHS Organisation who referred you to us. This means we make decisions together about how your personal data is used. You can contact either us or your NHS Organisation with questions.
We provide further details below about what we use your personal information for and why.
Processing of personal data
Univa processes personal data about you for the provision of our services to you. We do this, for example, when you create an account with Univa or when you decide to share personal data with us in the context of receiving healthcare consultations through us, using our App. Or where a third party (for example, your GP or psychiatrist, private clinic, an insurer or the NHS) has referred you to Univa for care, or they are paying Univa for your Service, we may collect certain personal information about you from them.
| Purposes of processing | Types of individuals | Types of Personal data | Lawful Bases |
| Providing health and care to NHS referred patients/carers | NHS Patients/CarersNHS healthcare professionals | Name, demographics, medical health data, video and/or audio recorded entries through Univa app features such as mood diaries, as well as recorded calls and emails to support teams regarding your service with us, health experience questionnaires.NHS healthcare professional name, role and contact details | Performing a task in the public interest [Article 6(1)(e)] and;The provision of health or social care or treatment [Article 9(2)(h)] |
| Providing health and care to private paying members | Private paying members | Name, demographics, medical health data, video and/or audio recorded entries through Univa app features such as mood diaries, as well as recorded calls and emails to support teams regarding your service with us, health experience questionnaires | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and;The provision of health or social care or treatment [Article 9(2)(h)] |
| Managingcontract withprivate payers | Privatepayingmembers and private healthcare professionals | Name, address,payment details | For compliancewith a legal obligation [Article6(1)(c)] |
| Private Payqueries which donot go to receiving a Univa Service | Privatepayingmembers and private healthcare professionals | Name, contact details | For compliancewith a legal obligation [Article6(1)(f)] |
| Communicatingregarding any concerns, queries or complaints | All members | Name, contact details, any relevant informationincluding health | Providingyou or planning forHealthcare services in our ‘legitimateInterest’ [Article6(1)(f)] and;Ensuring high standards of quality and safety of health care [Article 9(2)(i)] |
| Quality Assurance, quality improvement, training and security, including conducting peer reviews of consultations conducted by clinicians delivering Univa services | All members | Health data, recordedcalls and emails to support teams regardingyour service with us, Univa app usage data | Providing you or planning for healthcare services in our ‘legitimateInterest’ [Article 6(1)(f)] and; EnsuringHigh standards of quality and safety of health care [Article 9(2)(i)] |
| To conduct research | Members who register their interest and participate | Name, contact details, study ID, and health data,video and/or audio conversations recordedthrough Univa app features. We remove any details that could identify you from this information.This includes your name, address and contactinformation. | Providing you or planning for healthcare services in our ‘legitimateInterest’ [Article 6(1)(f)] and; For the public interest, scientific or statistical purposes [Article 9(2)(j)] |
| Further research purposes (see section “Helping with health research”) | All members | Health data, video and/or audio conversationsRecorded through Univa app features. We remove any details that could identify you from this information. This includes your name, address and contact information. As part of our research, we may use your contact details to invite you totake part in clinical trials. | Providing you or planning for healthcare services in our‘Legitimate interest’[Article 6(1)(f)] and; For the public interest, scientific or statistical purposes[Article 9(2)(j)] |
| Processing Personal Data from emergency contacts allows us to look after the wellbeing of our members in the event of an emergency | Emergency contacts | Name, email address, phone number and relationship to member | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] |
| Complying with our legal or regulatory obligations, and defending or exercising our legal rights where necessary or in the vital interests of thedata subject | All members | All personal data held byUniva where necessary | For compliancewith a legal obligation [Article6(1)(c) and (d) and Article 9(2) (c)(f)] and; For reasons of substantial public interest [Article9(2)(g)] |
| Supplier retention | All suppliers | Name, address, contact details and paymentinformation | Processing is necessary for the performance of a contract [Article6(b)] |
Where we rely on GDPR Article 6(1)(f) ‘legitimate interests’ are as follows:
- Providing health care to individuals
- Ensuring complaints and communications are handled appropriately
- Ensuring we provide and maintain a high level of quality of service
- Undertaking research to further improve our service
Helping with health research
When using your de-identified data to support health research, we aim to publish our
research results in peer-reviewed journals or by working with academics. We may
conduct research with partner organisations such as universities or other academic
institutions.
We may also use data that does not identify you personally as part of statistics that
we collect on certain types of illness, symptoms and conditions. This might include us
contributing medical data to our partners and organisations such as NHS England.
They will always be anonymised, which means you cannot be personally identified.
This is so we can improve our medical knowledge, help deliver better care and help
the general public.
Sharing your personal data
We will only share your personal data with organisations involved with your care (for
example your GP or NHS Trust), unless we have a legal obligation to share with
another party. Where personal data will be shared outside the purposes of providing
you care we will inform you unless the law restricts us from doing so.
Where we store and process your data
Your personal information is primarily processed within the UK and European Economic Area.
In some situations, your data may be processed or stored outside of the UK and the European Economic Area (EEA). This is because we sometimes work with other companies who help us deliver our services to you and they might have servers outside of the UK or EEA. This will always be in line with applicable data protection lawful mechanisms and protected by appropriate safeguards (such as EU-approved standard contractual clauses, a Privacy Shield certification, or a supplier’s Binding Corporate Rules). For further information on how we protect your data if we transfer it outside of the EEA, contact us by email at: dataprivacy@univa.health
Further uses of personal data for corporate purposes:
| Purposes of processing | Types of individuals | Types of Personal data | Lawful Bases |
| Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (eg tax or legal advice) | Members andCommissioners (payers) | Financial, contact details, name | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] and; For compliance with a legal obligation [Article 6(1)(c)] |
| Provide information in relation to new services offered by Univa as an existing member or potentialnew member, or to invite members to participate in service development activities | Members and mail list subscribers | Name, contact details | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] |
How to unsubscribe from our marketing communications
You may unsubscribe from our marketing communications by clicking on the “unsubscribe” link at the bottom of our emails or emailing dataprivacy@univa.health. Please note customers cannot opt-out of receiving transactional emails related to their account or service with Univa.
Website users and social media platforms
| Purposes of processing | Types of individuals | Types of Personal data | Lawful Bases |
| Collect analytics to understand user numbers accessing website, registering interest for our services and research | All individuals access Univa website and social media platforms that click on our adverts | IP address, device address, time of day, length of time, what screens are visited | Providing you or planning for healthcare services in our ‘legitimate interest’ [Article 6(1)(f)] |
For website users and social media platforms, where we rely on GDPR Article 6(1)(f) our legitimate interests are as follows: Marketing our products, services and research.
Cookies
If you are a visitor to our website, Univa will also process personal data using
cookies.
We use cookies on our website (www.univa.health) (“Site”) to help in order for the website to run and to provide a more personalised service to you. This policy describes how we use cookies and your options in regard to them.
What are cookies?
Cookies are a small piece of text which is downloaded on a device (such as a computer or mobile phone) when a user accesses a website which allows the website
to understand the users preferences or past actions.
Univa uses a number of these cookies as outlined below. Univa will always ask for
your consent before placing these cookies on your device, except where the cookie is
necessary in order for our website to function. These are called ‘strictly necessary’
Cookies.
All other cookies can be controlled via our cookie management system, which is available on our website pages.
Pixel tags and web beacons are tiny graphic images placed on website pages, emails and social posts that allow us to determine whether you have performed a specific action. When you access these pages, open or click an email, or share a post on social media, the pixel tags and web beacons generate a notice of that action. These tools allow us to measure responses to our communications and improve our web pages and promotions.
We have outlined below the types of cookies we use, their purpose and how long the cookie is kept on your device.
Where you have consented to all non-strictly necessary cookies, you may withdraw this at any time by using our cookie management platform.
Strictly Necessary Cookies
Strictly Necessary Cookies are required to enable the basic features of the Site, such as providing secure log-in or adjusting your consent preferences. These cookies do not store any personally identifiable data. We have five cookies that we use which are necessary to run our Site. The purpose of these cookies are outlined below:
| Name of Cookie | Purpose | Duration | Third party? |
| __cf_bm | This cookie, set by Cloudflare, is used to support Cloudflare Bot Management. | 1 hour | Yes |
| __hssrc | This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session. | Session | Yes |
| __hssc | HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie. | 1 hour | Yes |
| _cfuvid | Calendly sets this cookie to track users across sessions to optimize user experience by maintaining session consistency and providing personalized services | Session | Yes |
| cookieyes-consent | CookieYes sets this cookie to remember users’ consent preferences so that their preferences are respected on subsequent visits to this site. It does not collect or store any personal information about the site visitors. | 1 year | Yes |
Analytics Cookies
Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics such as the number of visitors, bounce rate and traffic source.
| Name of Cookie | Purpose | Duration | Third party? |
| __ga_* | Google analytics sets this cookie to store and count page views | 1 year 1 month 4 days | Yes |
| _ga | Google analytics sets this cookie to calculate visitor, session and campaign data and track site usage for the site’s analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognise unique visitors. | 1 year 1 month 4 days | Yes |
| _hstc | Hubspot set this main cookie for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session) | 6 months | Yes |
| hubspotutk | HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts. | 6 months | Yes |
How long do we keep your personal information?
As required in accordance with how we use your personal information, we may share your personal information as follows:
| Personal Information | How long we keep it |
| Contact information | We will store this personal information for no longer than we need it to provide the Univa Service you request from us and for the other purposes set out above.We may also need to keep it to comply with our legal obligations and enforce our rights from time to time.As a result, the length of time that we keep your information will vary depending on the purposes for which we have it. In any event, we will review what information we need on an ongoing basis and will only retain it for the minimum amount of time that we need it for. |
| Comments, queries and feedback | |
| Communication preferences | |
| Content you submit when using the Website or App | We will store this personal information for as long as your account is active and for up to 90 days after you cancel.We may also need to keep it to comply with our legal obligations and enforce our rights from time to time.As a result, the length of time that we keep your information will vary depending on the purposes for which we have it. In any event, we will review what information we need on an ongoing basis and will only retain it for the minimum amount of time that we need it for. |
| Clinical information | We will store this personal information for 8 years if you are an adult member. If you are 16 years old, we will retain your data until your 25th Birthday or until 26, if you were 17 at the time of starting the Univa Service. |
| Information about how you access the Univa Service | We will store this personal information for no longer than necessary to assess the performance of the Univa Service and identify errors in the Univa Service. |
How we protect your personal data
Univa is committed to protecting your personal data with the highest standards of security. We use a combination of administrative, technical, and physical safeguards to protect your information from loss, theft, misuse, unauthorised access, disclosure, alteration, or destruction.
All personal data is stored in encrypted form on secure servers housed in tightly controlled environments. Access to your data is limited to authorised Univa employees, contractors, and agents who require it to operate, maintain, or improve our services and platform.
We follow widely accepted industry standards to protect personal data during transmission and once it is received. Our security practices include a range of technical and organisational controls designed to ensure your information remains private and secure at all times. This includes:
- Compliance with the NHS Data Security and Protection Toolkit
- Completing annual Cyber Essentials certification by external security specialist company
- Annual penetration testing of our systems by an external cyber security specialist company
- Annual training for all staff on how to handle information securely.
- Having role-based access controls so that staff can only access records necessary for their role.
- Hosting on a secure platform through Amazon Web Services who maintain the servers and ensure they are secure and up-to-date at all times with the latest security patches. This also includes extensive physical access security systems to the server sites by professional security staff utilising video surveillance, state-of-the-art intrusion detection systems, and other electronic means.
How to contact the supervisory authority
You have the right to complain to the Information Commissioner (ICO) if you are unhappy about how we process your personal data or if you feel that we have not addressed your concern in a satisfactory manner.
The ICO Helpline number is 0303 123 1113, and you can find other ways to contact the ICO here: https://ico.org.uk/global/contact-us/
Changes to our Privacy Notice
We keep this Privacy Notice under regular review and place any updates on www.univa.health/privacy-policy. This Privacy Notice was last updated on 29th June 2025.