W8Buddy+ Privacy Policy

This Privacy Notice is designed to help you understand everything you need to know about our data gathering and processing operations, and what your legal rights are. The W8Buddy website is not intended for children and we do not knowingly collect data relating to children.

DDM Health Ltd takes its responsibility for protecting your data very seriously. If there’s anything in this policy you don’t understand or if you want to ask any questions, please feel free to contact us.

GroHealth.com and the Gro Health mobile app (each and together, the “Sites”, "Service" or “Platform”) are owned and operated by DDM Health Ltd of 9 Little Park Street, Coventry, CV1 2UR (“we”, “us”, “our“, “DDM”). For the purposes of data protection law, the data controller is DDM Health Ltd (data protection registration number Z3613413). Where we process personal data only on another controller's instructions (for example, NHS login identity verification, see Section 6), we act as a processor for that controller.

We are committed to protecting and respecting your privacy and this Privacy Policy (together with our Terms and Conditions and any other documents referred to therein) sets out how we process the personal data of each visitor and customer (resident in the European Union) to the Sites, where such personal data is provided to us through any of the Sites, via email communication and any branded pages on third party platforms (such as Facebook or YouTube). Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.

We may update this Privacy Policy at any time. Changes will be posted on this page, and we will notify you via email or in-app message. Your continued use of the Sites constitutes your acceptance of any changes.

Last updated: 17/07/2025.

1. Introduction

Full name of legal entity: DDM Health Ltd
Registered company number: 07975193
Email address: [email protected]
Postal address: 9 Little Park Street, Coventry, CV1 2UR
Telephone: 0330 133 0307

DDM is not a pharmacy. Instead, DDM is a health service provider that partners with licensed pharmacies to deliver safe healthcare solutions. We collect and securely transmit necessary prescription and medical information to a partnered pharmacy, which is responsible for dispensing your medication. As part of this service, prescription and consultation data may be retained for a minimum of two years to comply with UK pharmacy regulations. This approach ensures compliance with the Medicines Act 1968, the Human Medicines Regulations 2012, and relevant record-keeping requirements, as well as maintaining patient safety and facilitating regulatory audits.

Changes to the privacy notice: This version was last updated in July 2025. We may update this notice from time to time. It is important that the personal data we hold about you is accurate and current, so please keep us informed if your personal data changes during your relationship with us.

Third-party links: Our website may include links to third-party websites, plug-ins, or applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our site, we encourage you to read the privacy notice of every website you visit.

2. Why Do We Collect and Process Personal Data?

We collect personal data for several key purposes:

  • Staff and Contractor Management: We collect data about our employees and others who work on our behalf for management and business operation purposes.
  • Customer Relationship: We collect personal data about our customers (and prospective customers) so that we can maintain a professional relationship, provide services, and respond to inquiries appropriately. Limited personal data may also be collected from visitors to our website to tailor user experience and improve our services.
  • Patient Services: We collect data from patients who wish to receive our services. This information is used to tailor and personalize those services, inform our expert advisors (such as medical professionals), improve service effectiveness, and evaluate outcomes.

We only collect personal data when it is necessary to fulfill the purposes above. Each of these purposes rests on a lawful basis under data protection law (UK GDPR): most commonly performance of a contract with you, compliance with a legal obligation, or our legitimate business interests (see Section 5 for details). We will not use your personal data for any unrelated purposes unless required or permitted by law.

Special Category Data: Health-related information (e.g. medical data) is classified as "special category" personal data under the law. The legislation places additional restrictions on processing this type of data. We ensure that when we process health information, it is only for the specific medical purposes allowed by law. If we ever need to use your health data for a purpose outside of those legal allowances, we will seek your explicit consent first.

3. The Data We Collect About You

Personal data (or personal information) means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store, and transfer different kinds of personal data about you. We group these as follows:

  • Identity Data: Includes first name, last name, username or similar identifier, title, date of birth, and gender.
  • Contact Data: Includes billing address, delivery address, email address, and telephone numbers.
  • Financial Data: Includes payment card details or other payment information.
  • Transaction Data: Details about payments to and from you, and details of products and services you have purchased from us.
  • Technical Data: Includes your Internet Protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology information on the devices you use to access our website.
  • Profile Data: Includes your username and password, purchases or orders made by you, your interests, preferences, feedback, and survey responses.
  • Usage Data: Information about how you use our website, products, and services.
  • Marketing and Communications Data: Your preferences in receiving marketing from us and third parties, and your communication preferences.

We also collect, use, and share Aggregated Data such as statistical or demographic data. Aggregated Data may be derived from your personal data but is not considered personal data in law if it does not directly or indirectly reveal your identity. For example, we might aggregate usage data to calculate the percentage of users accessing a specific website feature. However, if we combine or connect Aggregated Data with your personal data in a way that could directly or indirectly identify you, we treat the combined data as personal data and protect it accordingly.

Special Category Data: We may collect certain special category personal data about you, either with your explicit consent or, where we provide healthcare services, under the health and social care condition described in Section 5. This includes details about your health (for example, information about your weight, height, medical history or other health-related metrics) and may also include information about your race or ethnicity if you choose to provide it. We do not collect any information about criminal convictions and offences. We only collect and use special category data for the purposes explained to you (such as providing healthcare services or advice), and in accordance with the law. If you have questions about why we collect special category data, please email us for further information.

If you fail to provide personal data: Where we need to collect personal data by law, or under the terms of a contract we have with you, and you fail to provide that data when requested, we may not be able to perform the contract or service we are trying to deliver. For example, if we require certain health information from you to determine your eligibility for a treatment and you do not provide it, we may not be able to offer that treatment. In such cases, we may have to cancel a product or service you have with us, but we will notify you at the time if this occurs.

4. How Is Your Personal Data Collected?

We use different methods to collect data from and about you, including:

  • Direct interactions: You may give us your Identity, Contact, Financial, and health-related information by filling in forms or by corresponding with us via our website, by post, phone, email, or otherwise. This includes personal data you provide when you:
    • Enquire about our services (for example, asking about a weight management program or other health service).
    • Complete our health questionnaires or assessment forms (for example, a weight loss or medical history questionnaire).
    • Create an account on our website or sign up on our secure online portal to receive test results or track your progress.
    • Subscribe to our services or publications.
    • Request marketing communications to be sent to you.
    • Provide feedback or contact us with questions/concerns.
  • Automated technologies or interactions: As you interact with our website, we may automatically collect Technical Data about your equipment, browsing actions, and patterns. We collect this personal data using cookies, server logs, and other similar technologies. For example, we may log information about how you navigate through the site or which pages you interact with. (Please see our Cookie Policy on our website for further details about the cookies and tracking technologies we use.) We may also receive Technical Data about you if you visit other websites employing our cookies.
  • Third parties or public sources: We may receive personal data about you from various third parties, such as:
    • Analytics providers (e.g. Google Analytics) or search information providers, which can provide Technical Data about your use of our website.
    • Payment and delivery service providers, which can provide Contact, Financial, and Transaction Data when you make purchases or use our services (for instance, our payment processor might give us confirmation of your payment and some details needed to reconcile transactions).

We only collect data from third parties that are legally allowed to share your information with us, and we use that data in accordance with this privacy notice.

5. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we use your data in the following circumstances:

  • Performance of a Contract: Where use of your data is necessary to perform a contract we are about to enter into or have entered into with you. For example, to provide you with our services – including medical consultations, arranging prescriptions, and coordinating dispensing of medication – we must use your personal and health data.
  • Legitimate Interests: Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. For example, we may process your data to improve patient care, service quality, and our operational efficiency. We will always consider your rights and expectations and will not process your data under legitimate interests if your fundamental rights outweigh our interests.
  • Legal or Regulatory Obligations: Where we need to process your personal data to comply with a legal obligation. For instance, we must abide by laws governing healthcare and pharmacies. While DDM is not a pharmacy, we facilitate pharmacy services and therefore adhere to regulations like the Medicines Act 1968, the Human Medicines Regulations 2012, and other healthcare laws. This may require certain data retention or sharing with regulators.
  • Consent (for Special Category Data): We will process your special category personal data (such as health information) only with your explicit consent or under another lawful basis permitted by law (for example, if processing is necessary for the provision of medical care). Where consent is our basis, you have the right to withdraw that consent at any time (which will not affect the lawfulness of processing before withdrawal).

Legal Basis for Processing Health Data: Under the UK GDPR, processing health-related data (which is special category data) requires both a lawful basis under Article 6 and a separate condition under Article 9. We rely on the following provisions:

  • Article 6(1)(b) – Performance of a Contract: We use your personal and health data where this is necessary to deliver the services you have asked us for, such as consultations, prescriptions and coordinating dispensing.
  • Article 6(1)(c) – Legal Obligation: We may need to retain and use patient data to comply with legal obligations in the pharmacy/healthcare context. For example, ensuring records are kept for regulatory compliance.
  • Article 6(1)(f) – Legitimate Interests: We may use and analyze patient data to provide effective healthcare services, improve our platform, and ensure quality of care, provided these interests are not overridden by your rights.
  • Article 9(2)(h) – Provision of Health or Social Care: This condition allows us to process health data when it is necessary for the purpose of medical diagnosis, provision of health care or treatment, or the management of health systems and services, and applies only where the processing is carried out by or under the responsibility of a professional bound by a duty of confidentiality. We collect and process your medical information (with appropriate safeguards) to assess your suitability for certain medication or treatments and to ensure patient safety.

Marketing and consent: We will only send you marketing communications if you have explicitly consented to receive them. For example, if you opt in to our newsletter or updates about new services, we will use your Contact Data to send those communications. You can withdraw consent or change your marketing preferences at any time – either by updating your preferences in your account settings or by clicking the “unsubscribe” link in any marketing email we send. Withdrawing consent for marketing will not affect services we provide to you, and of course, it does not affect the lawfulness of any processing done before you withdrew consent.

We may also use anonymised or aggregated data (which does not identify you personally) for research, analysis, or insight generation. This helps us improve our services and contribute to a better understanding of health treatments and outcomes (for example, understanding the effectiveness of a weight management program in general). Such data will not identify any individual.

6. Who Might We Share Your Information With?

In order to provide our services and fulfill our obligations, we may need to share your personal data with selected third parties. We only share the information that is necessary for the third party to perform their services, and we require all third parties to handle your data securely and lawfully. We do not sell your personal data to anyone.

External third parties we might share data with include:

  • Healthcare Professionals and Medical Partners: This includes doctors or nurse practitioners who provide medical oversight, blood testing services, or prescribing services for DDM (for example, licensed physicians who review your questionnaire and prescribe medication), as well as specialists or clinicians we might consult or refer you to (such as your NHS General Practitioner or private specialists) to ensure you receive appropriate care.
  • Nutrition and Fitness Professionals: If your care program involves dietary guidance or physical activity coaching, we may share relevant information with nutritionists, dietitians, or physical fitness coaches who are employed by DDM to support your weight loss or health improvement plan. They use this information to tailor their professional advice to your needs.
  • Mental Health or Wellness Coaches: Where applicable, we may share necessary information with DDM-employed psychological service providers or wellness coaches (for example, services providing behavioral support) to help them provide you with appropriate mental wellbeing support as part of a holistic health program.

Note: We will only share your information with the categories of practitioners above if they are actually involved in your care through our services. If your particular program does not involve certain types of coaches or practitioners, your data will not be shared with them.

  • Partner Pharmacy: We share your relevant personal and health information with our licensed partner pharmacy that actually dispenses your medication. This includes information necessary to fulfill your prescription (such as your name, contact details, delivery address, prescription details, and any pertinent medical information). The pharmacy requires this data to safely dispense medications and comply with legal requirements. We do not share more information than is needed for this purpose, and the pharmacy is also obliged to protect your data under data protection laws.
  • Regulatory and Legal Authorities: If required by law, we may share information with regulators or authorities. For example, we might need to provide data to healthcare regulators or agencies such as the Care Quality Commission (CQC) or (if applicable) the General Pharmaceutical Council (GPhC), or to law enforcement or other government bodies. This would only happen in compliance with laws — for instance, if a regulator requires us to demonstrate proper record-keeping or if we need to report an adverse event related to medication. Similarly, if necessary, we may share data with the ICO or other data protection authorities in the context of resolving any data protection issues.
  • Service Providers: We employ trusted third-party companies and individuals to support our business (for example, providers of IT and system administration services, cloud storage providers, email/SMS delivery services, payment processors, etc.). These service providers may process your personal data only on our instructions and for the purposes we specify. They are obligated to keep your information confidential and secure, and they are not allowed to use it for their own purposes.

In all cases, we require third parties to respect the security of your personal data and to treat it in accordance with the law. Third-party service providers are not permitted to use your personal data for their own purposes. They may only process your data for specified purposes and in accordance with our instructions and our contractual agreements with them.

If we ever sell or reorganise our business, we may transfer the personal data we hold to a new owner or partner. If that happens, we will ensure that your personal data remains subject to confidentiality and protection, and we will inform you of any changes where required by law.

Importantly: We do not share your personal health data with any third parties for marketing or commercial purposes. Any data sharing is strictly for the purposes described above, and is done under appropriate legal bases (such as providing you with healthcare services or complying with regulations).

NHS login: Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity, and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. NHS login’s Privacy Notice and Terms and Conditions are published by NHS England on the NHS login website. This restriction does not apply to the personal information you provide to us separately.

7. Where Will Your Data Be Stored?

Your data will be stored on secure servers located in the United Kingdom. We use reputable cloud infrastructure providers to host and process data; for example, we use services such as Microsoft Azure and Google Cloud, configured to keep your information in their UK regions. The databases and storage systems we use encrypt data at rest and apply access controls and other security measures to protect your data (see Section 10).

By keeping data storage within the UK, we ensure that your information is protected under UK data protection laws and standards.

8. International Transfers

We do not routinely transfer your personal data outside of the United Kingdom. Our primary data storage and processing activities take place within the UK. However, if in the future we need to use a service provider or partner based outside the UK (for example, a specialist technical service or support team located in another country), we will ensure your data is given an adequate level of protection.

If we ever transfer your personal data out of the UK, we will make sure at least one of the following safeguards is implemented:

  • We will only transfer data to countries that have been officially deemed to provide an adequate level of protection for personal data under UK law. (These are countries approved by the UK government as having strong data protection laws, so your data would be safeguarded similarly to how it is in the UK.)
  • If we transfer data to a service provider in a country without such a designation, we will use specific contractual clauses approved by the UK (such as the UK International Data Transfer Agreement or standard contractual clauses) which give personal data the same protection it has in the UK. We may also rely on other valid transfer mechanisms or exceptions as allowed by the UK GDPR.

9. How Long Will We Keep Your Data?

We will keep your personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. In practice, this means:

  • Service Data: For most data related to the services we provide you, we retain it for as long as you are an active customer and for a reasonable period thereafter. This allows us to have continuity in your care if you return to our services and to comply with any post-service obligations or inquiries.
  • Legal/Regulatory Requirements: As we facilitate pharmacy services, we align with regulatory requirements for medical and pharmacy records. Under UK pharmacy law (historically the Prescription Only Medicines (Human Use) Order 1997, now carried forward in the Human Medicines Regulations 2012), prescription and consultation records must be kept for a minimum of two years. Therefore, even though DDM itself is not a pharmacy, we ensure that any prescription-related data and medical consultation records are retained for at least two years. This retention period supports patient safety, regulatory compliance, and audit requirements. We will not delete or anonymise key medical records relating to prescriptions before two years have passed, even if you request it (see Right to Erasure below), because of these legal obligations.

After the relevant retention period has elapsed, we will either securely delete your personal data or anonymise it so that it can no longer be associated with you. For example, we may remove identifying details from old medical records and use the remaining anonymous data to improve our services or for research. If there are specific circumstances where we need to keep data longer (for instance, if required by other healthcare guidelines or for the establishment, exercise or defense of legal claims), we will do so in compliance with the law.

Right to Erasure (Deletion): You have the right to request that we delete your personal data. If you ask us to delete data before the two-year mandatory retention period (or any other legally mandated period) has passed, we will acknowledge your request and do the following: we will restrict the processing of your data for non-essential purposes (for example, we will stop using it for marketing or service improvement analysis). However, we cannot actually erase the data until the required retention period expires. During the mandatory retention period, your data will be locked down and only retained to meet legal requirements, not for active business use. Once the retention period is over, we will proceed to securely delete or anonymise your data as requested (unless further retention is required by law).

We continually review the personal data we hold and delete or anonymise that which is no longer necessary for any purpose.

10. Data Security

We have implemented strict security measures to protect your personal data from being accidentally lost, used or accessed in an unauthorized way, altered, or disclosed. These measures include:

  • Security Standards: We adhere to industry standards and frameworks, including NHS Digital guidance for healthcare providers and the Cyber Essentials Plus scheme (a UK government-backed certification that includes independent technical testing). This means our systems and processes are regularly assessed to guard against threats.
  • Encryption: Your data is encrypted at rest in our databases and encrypted in transit using secure transport protocols. This means that data intercepted on the network or read directly from storage media would be unreadable without the decryption keys, which are managed separately from the data they protect.
  • Access Control: Access to personal data is granted on a need-to-know, role-based basis and is strictly limited to those employees, contractors, or partners who require the information in order to provide our services or fulfill their duties. For example, a doctor will have access to your medical questionnaire, but a customer support agent may only see contact and appointment details. All staff with such access are subject to confidentiality obligations and trained in data protection.
  • Monitoring and Testing: We regularly review and update our security practices. Our systems are monitored for potential vulnerabilities and attacks, and we perform testing (such as penetration testing and security audits) to ensure our defenses remain robust.
  • Breach Procedures: In the event of a personal data breach, we follow a documented incident response plan. We will notify the ICO where we are legally required to do so (under the UK GDPR, a notifiable breach must be reported to the ICO within 72 hours of our becoming aware of it) and will inform you directly where the breach is likely to result in a high risk to your rights and freedoms. We will also take steps to contain the breach and mitigate any potential harm.

11. Your Rights and Our Responsibilities

Under data protection law, you have several rights regarding your personal data. We respect your rights and will assist you in exercising them. Below is a summary of those rights:

  • Right of Access: You have the right to request access to the personal data we hold about you and to receive a copy of that data. This is commonly known as a "Data Subject Access Request." If you would like to know what personal data we have about you, you can contact us to request it. We may need to verify your identity before providing the information, to ensure we do not disclose data to the wrong person. We will provide the information in a concise and transparent format.
  • Right to Rectification: If any personal data we hold about you is incorrect or incomplete, you have the right to have it corrected. Simply let us know what data is inaccurate or incomplete, and we will take action to rectify it. We strive to keep all information accurate and up to date, and will address correction requests as quickly as possible.
  • Right to Object: You have the right to object to our processing of your personal data in certain circumstances. For example, if we are processing your data based on a legitimate interest and you feel that our doing so impacts your rights or freedoms, you can object to that processing. You also have an absolute right to object to the use of your data for direct marketing (which we only do with your consent), and we will stop that processing as soon as we receive your objection. In other cases, we may demonstrate that we have compelling legitimate grounds to continue processing your information (for example, if it is needed for legal claims), but we will consider and respond to each objection case by case.
  • Right to Data Portability: You have the right to request that we transfer the personal data you have provided to us to you or directly to another provider (where technically feasible), in a structured, commonly used, machine-readable format. This right applies only to information that we process by automated means and based on your consent or a contract (for example, if you provided health data through our app and want a copy to send to another service). We will help by providing your data in a suitable format (such as CSV or JSON file) when you exercise this right.
  • Right to Erasure: (Also known as the "right to be forgotten.") You have the right to ask us to delete or remove personal data where there is no good reason for us to continue processing it. This includes situations where the data is no longer necessary for the purpose we collected it, or if you have withdrawn consent (where consent was the legal basis) or successfully exercised your right to object (and we have no overriding grounds to continue). Please note, as explained in Section 9, that certain data cannot be deleted immediately due to legal retention requirements, but we can restrict it and erase it as soon as those requirements expire. We will always comply with our legal obligations regarding erasure of data.
  • Right to Complain: We hope to resolve any query or concern you raise about our use of your information directly. Please contact us first if you have a complaint, and we will do our best to address it. If you are not satisfied with our response or believe we are unlawfully processing your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection issues. The ICO can be reached at 0303 123 1113 or via its website at ico.org.uk/concerns. You also have the right to seek a judicial remedy through the courts if you believe your rights have been breached.

To exercise any of your rights, please contact us using the details in Section 1 of this notice. We may need to request specific information from you to confirm your identity when you make a rights request. This is a security measure to ensure that personal data is not disclosed to anyone who does not have the right to receive it. For example, we might ask you to confirm details that only the account holder would know, or we may require a form of ID for verification.

No fee usually required: You will not have to pay a fee to exercise these rights or to access your personal data. We will provide the information or take the action you request free of charge in most cases. However, if your request is clearly unfounded, repetitive, or excessive, we may charge a reasonable fee to cover administrative costs, or we might refuse to act on the request in those exceptional circumstances. If we believe a fee is justified, we will inform you and explain our reasoning.

Time limit to respond: We try to respond to all legitimate requests within one month. If your request is particularly complex or if you have made a number of requests, it may take us longer (up to an additional two months). In such a case, we will notify you within the initial one-month period to explain why more time is needed and keep you updated on progress.

12. How to Contact Us

If you have questions about this privacy notice, or if you wish to exercise any of your rights or get in touch for any reason, please contact us on the details given in the Introduction.

When you contact us, we may need to collect a few personal details (like your name and contact information, or information about your account or past orders) to verify your identity and assist you. We will only use the information you provide when you contact us for the purpose of addressing your inquiry or request. Specifically, we will use your contact with us to:

  • Respond to inquiries or requests you submit. For example, if you ask about our services or have a question about your account, we will use your information to communicate with you and answer.
  • Provide services or support that you request. For instance, if you email us for technical support or help with using our platform, we will use the details you give us to resolve the issue.
  • Process orders or applications you submit. If your contact relates to an order (such as updating a delivery address or changing an appointment), we will use the information to carry out that request.
  • Administer agreements: If you have an agreement or contract with us, contacting us might involve us using your data to carry out our obligations or enforce your rights under that agreement.
  • Improve our services: We may record or note communications to help anticipate and resolve problems with any services supplied to you, or to improve our customer service quality. (For example, we might track common questions to update our FAQs.)

We do not use the personal information you provide in a customer service query for any purpose unrelated to resolving your query or fulfilling your requests. We also do not share such contact information with any third party, unless it is necessary to do so to resolve your issue (and with your consent or as allowed by law).

13. Visiting Other Sites

This privacy policy applies solely to DDM Health Limited and our services. Please note that if you navigate away from our website to another website (for example, by clicking a third-party link), this notice will no longer apply.

We cannot be responsible for the privacy practices and policies of other websites or services, even if you access them using links from our website or if you were referred to our site from a third-party website. If you follow a link to any external website, we recommend you read the privacy policy of that site.

For example, if our website contains a link to an informational article or a partner service, and you click that link, any data collected on the external site will be governed by that site’s privacy policy. We encourage you to review the privacy and cookie policies of every site you visit and be cautious about providing personal data to other sites if you have concerns.

If you have any questions about this Privacy Policy or how we handle your personal data, please contact us at the email or postal address provided above.