Evernu Ltd ("Evernu", "we", "us") is a virtual health clinic registered in Northern Ireland, providing remote weight management services to adults aged 18 and over. We are regulated by the Regulation and Quality Improvement Authority (RQIA).
When you use our service, Evernu Ltd acts as the data controller — meaning we are responsible for deciding how and why your personal data is processed.
| Detail | Information |
|---|---|
| Data Controller | Evernu Ltd |
| Registered Address | 1 Skeoge Industrial Estate, Londonderry, BT48 8SE |
| Company Number | NI729459 |
| Data Protection Officer | Joseph Smyth |
| Contact | privacy@evernu.co.uk |
| ICO Registration Reference | ZC081786 |
We collect only the data that is necessary to provide you with a safe, effective weight management service.
Your full name, date of birth, home address, email address and telephone number — used to create and manage your account and to communicate with you about your care.
A government-issued photo ID (such as a passport or driving licence) and a live selfie, processed through our identity verification partner Didit. This is used to confirm your identity, prevent duplicate registrations, and protect against fraud.
Your medical history, current medications, allergies, family history, weight, BMI, and any symptoms or side effects you report through the patient app. This is the core clinical data our prescribing clinician uses to assess your suitability for treatment and to monitor your progress safely.
A photograph submitted by you in close-fitting clothing to allow our clinician to verify your BMI. This photograph is reviewed by a clinician and assessed by our AI-detection partner (Hive) to confirm it is authentic.
Payment card details collected at the point of purchase, processed directly and securely by our payment provider Trust Payments. We do not store your full card details.
Messages sent through the patient app, email correspondence, and any contact made through our customer support platform.
A record of the consents you have given us — including consent to treatment, to identity verification, and to GP notification — with timestamps. These are retained as part of your clinical record.
Under the UK GDPR, we must have a valid lawful basis before processing your personal data. We rely on the following:
| Processing Activity | Lawful Basis |
|---|---|
| Registering you as a patient and assessing your eligibility | Performance of contract — necessary to provide the service you have requested |
| Clinical prescribing, monitoring and record-keeping | Performance of contract; and legal obligation (clinical records requirements) |
| Compliance with regulatory obligations (RQIA, GMC, ICO) | Legal obligation |
| Clinical governance, audit and quality improvement | Legitimate interests — maintaining safe, effective clinical governance |
| Marketing communications (where you have opted in) | Consent — you may withdraw this at any time |
| Website analytics and anonymised session recording to identify and resolve technical issues | Legitimate interests — ensuring the platform functions correctly and patients can access their treatment without disruption |
Your health and clinical data is special category data under Article 9 of the UK GDPR, which means it is afforded enhanced legal protection. Biometric data processed for identity verification (facial recognition) is also special category data.
In addition to our lawful basis under Article 6, we rely on the following conditions under Article 9 to process your health data:
We collect your personal data through the following channels:
All data collection is clearly explained at the point it is collected, and you will be asked for your consent where this is required.
We take the security of your personal and health data very seriously. Your data is held within our purpose-built Clinical Management System (CMS), hosted on Google Cloud Platform. The following security measures are in place:
We share your personal data with the following trusted third-party processors, each of whom is engaged under a written Data Processing Agreement and is required to handle your data securely and in accordance with UK GDPR:
| Processor | Purpose | Data Shared |
|---|---|---|
| Didit didit.me | Identity verification — government ID and facial recognition | Name, date of birth, ID document data, facial biometric |
| Hive thehive.ai | AI-generation detection for BMI photographs | BMI verification photograph |
| Partner pharmacies (e.g. Primed Pharmacy) | Dispensing and delivering your prescribed medication | Name, address, prescription details |
| Trust Payments | Secure payment processing | Payment card data (not stored by Evernu Ltd) |
| Mailjet | Transactional and service emails | Name, email address |
| Chatwoot | Customer support communications | Name, email, support message content |
| Google Cloud Platform | Secure hosting of our Clinical Management System | All data held within our CMS |
| PostHog posthog.com | Website analytics and session recording to identify and resolve technical issues that may affect your care journey | Pseudonymous user identifier, pages visited, clicks and interactions, treatment and medication information displayed on screen. Personal identifiers (name, email, address, date of birth, phone number) are masked in recordings and are not transmitted to PostHog. Data is stored on EU servers. |
We do not share your data with any other third party without your explicit consent, except where we are legally required to do so — for example, in response to a court order or a lawful request from a regulatory authority.
We retain your personal data only for as long as necessary. The key retention periods are:
| Data Type | Retention Period |
|---|---|
| Clinical and health records | Minimum 8 years from your last contact with us — in line with NHS Records Management standards and our regulatory obligations |
| Prescription records | Minimum 8 years |
| Consent records | Minimum 8 years from last contact |
| Complaints records | 8 years from resolution |
| Payment records | 6 years (HMRC requirements) |
| General correspondence | 2 years, unless forming part of a clinical or complaints record |
When your data reaches the end of its retention period it is securely deleted or anonymised. You may request early deletion of certain data — see Section 9 for your rights, and note that clinical records may need to be retained to comply with our legal and regulatory obligations even if you request erasure.
Under the UK GDPR you have the following rights in relation to your personal data. To exercise any of these rights, contact our Data Protection Officer at privacy@evernu.co.uk. We will respond within one calendar month.
Request a copy of all personal data we hold about you (a Subject Access Request).
Ask us to correct inaccurate data or complete incomplete data.
Ask us to delete your data where it is no longer necessary — subject to our legal and clinical retention obligations.
Ask us to limit how we use your data in certain circumstances.
Receive your data in a structured, machine-readable format and transfer it to another provider.
Object to processing based on legitimate interests, or withdraw consent for marketing at any time.
You have the right to request a copy of all personal data we hold about you. To make a Subject Access Request (SAR):
As part of safe prescribing practice, we ask for your consent during registration to notify your NHS GP that you have commenced weight management medication. This is particularly important for GLP-1 receptor agonist medications such as Mounjaro and Wegovy, where GP awareness supports safe shared care and reduces the risk of medication interactions.
If you decline GP notification, we will present you with information about the clinical importance of GP awareness and ask you to reconsider. Where you continue to decline, your decision will be documented in your patient record.
Our website uses cookies to ensure it functions correctly and to improve your experience. A separate Cookie Policy is available on our website. You can manage your cookie preferences at any time through your browser settings or our cookie consent tool.
We use PostHog to record anonymised session replays of how users interact with our website. This helps us identify and fix technical issues that could affect your ability to access treatment. These recordings capture your clicks, page navigation, and on-screen content — but your name, email address, home address, date of birth and phone number are automatically masked before the recording is transmitted. Recordings are stored on PostHog's EU servers and are retained for up to 90 days. A pseudonymous user identifier is used to link sessions for debugging purposes only; this identifier cannot be used to identify you without access to our internal systems.
We review this Privacy Notice at least annually and update it when our processing activities change or when required by changes in data protection law or ICO guidance. The effective date at the top of this page reflects when the current version came into force.
Where we make significant changes that affect how we use your data, we will notify you by email before the changes take effect.
If you have any questions about this Privacy Notice or about how we handle your data, please contact our Data Protection Officer:
Evernu Ltd, 1 Skeoge Industrial Estate, Londonderry, BT48 8SE
Email: privacy@evernu.co.uk
Tel: 07424 959159