Privacy Notice  |  Suvera Ltd

About us

We are Suvera Ltd and we are located at Suvera Ltd, 30 Moorgate, London EC2R 6DA.
We are registered Companies House under number 12237910 and with the ICO under number ZA567382
If you need to contact us about your data, you can email us at privacy@suvera.co.uk

What we do

Suvera Ltd operates an Online Clinic with health professionals that remotely manage patients with long-term conditions, such as hypertension, diabetes, asthma, COPD, depression and anxiety.

Privacy and information governance are essential to the provision of trusted technology services, particularly in healthcare. At Suvera, we put this at the heart of what we do, not just because of our legal obligations, but because we, our friends and our families are all patients too. We all want to experience high quality healthcare whilst being in control of our data and how it is used.

Our role

Typically, we act as a processor on behalf of your GP. This will be when your GP surgery has invited you to use our service, rather than you signing up of your own accord and asking us to share data for you with your GP. When we are a processor of your data, then all data is processed in line with your GP practice’s privacy notice and you should contact them for any queries.

This privacy notice applies to the data that we process when we are a controller of personal data. That will usually be the data of potential and existing employees, suppliers, direct patients, website users and then technical data when you use Suvera. Being a controller means that we are trusted to look after and deal with your personal information in accordance with this notice. We determine the ways and means of processing your data and must therefore, be accountable for it.

Your rights

  • Your right of access - you have the right to ask us for copies of your personal information.
  • Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing - you have the right to ask us to restrict the processing of your information in certain circumstances.
  • Your right to object to processing - you have the right to object to our processing your information if the legal basis is legitimate interests, or where we are relying on Article 9 2 (h) (Provision of direct health care and a healthcare service).
  • Your right to data portability - this only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under a contract, or in talks about entering into one, and the processing is automated.

If you want to exercise any of these rights, please just contact us on privacy@suvera.co.uk, We work in partnership with your GP practice; we will liaise with them to ensure we are fully meeting your data subject rights.

You also have the right to lodge a complaint about our processing with a supervisory authority — in the UK that is the ICO whose details are here: https://ico.org.uk/make-a-complaint/.

How we process your data

The best way to understand how we process your data is to click on the role that best describes you.

Please be aware that we cannot provide any of our services without processing personal identifiable data.

If you do not want to share your information with us, we regret that Suvera won’t be able to offer a service to you. 

We ask all our GP partners to make their patients aware of this before they make a referral.

I have signed up on your website to register an interest in your service

Data that we process
If you have registered your details on our website then the only data we process is the data you gave us (your name, GP practice and email address). We use this data so we can:

a) Let you know when Suvera becomes available for general release.
b) We use the GP practice name so we can tell the practice the aggregated number of their patients potentially interested in using the service.

Lawful basis for processing
We rely on legitimate interest to process this data, based mainly on the fact that you showed an interest in our service so we do not think this processing outweighs your rights and freedoms.

Retention period
We hold your data only until such time as we have told you that Suvera is available with your GP. We have no reason to keep it any longer for this purpose, and we hope that you then continue to use our products and services via your GP.

I am a patient invited to use the Online Clinic

Data that we processOur Online Clinic services operate only on the instructions of your GP. This means that we are a processor, and your GP has told us how to collect, use, and store your information. 

When you use Suvera’s online portal, we process usage data, such as when you open and close our software, what product features you use and what device you are using. This allows us to improve our software by better understanding your workflows, to provide you with usage data, to monitor the functioning of our software and to prevent fraud, cyberattacks and other dishonest behaviour.

Lawful basis for processing
As a patient of the Online Clinic, you are receiving healthcare from Suvera, on behalf of your GP. The legal basis is Article 9 2 (h) (Provision of direct health care and a healthcare service).

We collect usage data, we ask for your consent via the cookie banner.

Retention period
Your data is retained for the length of our contract with your GP and then for 8 years afterwards for audit and investigation purposes.

Anonymised data is not considered personal data so will not be deleted.

I am a Customer or work at a GP practice using Suvera

Data that we processIf you have entered into a contract with us to provide services to your patients, or you are using Suvera Planner,  then the only personal information we will hold are your contact details, name of the practice and PCN where you work, and your signature if it was you that signed the contract with us. We will also have a correspondence between us, but this is unlikely to contain personal data; only commercial. We also use your email address to keep you up to date with any news about Suvera that we think is relevant. We also use your data to help improve the service. You can opt out of these emails at any time.

Lawful basis for processingOur lawful basis for processing this data is the fulfilment of a contract with you and legitimate interest for using the data for marketing emails. You can opt out of marketing emails at any time. We collect usage data, we ask for your consent via the cookie banner.

Retention periodWe retain your data for the length of our contact and then 8 years in case of any legal disputes (which we hope there aren’t any!)

I work at a Health Care Organisation not currently using Suvera

Data that we processIf you are working at a Health Care Organisation that has not signed a contract with us, but we believe may be interested in our services then we will likely hold your contact details with a view to introducing our services to you. We would have gathered this information from external sources such as NHS websites and Wilmington Healthcare. We will abide by our obligations of the GDPR to inform you that we have this data, ideally within 30 days of receiving it, and let you know why we will be processing the data and to give you the chance to opt out of communications with us.

Lawful basis for processingOur lawful basis for processing is legitimate interest (we believe that you will be interested in our service and we need to be able to communicate with GPs to grow our business). When we email, we do so under the ICO guidance on direct marketing and PECR regulations; where we are able to send relevant marketing emails to businesses as long as we give you the chance to opt out at any time. A link to unsubscribe will be available in every email we send.

Retention periodWe retain this data for these purposes until you unsubscribe (in which case we will move you to a suppression list so we don’t accidentally contact you again), or if you have not expressed an interest in our product after an interaction between us.

I have applied for a job with you

Data that we processAs a potential employee we hold the following data on you:
Contact details, CV, email correspondence with you, pictures, videos and information from Facebook and LinkedIn-accounts, answers to questions asked through the recruiting, title, education and other information the User or others have provided through the Service. If you are successful in gaining employment with us then you will fall under the employee privacy notice going forward which will be provided to you when you sign a contract with us. We also carry out pre-employment checks, as legally obligated to do so by HMRC and various visa requirement bodies.

Lawful basis for processing
Our lawful basis for processing your data is a combination of contract, legitimate interest and consent.. When you applied for a job it was with a view to entering into an employment contract with us. If we decide not to go forward with your application then we use legitimate interest to retain the data should the chosen candidate not work out or another role become immediately available. We use consent if we want to keep your contact details for longer than our usual retention period.

Retention period
For unsuccessful candidates we will keep your data on our database for a year after your application. This is in case another more suitable role opens up, or in case the position becomes re-available. If we want to keep the data longer than this then we will ask for your consent. In exceptional circumstances, we would rely on legitimate interest to keep minimum identifiable data. This is in line with our safeguarding obligations.

I have agreed to join your feedback program

Data that we process
IIf you have agreed to provide us with feedback then Suvera will process your name, your phone number, and the feedback you give us.

Lawful basis for processing
We rely on your consent to process this data, based mainly on the fact that you showed an interest in providing feedback. Because you may give us health information, we ask for your explicit consent to process special category data at the start of each feedback session.

Retention period
If you wish us to share your feedback with your GP then we can do, but we do not do this routinely.

Data Sharing and transfers
Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have data processing agreements in place with these providers. Where data is transferred outside of the UK or the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses or the UK’s International Data Transfer Agreement. If data is transferred from the UK to the EEA then it is done so on the basis of those countries having a comparable data protection regime to the UK (adequacy).

We do not sell your data to anybody.
If you wish us to share your feedback with your GP then we can do, but we do not do this routinely.

I am a supplier of yours

Data that we processAs a supplier, we hold the contact and payment details required to carry out our contract with you and data to manage our relationship with you. This data would have been sourced from you directly, although your contact details may have been sourced from a recommendation or another source, with the intention of entering into a contact with you.

Lawful basis for processing
Our lawful basis for processing your data is contract; all data is used to enable us to fulfil our contract with you, including paying you and managing our relationship with you.

Retention period
We hold your data for the length of time you are a supplier to us and for 8 years afterward in case of any disputes and for accounting purposes.

Data sharing and transfers
We may share your contact details if someone asks us for a recommendation. We will always contact you before we do this unless it is your company name and switchboard phone number that we share.

I am just visiting your website (Cookie Policy)

We ask for your consent before we drop any third party or unnecessary cookies. For strictly necessary cookies, we rely on legitimate interest as we need these for our website to work.

“Cookies” are small text files placed on your device (e.g. computer, phone or tablet) when viewing certain pages in our software. Cookies allow us to keep track of some of your browsing preferences and optimise our software for your personal use. Cookies also allow us to automatically track certain information about how you navigate through, and interact with, our software, which helps us to measure its performance and to improve its design and functionality.

For more information on cookies, please visit www.allaboutcookies.org

We use the following cookies:
Strictly necessary cookies. These are cookies that are required for the operation of our software. They include, for example, cookies that enable you to log into your account.

Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our software when they are using it. This helps us to improve the way our services work, for example, by ensuring that users are finding what they are looking for easily.

Functionality cookies. These are used to recognise you when you return to our software. This enables us to personalise our content for you and remember your preferences (for example, so we can remember the state of your questionnaire if you reload the page while filling it in).

Targeting cookies. These cookies record your visit to our software, the pages you have visited and the links you have followed. We will use this information to make our software and the advertising displayed on it more relevant to your interests.

To see what cookies we use, click here

Call Recordings

When you contact Suvera by phone or if Suvera contacts you by phone, we will record your call to maintain comprehensive records of incoming and outgoing communications. Our telephony system or a member of our team will notify you of this before the call begins.
team member
If you are a patient, we record our calls as part of your medical records, and the legal basis is 9 2(h).  This practice also serves multiple purposes, including training, monitoring, auditing, feedback, safeguarding staff from nuisance or abusive calls, and investigating incidents, complaints, or disciplinary matters. All call recordings are treated as confidential and used solely for the stated purposes. 

Your call recording data is retained for 8 years after the date of the call for audit and investigation purposes. Your GP will retain records of your care for longer, in line with their Retention Schedule. Anonymised data is not considered personal data so will not be deleted.

Security measures

We have in place a number of technical and operational security measures to keep your data safe.

  • All of our employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects.
  • Our offices have physical security in place,
  • All data is password protected, access controlled by two-factor authentication, backed up securely and encrypted when appropriate.
  • Data privacy by design and default is an integral part of our development processes.
  • We have a range of internal agreements and policies in place for information governance, network security, information handling, remote working, business continuity, confidential information, incident reporting, access control and staff confidentiality. We review these policies at least annually and will update them if a product or business change necessitates.

Business changes

What happens if our business changes hands?What happens if our business changes hands?We may, from time to time, expand or reduce your business and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part and the new owner or newly controlling party will, depending on the lawful basis, be permitted to use that data only for the same purposes for which it was originally collected by us.

In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.

Changes to our privacy notice

We may change this privacy notice from time to time (for example, if the law changes). We recommend that you check this page regularly to keep up-to-date.

If we make any material changes to the manner in which we process and use your personal data, we will contact you to let you know about the change.

Data sharing and transfers

Like most companies, we use a number of other companies as part of our data processing, for example cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the UK or the EEA, we ensure that appropriate protection and mechanisms are in place, for example Standard Contractual Clauses or the UK’s International Data Transfer Agreement. If data is transferred from the UK to the EEA then it is done so on the basis of those countries having a comparable data protection regime to the UK (adequacy).

We do not sell your data to anybody.