Privacy Policy

Last Updated: June 1, 2025

1. Introduction

Thank you for choosing HeySlim and for taking the time to read our Privacy Policy. This policy explains how Panmedica Medical Distribution Ltd. (referred to as "HeySlim", "we", "us", or "our") collects, uses, shares, and protects your personal data when you visit our website (heyslim.co.uk), use our services, or interact with us.

Our services involve connecting you with UK-based registered prescribers for consultations regarding prescription weight loss treatments, including medications like Mounjaro and Wegovy, and facilitating the dispensing and delivery of these treatments if prescribed.

This Privacy Policy, together with our Terms and Conditions, governs your use of our platform and services. By using our services, you agree to the collection and use of information in accordance with this policy.

Who We Are

HeySlim is a trading name of Panmedica Medical Distribution Ltd., a company registered in England and Wales under company number 8409943, with its registered office at Unit 503, Segro V-Park Grand Union, 3 North Circular Road, London NW10 7UD.

We operate a pharmacy registered with the General Pharmaceutical Council (GPhC), registration number: 9012739.

For the purpose of the UK General Data Protection Regulation (UK GDPR) and other applicable data protection laws, HeySlim is the data controller of your personal data when you use our platform and services, except where stated otherwise (e.g., for Partner Prescribers).

2. What Personal Data We Collect

We may collect and process the following categories of personal data about you:

  • Identity Data: Your full name, date of birth, gender, and government-issued identification (for identity verification purposes).
  • Contact Data: Your email address, telephone number, billing address, and delivery address.
  • Health Data (Special Category Data): Information about your physical or mental health, medical history, current health conditions, allergies, medications you are taking, lifestyle information (e.g., diet, exercise habits), weight, height, BMI, and responses to our online health questionnaires and consultations with prescribers. This also includes any photographs you may provide for clinical assessment.
  • Financial Data: Payment card details and billing information. Please note that we use third-party payment processors (e.g., Shopify Payments, Stripe) to handle payments, and we do not store your full payment card details ourselves.
  • Transaction Data: Details about payments to and from you, details of products and services you have purchased from us, and consultation history.
  • Technical Data: Internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access our website.
  • Usage Data: Information about how you use our website, products, and services, including pages visited and interaction patterns.
  • Marketing and Communications Data: Your preferences in receiving marketing from us and our third parties and your communication preferences.
  • Feedback and Correspondence: Any information you provide when you give us feedback, contact our support team, or respond to surveys.

3. How We Collect Your Personal Data

We collect personal data in the following ways:

  • Directly from you: When you create an account, complete our online health questionnaires, communicate with us (e.g., email, phone, chat), participate in consultations with prescribers, make a purchase, or provide feedback.
  • Automatically: When you interact with our website, we may automatically collect Technical Data and Usage Data using cookies and similar technologies.
  • From third parties:
    • From our Partner Prescribers (e.g., consultation notes, prescription details).
    • From payment service providers (e.g., confirmation of payment).
    • From analytics providers (e.g., Google Analytics) regarding your website usage.
    • From your GP, with your consent, if necessary for your treatment.

4. How and Why We Use Your Personal Data (Legal Basis for Processing)

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances and on the following legal bases:

  • Purpose: To register you as a new customer and manage your account.
    Data: Identity, Contact, Technical.
    Legal basis: Performance of a contract with you.

  • Purpose: To assess your suitability for our services and treatments (including online questionnaires and consultations).
    Data: Identity, Contact, Health Data.
    Legal basis: Performance of a contract with you (to take steps at your request prior to entering into a contract). For Health Data: necessary for the purposes of medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services, pursuant to a contract with a health professional (UK GDPR Art. 9(2)(h)).

  • Purpose: To process and deliver your orders, including managing payments, fees, and charges, and collecting and recovering money owed to us.
    Data: Identity, Contact, Financial, Transaction, Health Data (for prescriptions).
    Legal basis: Performance of a contract with you. For Health Data (related to prescriptions): necessary for the purposes of medical diagnosis or the provision of health care or treatment (UK GDPR Art. 9(2)(h)).

  • Purpose: To facilitate consultations with Partner Prescribers.
    Data: Identity, Contact, Health Data.
    Legal basis: Performance of a contract with you. For Health Data: necessary for medical diagnosis or the provision of health care or treatment (UK GDPR Art. 9(2)(h)).

  • Purpose: To communicate with you about your account, orders, and appointments, and to provide customer support.
    Data: Identity, Contact, Transaction.
    Legal basis: Performance of a contract with you; legitimate interests (to keep you updated and manage our relationship).

  • Purpose: To send you marketing communications that you have opted into, or where permitted by law.
    Data: Identity, Contact, Marketing and Communications, and potentially Health Data for tailored marketing (only with your explicit consent).
    Legal basis: Consent. For marketing based on Health Data: explicit consent (UK GDPR Art. 9(2)(a)).

  • Purpose: To improve our website, services, marketing, customer relationships, and experiences (including analytics and research).
    Data: Technical, Usage.
    Legal basis: Legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy); consent (for certain cookies).

  • Purpose: To comply with legal or regulatory obligations (e.g., record keeping for pharmacy services, responding to requests from regulatory bodies).
    Data: Identity, Contact, Transaction, Health Data.
    Legal basis: Legal obligation. For Health Data held in medical records: necessary for medical diagnosis or the provision of health care or treatment (UK GDPR Art. 9(2)(h)).

  • Purpose: To manage our business relationships with suppliers and partners.
    Data: Identity, Contact, Financial, Transaction.
    Legal basis: Performance of a contract; legitimate interests (to manage our business operations).

  • Purpose: To enforce our terms and conditions, and to establish, exercise or defend legal claims.
    Data: Identity, Contact, Transaction, Health Data (if relevant to a claim).
    Legal basis: Legitimate interests (to protect our rights and business).

Shopify: Our store, including the checkout process for our services, is powered by Shopify Inc., which provides the online e-commerce platform through which we sell our products and services to you. Your data is stored in Shopify's data storage, databases, and the general Shopify application, on a secure server behind a firewall. If you choose a direct payment gateway to complete your purchase, Shopify stores your payment card data in accordance with the Payment Card Industry Data Security Standard (PCI DSS), which requires stored card data to be encrypted and access to it restricted. For more insight, you may also want to read Shopify's Terms of Service or Privacy Statement.

Consent for Health Data: We rely on the condition under Article 9(2)(h) of the UK GDPR for processing your health data for providing healthcare services. Where we rely on your consent for other processing of Health Data (e.g., specific research or tailored marketing), we will make this clear at the point of collection, and you will have the right to withdraw your consent at any time.

5. Who We Share Your Personal Data With

We may need to share your personal data with the following categories of third parties:

  • Partner Prescribers: Licensed UK prescribers who conduct consultations, assess your suitability for treatment, and issue prescriptions. They are independent data controllers for the personal data they process during and for the purpose of your consultation and will handle your data in accordance with their own professional obligations and privacy policies.
  • Partner Pharmacies: Registered pharmacies that dispense and deliver your prescribed medication. They will be provided with necessary information to fulfil your prescription.
  • Payment Service Providers: Such as Shopify Payments, Stripe, or other providers who process your payments securely.
  • Delivery and Fulfilment Providers: Courier and postal services to deliver your medication and products.
  • IT Service Providers: Including cloud hosting providers (e.g., AWS, Google Cloud), Shopify (our e-commerce platform), email service providers, and technical support services.
  • Identity Verification Services: To verify your identity as required by law or for fraud prevention.
  • Analytics and Advertising Partners: Such as Google Analytics, and social media platforms (e.g., Facebook, Instagram) for advertising purposes, subject to your consent and preferences.
  • Professional Advisors: Lawyers, accountants, auditors, and insurers who provide consultancy, banking, legal, insurance, and accounting services.
  • Regulators and Authorities: Such as the General Pharmaceutical Council (GPhC), Medicines and Healthcare products Regulatory Agency (MHRA), the Information Commissioner's Office (ICO), and other authorities if required by law or to protect our rights.
  • Your GP: With your explicit consent, or where necessary for your vital interests or required by professional guidelines, we may share information about your treatment with your GP.
  • Third parties in a business transfer: If we sell, transfer, or merge parts of our business or assets, your personal data may be transferred to the new owners.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

6. International Data Transfers

Some of our external third parties (e.g., Shopify, Google Analytics, other IT service providers) may be based outside the UK, so their processing of your personal data will involve a transfer of data outside the UK.

Whenever we transfer your personal data out of the UK, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the UK.
  • Where we use certain service providers, we may use specific contracts approved for use under UK law which give personal data the same protection it has in the UK (such as the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses).

Please contact us if you want further information on the specific mechanism used by us when transferring your personal data out of the UK.

7. Data Security

We have implemented appropriate technical and organisational security measures to prevent your personal data from being accidentally lost, used, or accessed in an unauthorised way, altered, or disclosed. These measures include encryption, access controls, and regular security assessments.

We limit access to your personal data to those employees, agents, contractors, and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have procedures in place to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

However, please remember that no method of transmission over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

8. Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting, or reporting requirements. For medical records, this includes specific retention periods mandated by healthcare regulations (typically at least 8 years after the last contact for adult records, or longer in some circumstances).

To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting or other requirements.

In some circumstances, we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

9. Cookies and Similar Technologies

Our website uses cookies and similar technologies to distinguish you from other users, provide a good experience, and help us improve our site.

10. Your Legal Rights

Under certain circumstances, you have rights under UK data protection laws in relation to your personal data. These include the right to:

  • Request access to your personal data (commonly known as a "data subject access request").
  • Request correction of the personal data that we hold about you.
  • Request erasure of your personal data. Note, however, that we may not always be able to comply with your request for erasure for specific legal reasons (e.g., medical record retention requirements), which will be notified to you, if applicable, at the time of your request.
  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Request restriction of processing of your personal data.
  • Request the transfer of your personal data to you or to a third party (data portability).
  • Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you.

If you wish to exercise any of the rights set out above, please contact us at privacy@heyslim.co.uk.

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

11. Children's Privacy

Our services are not intended for individuals under the age of 18. We do not knowingly collect personal data from children under 18. If you are a parent or guardian and you are aware that your child has provided us with personal data, please contact us. If we become aware that we have collected personal data from a child under 18, we will take steps to remove that information from our systems.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Last Updated" date. We encourage you to review this Privacy Policy periodically for any changes.

13. Contact Us

If you have any questions, concerns, or complaints about this Privacy Policy, or how we handle your personal data, please contact our Data Protection Officer (or privacy team) at:

Email: privacy@heyslim.co.uk

Address: Unit 503, Segro V-Park Grand Union, 3 North Circular Road, London NW10 7UD

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO, so please contact us in the first instance.