Privacy Notice

Evernu Ltd  ·  Effective Date: 2 April 2026  ·  Version 1.1

Section 1

Who We Are

Evernu Ltd ("Evernu", "we", "us") is a virtual health clinic registered in Northern Ireland, providing remote weight management services to adults aged 18 and over. We are regulated by the Regulation and Quality Improvement Authority (RQIA).

When you use our service, Evernu Ltd acts as the data controller — meaning we are responsible for deciding how and why your personal data is processed.

DetailInformation
Data ControllerEvernu Ltd
Registered Address1 Skeoge Industrial Estate, Londonderry, BT48 8SE
Company NumberNI729459
Data Protection OfficerJoseph Smyth
Contactprivacy@evernu.co.uk
ICO Registration ReferenceZC081786
Section 2

What Data We Collect and Why

We collect only the data that is necessary to provide you with a safe, effective weight management service.

Identity and contact data

Your full name, date of birth, home address, email address and telephone number — used to create and manage your account and to communicate with you about your care.

Identity verification data

A government-issued photo ID (such as a passport or driving licence) and a live selfie, processed through our identity verification partner Didit. This is used to confirm your identity, prevent duplicate registrations, and protect against fraud.

Health and clinical data

Your medical history, current medications, allergies, family history, weight, BMI, and any symptoms or side effects you report through the patient app. This is the core clinical data our prescribing clinician uses to assess your suitability for treatment and to monitor your progress safely.

BMI verification photograph

A photograph submitted by you in close-fitting clothing to allow our clinician to verify your BMI. This photograph is reviewed by a clinician and assessed by our AI-detection partner (Hive) to confirm it is authentic.

Payment data

Payment card details collected at the point of purchase, processed directly and securely by our payment provider Trust Payments. We do not store your full card details.

Communications data

Messages sent through the patient app, email correspondence, and any contact made through our customer support platform.

Consent records

A record of the consents you have given us — including consent to treatment, to identity verification, and to GP notification — with timestamps. These are retained as part of your clinical record.

Section 3

Our Lawful Basis for Processing

Under the UK GDPR, we must have a valid lawful basis before processing your personal data. We rely on the following:

Processing ActivityLawful Basis
Registering you as a patient and assessing your eligibilityPerformance of contract — necessary to provide the service you have requested
Clinical prescribing, monitoring and record-keepingPerformance of contract; and legal obligation (clinical records requirements)
Compliance with regulatory obligations (RQIA, GMC, ICO)Legal obligation
Clinical governance, audit and quality improvementLegitimate interests — maintaining safe, effective clinical governance
Marketing communications (where you have opted in)Consent — you may withdraw this at any time
Website analytics and anonymised session recording to identify and resolve technical issuesLegitimate interests — ensuring the platform functions correctly and patients can access their treatment without disruption
Section 4

Special Category Health Data

Your health and clinical data is special category data under Article 9 of the UK GDPR, which means it is afforded enhanced legal protection. Biometric data processed for identity verification (facial recognition) is also special category data.

In addition to our lawful basis under Article 6, we rely on the following conditions under Article 9 to process your health data:

  • Health care provision (Article 9(2)(h)) — processing necessary for the provision of health care and treatment, carried out by a clinician subject to professional confidentiality obligations.
  • Explicit consent (Article 9(2)(a)) — for biometric identity verification and, where applicable, GP notification.
Your health data is never sold We do not sell, rent or trade your personal or health data to any third party for commercial purposes. Your data is shared only within the secure clinical ecosystem described in Section 7.
Section 5

How We Collect Your Data

We collect your personal data through the following channels:

  • The online eligibility questionnaire you complete at registration
  • The Didit identity verification process (government ID upload and live selfie)
  • Your BMI verification photograph submitted through the platform
  • Ongoing symptom and monitoring reports submitted through the patient app
  • Email and customer support communications
  • Payment information at the point of transaction

All data collection is clearly explained at the point it is collected, and you will be asked for your consent where this is required.

Section 6

How We Store and Protect Your Data

We take the security of your personal and health data very seriously. Your data is held within our purpose-built Clinical Management System (CMS), hosted on Google Cloud Platform. The following security measures are in place:

  • Encryption — all data is encrypted at rest and in transit using industry-standard protocols
  • Role-based access controls — staff can only access the data required for their specific role; your clinical data is accessible to clinical staff only
  • Multi-factor authentication (MFA) — required for all staff logins to the CMS
  • Full audit trail — every access, amendment or deletion of your record is logged and can be reviewed
  • UK-based data hosting — your data is stored on UK servers within Google Cloud Platform
Data breach notification In the event of a personal data breach that is likely to affect your rights, we will notify the Information Commissioner's Office (ICO) within 72 hours and will contact you directly without undue delay.
Section 7

Third-Party Data Processors

We share your personal data with the following trusted third-party processors, each of whom is engaged under a written Data Processing Agreement and is required to handle your data securely and in accordance with UK GDPR:

ProcessorPurposeData Shared
Didit
didit.me
Identity verification — government ID and facial recognitionName, date of birth, ID document data, facial biometric
Hive
thehive.ai
AI-generation detection for BMI photographsBMI verification photograph
Partner pharmacies
(e.g. Primed Pharmacy)
Dispensing and delivering your prescribed medicationName, address, prescription details
Trust PaymentsSecure payment processingPayment card data (not stored by Evernu Ltd)
MailjetTransactional and service emailsName, email address
ChatwootCustomer support communicationsName, email, support message content
Google Cloud PlatformSecure hosting of our Clinical Management SystemAll data held within our CMS
PostHog
posthog.com
Website analytics and session recording to identify and resolve technical issues that may affect your care journeyPseudonymous user identifier, pages visited, clicks and interactions, treatment and medication information displayed on screen. Personal identifiers (name, email, address, date of birth, phone number) are masked in recordings and are not transmitted to PostHog. Data is stored on EU servers.

We do not share your data with any other third party without your explicit consent, except where we are legally required to do so — for example, in response to a court order or a lawful request from a regulatory authority.

Section 8

How Long We Keep Your Data

We retain your personal data only for as long as necessary. The key retention periods are:

Data TypeRetention Period
Clinical and health recordsMinimum 8 years from your last contact with us — in line with NHS Records Management standards and our regulatory obligations
Prescription recordsMinimum 8 years
Consent recordsMinimum 8 years from last contact
Complaints records8 years from resolution
Payment records6 years (HMRC requirements)
General correspondence2 years, unless forming part of a clinical or complaints record

When your data reaches the end of its retention period it is securely deleted or anonymised. You may request early deletion of certain data — see Section 9 for your rights, and note that clinical records may need to be retained to comply with our legal and regulatory obligations even if you request erasure.

Section 9

Your Rights

Under the UK GDPR you have the following rights in relation to your personal data. To exercise any of these rights, contact our Data Protection Officer at privacy@evernu.co.uk. We will respond within one calendar month.

Right of Access

Request a copy of all personal data we hold about you (a Subject Access Request).

Right to Rectification

Ask us to correct inaccurate data or complete incomplete data.

Right to Erasure

Ask us to delete your data where it is no longer necessary — subject to our legal and clinical retention obligations.

Right to Restrict Processing

Ask us to limit how we use your data in certain circumstances.

Right to Data Portability

Receive your data in a structured, machine-readable format and transfer it to another provider.

Right to Object

Object to processing based on legitimate interests, or withdraw consent for marketing at any time.

Right to complain to the ICO If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113. We would always welcome the opportunity to resolve your concern directly first — please contact us at privacy@evernu.co.uk.
Section 10

Subject Access Requests

You have the right to request a copy of all personal data we hold about you. To make a Subject Access Request (SAR):

  • Email privacy@evernu.co.uk with the subject line "Subject Access Request"
  • We will verify your identity before releasing any data
  • We will respond within one calendar month of receiving your request
  • There is no charge for a SAR unless your request is manifestly unfounded or excessive
Section 11

GP Notification

As part of safe prescribing practice, we ask for your consent during registration to notify your NHS GP that you have commenced weight management medication. This is particularly important for GLP-1 receptor agonist medications such as Mounjaro and Wegovy, where GP awareness supports safe shared care and reduces the risk of medication interactions.

If you decline GP notification, we will present you with information about the clinical importance of GP awareness and ask you to reconsider. Where you continue to decline, your decision will be documented in your patient record.

Section 12

Cookies

Our website uses cookies to ensure it functions correctly and to improve your experience. A separate Cookie Policy is available on our website. You can manage your cookie preferences at any time through your browser settings or our cookie consent tool.

Session recording

We use PostHog to record anonymised session replays of how users interact with our website. This helps us identify and fix technical issues that could affect your ability to access treatment. These recordings capture your clicks, page navigation, and on-screen content — but your name, email address, home address, date of birth and phone number are automatically masked before the recording is transmitted. Recordings are stored on PostHog's EU servers and are retained for up to 90 days. A pseudonymous user identifier is used to link sessions for debugging purposes only; this identifier cannot be used to identify you without access to our internal systems.

Section 13

Changes to This Notice

We review this Privacy Notice at least annually and update it when our processing activities change or when required by changes in data protection law or ICO guidance. The effective date at the top of this page reflects when the current version came into force.

Where we make significant changes that affect how we use your data, we will notify you by email before the changes take effect.

Section 14

How to Contact Us

If you have any questions about this Privacy Notice or about how we handle your data, please contact our Data Protection Officer:

Data Protection Officer — Joseph Smyth

Evernu Ltd, 1 Skeoge Industrial Estate, Londonderry, BT48 8SE

Email: privacy@evernu.co.uk

Tel: 07424 959159

Information Commissioner's Office (ICO) If you are not satisfied with our response, you may contact the ICO at ico.org.uk or by calling 0303 123 1113. Evernu Ltd's ICO registration reference is ZC081786.

Cart