
Privacy Policy

Who We Are

 

Hesta Health Limited (“we”, “us”, “our”) is committed to protecting your personal information. This privacy notice explains what personal data we collect about you, why we process it, how we use it, and the measures we take to ensure compliance with applicable laws.

 

We are registered with the Information Commissioner’s Office (ICO) as a data controller (registration number: ZB905449).

 

What Data We Collect

 

We collect your personal data primarily when you:

  • Register for our services or create an account

  • Book appointments or consultations

  • Undergo health assessments

  • Visit our website or use our mobile application

  • Participate in research programs or beta testing

  • Receive a gift purchase of our Services from another person

 

We collect and use the following categories of personal data: 

 

Communication Data

  • Contact details including email address, telephone number, country and region, marketing preferences, and communications with our support team, clinical team, or healthcare professionals through our Application, Ask Hesta or other messaging feature.

Health Data

  • Information about your pregnancy, postpartum health, medical history, current conditions, medications, health assessments, postnatal recovery, symptoms, feeding, physical and mental wellbeing, and any health-related information you provide through our web application, Ask Hesta or any other messaging feature.

Ask Hesta and Messaging Data

  • Questions, messages, responses, guidance, signposting, escalation notes, dates and times of messages, message status information, and related records created when you use Ask Hesta or any messaging feature. This may include information about your baby where it is relevant to your question or the support you ask us to provide.

Identity Data

  • Name, date of birth, and other identifying information.

Gift Purchase Data

  • Where another person purchases our Services as a gift for you, we may receive your name and email address from the gift purchaser solely for the purpose of delivering your gift notification. We do not receive any health, clinical, or other special category data about you from the gift purchaser. All health and clinical data is collected directly from you when you register and activate the Services.

Lifestyle Data

  • Information about your behavior, lifestyle choices, and circumstances relevant to your postnatal health.

Technical Data

  • Data about your use of our platform, device information, IP addresses, cookies, and website analytics.

​

How We Use Your Data

​

We use your personal data to:

  • Decide which care is most appropriate for you, and how we can best help you

  • Provide postnatal healthcare services, including the provision of clinical services, clinically-led messaging services, management of appointments and consultations and maintenance of medical records

  • Decide whether your question can be answered through Hesta, or whether we should signpost you to your GP, NHS services, emergency services, a specialist provider, or another appropriate source of care

  • Support clinical safety, continuity of care, and appropriate record-keeping for our services

  • Where another person has purchased our Services as a gift for you, use the name and email address provided by that person to send you a gift notification containing your Gift Code

  • Use anonymised and de-identified data derived from our Services for the purposes of research, service improvement, and the development and training of analytical and AI tools. Data used for these purposes is anonymised in accordance with ICO guidance and does not constitute personal data

  • Develop and improve our healthcare services

  • Test and enhance our digital platforms

  • Conduct research to advance postnatal care

  • Contact you to offer you opportunities to participate in user research or beta testing, if you have opted in for such contact

  • Decide which research streams are most suitable for you

  • Provide you with marketing information about our services

  • Send you updates and information about our services if you've opted in

  • If you have expressed interest in doing so, match you with and communicate with you about opportunities to work with us

 

Lawful Basis for Processing

 

We process your personal data on the following legal bases depending on the nature of the processing and the data involved:

  • Contract performance (Article 6(1)(b) UK GDPR): We process your personal data where it is necessary to provide the Services you have purchased or activated, including managing your account, delivering health checks, processing appointments, providing Ask Hesta responses, and fulfilling our obligations under our Terms of Service.

  • Legal obligation (Article 6(1)(c) UK GDPR): We process your personal data where we are required to do so by law, including for clinical record-keeping, regulatory compliance, safeguarding obligations, and responding to lawful requests from regulators such as the Care Quality Commission.

  • Legitimate interests (Article 6(1)(f) UK GDPR): We process certain data where we have a legitimate interest in doing so and that interest is not overridden by your rights. This includes improving and developing our Services, ensuring platform security, and, where you have received a Gift Purchase, processing the name and email address provided by the gift purchaser to send you a gift notification. We have assessed that processing an email address for this purpose is proportionate and does not materially affect your rights or interests.

  • Consent (Article 6(1)(a) UK GDPR): Where we rely on consent, including for marketing communications, participation in research, and beta testing, we will ask for your consent separately and clearly. You may withdraw consent at any time without affecting the lawfulness of processing carried out before withdrawal or the provision of clinical Services to you.

​

Processing of special category health data

​

Your health data is special category personal data under Article 9 UK GDPR. We process it on the following additional bases:

  • Provision of health or social care (Article 9(2)(h) UK GDPR and Schedule 1, paragraph 2 Data Protection Act 2018): The primary basis for processing your health data is that it is necessary for the purposes of providing preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems.

  • Explicit consent (Article 9(2)(a) UK GDPR): Where we ask for your explicit consent to process health data for purposes beyond direct care delivery, such as research or service improvement, we will seek that consent separately.

  • We do not receive any special category health data about you from a gift purchaser. All health data is collected directly from you.

 

Marketing

 

We will only send you marketing communications if you have opted in. You can withdraw your consent at any time by clicking “unsubscribe” in our emails or contacting us.

 

Storing and Sharing Your Data

 

We do not sell your data. We may share your data with:

  • Other healthcare providers (with your explicit consent where required) to facilitate referrals, clinical review and escalations, signposting, coordinated care and information transfers

  • Service providers who help us operate our website and services (e.g., hosting, email delivery, payment processors, messaging service providers, customer support tools, clinical operations systems and marketing communications providers). All suppliers are contractually bound to protect your data and cannot use it for their own purposes.

  • Gift purchasers, solely to confirm that a Gift Code has been issued following their purchase. We will not share with a gift purchaser any information about whether you have activated your Gift Code, used the Services, or any clinical, health, or personal data relating to your use of the Services.

  • Where required by law or to meet legal obligations, such as providing records to regulatory bodies like the Care Quality Commission.

 

We implement appropriate technical and organisational security measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction.

 

International Transfers

 

If we transfer your data outside the UK or EEA, we ensure appropriate safeguards are in place.

 

How Long We Keep Your Data
 

We keep your data for as long as you remain opted in, or as required to comply with our legal obligations. Ask Hesta messages, clinician responses, signposting, escalation notes, and related records may be retained as part of your service and clinical record for as long as reasonably necessary to provide the Services, support continuity of care, respond to questions or complaints, and meet our legal, regulatory, and clinical record-keeping obligations.

​

Where we have received your name and email address from a gift purchaser for the purpose of sending you a gift notification, we will retain that data only for as long as necessary to deliver the notification and manage any related query. If you do not activate the Services using your Gift Code, we will delete your name and email address when the Gift Code expires, which will be no later than 12 months from the date of gift purchase.

 

If Hesta Health or its assignors cease trading, we will notify you and give you 60 days to download or otherwise export your data. After this date, we won’t keep any copies, and any data will be securely deleted. Where the law requires certain records to be preserved (for example, some clinical records), we’ll transfer them to an appropriate custodian.

​

Information We Receive From Third Parties
 

Where another person purchases our Services as a gift for you, they may provide us with your name and email address. We use this solely to send you a gift notification. We will send you this privacy notice at the same time as, or before, your gift notification so that you are aware we hold your details and understand your rights. If you do not wish us to hold your details, contact us at privacy@hesta.health and we will delete them promptly, provided your Gift Code has not already been activated.

 

Your Rights

 

You have specific rights regarding your personal data. You have the right to:

  • Request confirmation of what personal data we process 

  • Receive a copy of personal data you provided us in a structured, common format

  • Correct or update your data if it is inaccurate or incomplete

  • Request deletion of your data, subject to some exceptions for legal reasons

  • Object to or restrict processing

  • Withdraw consent (where processing is based on consent)

  • Lodge a complaint with the ICO at www.ico.org.uk/make-a-complaint

 

Contact Us

 

If you have questions or wish to exercise your rights, contact us at: privacy@hesta.health or write to us at:

 

Hesta Health

25 Eccleston Place

London

SW1W 9NF

 

Changes to This Notice

 

We may update this notice from time to time. The latest version will always be posted on our website.

 

For substantive changes, we will notify you in advance and explain the impact.

​

As of 20 May 2026.
