H&B & Me - Privacy Notice

Last updated: 30 September, 2021

This privacy notice explains the details around process of personal data under the GDPR and the UK’s Data Protection Act 2018. For the purposes of this document, when we say GDPR, we will also mean the UK DPA 2018.

Who We Are

We are Holland & Barrett Retail Limited, registered company number 02758955 and registered address at Samuel Ryder House Barling Way Eliot Park Nuneaton CV10 7RH. We refer to ourselves as “H&B” or “we” or “us” in this document.

Our Data Protection Officer (DPO)

UKGDPR Limited
20-22 Wenlock Road
email: dpo@ukgdpr.org

Why We Are Collecting Your Data

H&B is conducting a trial of their new health management platform. Your personal data will be collected from you and processed to assist in the development of the system. H&B will process personal data to evaluate a number of potential health indicators and use that information to provide an evaluation of some areas of your health and potentially make recommendations.

The Categories of Personal Data We Process

We may collect the following categories of personal data, including;

Communication and Support

When you communicate with us, we retain that information to ensure we can provide the right services, for training and for customer support purposes.

The Lawful Basis We Use to Process Personal Data

Under the GDPR we must have a lawful reason for processing personal data. Information about your health is considered a special category of data and requires a higher level of protection.

Our lawful basis for processing personal data is determined based on the type of data and how we are going to use it, and we list those purposes in this Privacy Notice. There are obligations upon us to process your data in accordance with your rights – see the section ‘Your Rights’.

Sometimes we have collected data from you, and other times we will ask for your permission to collect data from other third parties.

Our Purpose when Collecting your Data, our Lawful Basis for the Processing and How Long we Retain Your Data

To Provide Service and Support
  1. We collect your name, contact details and keep copies of complaints or concerns that you have. Our Lawful basis for this is ‘Contractual Obligation’. Your data is held by us for 3 years after the end of your last activity with us, or within 1 month if you request it or actively leave our service.
  2. We collect emails and other standard communication between you and H&B. Our lawful basis for this is ‘Legitimate Interest’. Your data is held by us for 1 year after you cease to actively use our service. If the communication involves a complaint, we will retain the data for 2 years after the last correspondence.
  3. We collect information about you, including your medical condition, and other special category data, as well as other data about yourself that you provide to us. We use that data collectively to help build a picture of your holistic health so that we can provide the best advice. Our lawful basis for processing this data is ‘Consent’. Your data is held by us for 3 years after the end of your last activity with us, or within 1 month if you request it or actively leave our service.
To Keep You Informed of New Products and Services
  1. We will use your name and contact details to inform you of products and services where you have given us consent to do so. Our lawful basis is ‘Consent’. Your data is held by us for 1 year after you cease to use our service
For Research
  1. We may pseudonymise your health data, including medical records, dietary information and conditions, among others, so that it is not easily attributable back to you, and then use that data for research purposes. Our lawful basis for processing this data is ‘Consent’. Your data is held by us for 3 years after the end of your last activity with us, or within 1 month if you request it.

Withdrawing Your Consent

You may withdraw your consent for us to process your data, where the lawful basis is consent. You can do this by writing to us at GDPR@hollandandbarrett.com or by post to Data Protection Officer, Holland & Barrett, Samuel Ryder House, Barling Way, Eliot Park, Nuneaton CV10 7RH.

Note that simply deleting the H&B & Me App from your device will not withdraw any consents you have given.

How We Collect and Store Personal Data

We collect information directly from you via a mobile phone app. We currently have apps for both IOS and Android. Our app only requires the permissions necessary to securely log you in, and for authentication purposes.

We adhere to both Apple’s and Google’s Application store’s development guidelines with regards to data privacy.

Your information is stored on Amazon’s AWS UK-based Cloud service for storing your data. All data sent to storage is encrypted to, or beyond best practice requirements.

Informing You About Our Services

We want to keep you up to date with existing service, offers, or new products and services from time to time. We may send you the information by email or text message, and if you no longer wish to receive this information, you can withdraw your consent at any time using the instructions that are sent at the bottom of every message.

Keeping Your Data Secure

We have implemented a secure system for collecting and storing your data based on best practices. That system is being regularly tested and improved. When we collect your data, it is sent to our servers encrypted. The database on which your personal data is stored is also encrypted, and we use a secure cloud infrastructure from AWS – an Amazon service based in the UK.

We test the application regularly using external security professionals following best practices.

Parties We May Share Your Data With

We will share your personal data with a limited number of trusted third parties to help us process and analyse your Personal Data for us and assist us in providing you with accurate recommendations. This includes external consultants who work independently for Holland & Barrett and are considered experts in a particular field, for example, menopause or sleep. Before we share data with any third party, we ensure they meet our strict security and compliance standards, and we may audit them to ensure the standards are being upheld.

Your Rights

The GDPR, and the UK Data Protection Act 2018 give you rights over your personal data. You should be aware of these rights, which are:

Your right of access - You have the right to ask us for copies of your personal information.

Your right to rectification - You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.

Your right to erasure - You have the right to ask us to erase your personal information in certain circumstances.

Your right to restriction of processing - You have the right to ask us to restrict the processing of your personal information in certain circumstances.

Your right to object to processing - You have the right to object to the processing of your personal information in certain circumstances.

Your right to data portability - You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

Note that the above rights may have certain limitations depending on the circumstances, such as if there was a legal issue outstanding. In the case that we are unable to comply with any one or your rights for a legitimate reason, we would explain that to you.

Your Right to Complain

If you have a complaint about how your information is being managed, please contact our DPO whose contact details are at the top of this privacy notice. However, if you are not satisfied with the outcome, you can complain directly to the Information Commissioner. Their contact details are below.

Information Commissioner:
Wycliffe house
Water Lane

Tel: 01625 545745


Changes to this Policy

We may update this Privacy Notice from time to time. We will inform you when we make any major changes to this Privacy Notice and allow you the opportunity to review them. If you are unhappy with the changes, you always have the ability to request that we stop processing your personal data at any time – see above regarding removing your consent.

This Privacy Notice was last updated on 30 September, 2021.