Privacy Policy

How Canvera Clinic collects, uses and protects your personal information

Canvera Ltd | Version 1.0 | Effective 01.06.2026 | Last reviewed N/A

1. About this policy

This privacy policy explains how Canvera Ltd ("Canvera Clinic", "we", "us" or "our") collects, uses, stores, shares and protects personal information when you use our website, register as a patient, attend a consultation or otherwise interact with us.

We take your privacy seriously. Because we are a healthcare provider, most of the information we hold about you is sensitive, and we treat it accordingly. This policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the EU General Data Protection Regulation (EU GDPR) where applicable, the Privacy and Electronic Communications Regulations 2003 (PECR), and the common law duty of confidence that applies to health records.

This policy applies to patients, prospective patients, visitors to our website, professional contacts, and anyone else whose personal data we process in connection with our services.

2. Who we are

2.1 Data controller

Canvera Ltd is the data controller responsible for your personal information.

  • Company name: Canvera Ltd
  • Company number: 17252598
  • Registered office: C/O Elixir Aldershot Enterprise Centre, 14-40 Victoria Road, Aldershot, United Kingdom, GU11 1TQ
  • ICO registration number: to follow (registration pending — will be inserted on confirmation from the ICO)
  • General enquiries: help@canveraclinic.com

2.2 Our regulatory position

Canvera Clinic has submitted an application for registration with the Care Quality Commission (CQC) as a provider of regulated activities in England. Our clinical services are provided by doctors on the General Medical Council (GMC) Specialist Register. Prescription fulfilment is carried out by Canvera Pharmacy, a separately registered entity with the General Pharmaceutical Council (GPhC).

Note: We will update this policy once our CQC registration certificate is issued to reflect our registration number and registered activities.

2.3 Data Protection Officer

We have appointed a Data Protection Officer (DPO) who is responsible for overseeing how we handle personal information. You can contact the DPO directly about anything in this policy, to exercise your rights, or to raise a concern:

  • Name: Bernhard Kommsher
  • Email: bk@canveraclinic.com
  • Postal address: Data Protection Officer, Canvera Ltd, C/O Elixir Aldershot Enterprise Centre, 14-40 Victoria Road, Aldershot, United Kingdom, GU11 1TQ

2.4 Our group

Canvera Ltd is part of a group of companies owned by Canvera Group GmbH, a company incorporated in Germany. Where we share personal information with other group companies, in particular Canvera Pharmacy and our German parent, we do so under written agreements that meet the requirements of UK GDPR and, where relevant, EU GDPR. Those arrangements are described in sections 6 and 7 below.

3. Information we collect

The information we collect depends on how you interact with us. We have grouped it by category below.

3.1 Information you give us

  • Identity and contact details: name, date of birth, sex recorded at birth, gender identity (where you choose to share it), address, email address, telephone number.
  • Identity verification data: copies of photo ID and, where required, a live selfie or video check to confirm identity.
  • Health information: information about your medical history, current symptoms, medications, previous treatments, results of investigations, information from your GP or other clinicians (with your consent), lifestyle information relevant to your care, and notes made by our clinicians during consultations.
  • Consultation content: information shared during video consultations, including any recordings we make where we have told you about the recording and obtained your consent, along with written notes.
  • Financial information: payment card details (processed by our payment provider — we do not store full card numbers), billing address, and transaction history.
  • Correspondence: emails, secure messages, support tickets and other communications between you and us.

3.2 Information we collect automatically

  • Device and browser information, including IP address, browser type and version, operating system and device identifiers.
  • Usage information, including pages viewed, features used, approximate location derived from your IP address, and the time and duration of your visits.
  • Cookies and similar technologies (see our Cookie Policy for details).

3.3 Information we receive from others

  • Information from your GP or other healthcare providers, where you have consented to us requesting it (for example, a Summary Care Record or clinical letter).
  • Information from identity-verification providers we use to confirm your identity.
  • Information from Canvera Pharmacy about prescriptions we have issued and dispensing activity.
  • Information from fraud-prevention, credit-reference or sanctions-screening services where we are required or permitted to use them.

4. Special category (health) data

Most of the information we collect about patients is special category data under UK GDPR (Article 9). This includes health information, and may include information about race, ethnicity, religion or sexual orientation where these are relevant to your care and you choose to share them with us.

We process special category data under the condition in Article 9(2)(h) of UK GDPR, which covers processing necessary for the provision of health or social care or treatment, or for the management of health or social care systems and services. Under Article 9(3), that condition applies only where the processing is carried out by, or under the responsibility of, a professional who is subject to an obligation of professional secrecy. That is the case at Canvera Clinic, where care is delivered by GMC-registered doctors bound by a duty of confidentiality. Article 9(2)(h) is used alongside an Article 6 lawful basis, which we set out for each purpose in section 5.

We also rely on Schedule 1 of the Data Protection Act 2018, in particular the condition in paragraph 2 (health or social care purposes), and where relevant paragraph 3 (public health) and paragraph 4 (research).

Where we process special category data for purposes outside direct care — for example, to investigate a complaint or to defend a legal claim — we rely on Article 9(2)(f) (legal claims) or your explicit consent under Article 9(2)(a).

5. How we use your information and our lawful bases

The sections below set out the purposes for which we process your personal information, the categories of data involved, and the lawful bases we rely on under UK GDPR Articles 6 and 9.

5.1 Providing care

To register you as a patient, conduct eligibility checks, deliver video consultations, make clinical decisions, issue prescriptions, arrange dispensing through Canvera Pharmacy (or, at your request, another registered pharmacy), and provide aftercare.

Lawful basis: Article 6(1)(b) (performance of a contract with you). For health data: Article 9(2)(h) (health or social care).

5.2 Identity verification and safeguarding

To confirm you are who you say you are, to prevent fraud, and to identify safeguarding concerns involving vulnerable adults or children.

Lawful basis: Article 6(1)(c) (legal obligation) and Article 6(1)(f) (legitimate interests in preventing fraud and in safeguarding). For health data: Article 9(2)(h) where the check forms part of providing your care; Article 9(2)(g) (substantial public interest) together with the safeguarding condition in paragraph 18, and the preventing-fraud condition in paragraph 14, of Schedule 1 to the Data Protection Act 2018; and, in an emergency where you or another person is unable to consent, Article 9(2)(c) (vital interests).

5.3 Clinical governance and quality

To audit the quality of care we provide, investigate adverse events and near misses, conduct case reviews, and improve our services. This is a core requirement of CQC-regulated healthcare and of GMC Good Medical Practice.

Lawful basis: Article 6(1)(f) (legitimate interests in safe, high-quality care) and Article 6(1)(c) (legal obligation). For health data: Article 9(2)(h).

5.4 Reporting and pharmacovigilance

To report adverse drug reactions to the Medicines and Healthcare products Regulatory Agency (MHRA) through the Yellow Card scheme, to maintain controlled-drug records required under the Misuse of Drugs Regulations 2001, and to comply with other statutory reporting obligations.

Lawful basis: Article 6(1)(c). For health data: Article 9(2)(i) (public interest in public health).

5.5 Managing payments

To take payment for consultations and medication, manage refunds, and resolve billing queries.

Lawful basis: Article 6(1)(b).

5.6 Communication

To send appointment confirmations, reminders, follow-up messages, clinical correspondence, service updates and administrative communications.

Lawful basis: Article 6(1)(b) for care-related communication; Article 6(1)(a) (consent) for marketing communications where required by PECR.

5.7 Website operation and security

To run our website and patient portal, monitor performance, protect against cyber-attack, and maintain audit trails for security and compliance.

Lawful basis: Article 6(1)(f) (legitimate interests — security) and, where required, Article 6(1)(a) (consent via cookie banner).

5.8 Complaints and legal matters

To investigate and respond to complaints, manage insurance claims, obtain legal advice, and establish, exercise or defend legal claims.

Lawful basis: Article 6(1)(c), Article 6(1)(f), or Article 6(1)(b). For health data: Article 9(2)(f) or 9(2)(h).

5.9 Research, statistics and service development

To produce anonymised or aggregated statistics about our services, which may be used for internal analysis, published research, or regulatory submissions. Where data is fully anonymised, it is no longer personal data and falls outside the scope of UK GDPR. The act of anonymising identifiable records is itself processing, and we carry it out under the bases below.

Lawful basis (for any identifiable processing): Article 6(1)(f). For health data: Article 9(2)(j) (research) with appropriate safeguards, or your explicit consent under Article 9(2)(a).

6. Who we share your information with

We only share your information where we have a lawful basis to do so. We never sell your personal information.

6.1 Canvera Pharmacy

If your clinician prescribes medication, we share the information necessary to dispense that prescription with Canvera Pharmacy (a separately GPhC-registered entity within our group). You have the right to have your prescription fulfilled by any registered pharmacy of your choice — if you exercise this right, we will share the prescription with the pharmacy you nominate instead.

6.2 Your GP and other clinicians

With your explicit consent, we will share relevant information with your NHS GP or other treating clinicians. We consider it good clinical practice for your GP to be informed of treatment decisions and we will strongly encourage this, but you remain in control of whether we share.

6.3 Our group companies

We share limited information with our German parent company and other group companies for legitimate group purposes, such as group-level clinical governance, IT and security infrastructure, and financial consolidation. Personal health data is shared only where strictly necessary and is protected by intra-group data processing and data transfer agreements.

6.4 Service providers (processors)

We use trusted third-party service providers to help us deliver our services. They process your data on our instructions and under written contracts that meet the requirements of Article 28 UK GDPR. Categories include:

  • Cloud hosting and infrastructure providers
  • Secure video consultation platform
  • Electronic patient records and practice management systems
  • Identity verification providers
  • Payment processors
  • Secure messaging and email providers
  • Analytics and website performance providers

A current list of our key processors is available on request from our DPO.

We also share information, where relevant, with our professional advisers (lawyers, accountants, auditors and insurers). They are not our processors: each acts as an independent controller and is bound by its own professional and legal duties of confidentiality. Sharing with regulators and public authorities is described in section 6.5.

6.5 Regulators and public authorities

We may be required to share information with regulators and public bodies, including the CQC (once registered), the GMC, the GPhC, the MHRA, the Information Commissioner's Office (ICO), HMRC, the police, the courts, and safeguarding authorities. We only share what we are required or permitted by law to share.

6.6 In connection with a business transaction

If the business is sold, reorganised, or merged, personal information may be transferred as part of that transaction. We will tell you in advance where this is practical and required.

7. International transfers

Some of your personal information is transferred outside the United Kingdom, primarily to our parent company and group services in Germany, and to service providers based in the European Economic Area (EEA) and occasionally elsewhere.

Transfers from the UK to the EEA are covered by the UK's adequacy regulations, which recognise that EEA countries (including Germany) provide an essentially equivalent level of data protection. No additional safeguards are required for those transfers.

For any transfers outside the UK and EEA, we use the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, together with a transfer risk assessment where required, to ensure your information continues to be protected.

You can ask us for a copy of the safeguards that apply to any particular transfer by contacting our DPO.

8. How long we keep your information

We keep your information for as long as we need it for the purposes set out in this policy, and then for as long as we are required to keep it by law or regulation.

Health records are subject to specific retention periods set out in the NHS Records Management Code of Practice. Our default retention periods include:

  • Adult health records: 8 years after the date of the last entry.
  • Mental health records: 20 years after the date of the last entry, or 8 years after death.
  • Controlled drug records: as required by the Misuse of Drugs Regulations 2001 (minimum 2 years, in practice longer).
  • Financial records: 6 years plus the current financial year (HMRC requirement).
  • Complaints records: 10 years from conclusion of the complaint.
  • Website and marketing data: up to 2 years from last interaction, unless a shorter period applies under our Cookie Policy.

Longer retention periods may apply where we are required to hold information for legal, regulatory or insurance reasons.

9. Your rights

Under UK GDPR and, where applicable, EU GDPR, you have the following rights in relation to your personal information:

  • Right to be informed — this policy and our other notices explain how we use your information.
  • Right of access — you can ask for a copy of the personal information we hold about you (a "subject access request").
  • Right to rectification — you can ask us to correct inaccurate information.
  • Right to erasure — you can ask us to delete your information in certain circumstances. This right is limited for health records, which we are required to retain.
  • Right to restrict processing — you can ask us to limit how we use your information in certain circumstances.
  • Right to data portability — you can ask for your information in a structured, commonly-used format where we process it on the basis of consent or contract.
  • Right to object — you can object to processing based on legitimate interests or to direct marketing.
  • Rights relating to automated decision-making — we do not make decisions about your care by automated means alone.
  • Right to withdraw consent — where we rely on your consent, you can withdraw it at any time.

To exercise any of these rights, contact our DPO at the address in section 2.3. We will respond within one month of receiving your request. Where a request is complex, or you have made several requests, we may extend that period by up to two further months; if so, we will tell you within the first month and explain why. We may ask you to verify your identity before we act on a request, and we will not release health records until we are satisfied that the person asking is entitled to them.

There is no fee for exercising these rights, except where a request is manifestly unfounded or excessive.

10. Security

We take the security of your information seriously. Our technical and organisational measures include encryption in transit and at rest, strict access controls, multi-factor authentication for staff, audit logging, regular security testing, staff training, and written confidentiality obligations for everyone who handles patient information.

We hold [CYBER ESSENTIALS / CYBER ESSENTIALS PLUS / ISO 27001 — DELETE AS APPROPRIATE] certification and follow the NHS Data Security and Protection Toolkit where applicable.

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, explaining what happened, the likely consequences and what we are doing about it. We keep an internal record of every personal data breach, including those we are not required to report.

11. Cookies

Our website uses cookies and similar technologies. Please see our separate Cookie Policy for details.

12. Children

Our services are not directed at children under 18. We do not knowingly collect information from anyone under 18 except where they are referred for clinical reasons with appropriate parental or guardian involvement. If you believe we have collected information from a child inappropriately, please contact our DPO immediately.

13. Changes to this policy

We may update this policy from time to time. The version on our website is always the current one, with the effective date shown at the top. Where changes are material, we will tell you directly — for example, by email or through the patient portal.

14. How to complain

If you are concerned about how we handle your personal information, please contact our DPO first. We take data protection complaints seriously and will investigate promptly.

You also have the right to complain to the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Contacting the ICO does not affect any other legal rights you may have.

End of Privacy Policy.