Onko Privacy Policy

Onkohealth Ltd
Privacy Policy

1st June 2022

1) Introduction

This is the Privacy Policy for the website hosted at www.onkohealth.co.uk (the “website”) and the Onkohealth app (the “App”) (together, our “Services”). The website and App are operated by Onkohealth Limited, trading as “Onko” (“we”, “us” and “our”). We are a limited company registered in England. Our registered company number is 11096924, and our registered office is Price Mann & Co, Magnolia House, Spring Villa Park, 11 Spring Villa Road, Edgware, HA8 7EB.

We are committed to protecting and respecting your privacy and this policy (together with the terms of service) sets out:

1) Introduction
2) Applicable law
3) Information we collect about you
4) How we use your information
5) Where we store your information
6) How we protect your information
7) Legal bases for processing your data
8) How long we keep your information
9) Subject access requests, changing and deleting your personal data
10) Your rights
11) Child safety
12) Marketing

Our data protection officer (DPO) is Martyn Rankin and can be contacted at enquiries@onkohealth.co.uk.

By using or engaging our Services you acknowledge that you have read and understood this privacy policy. We reserve the right to change this privacy policy from time to time, and any substantive changes will be notified to you by email.

This privacy policy was last updated on 1st June 2022.

2) Applicable law

Data processing by Onkohealth Limited is subject to English law. Pursuant to UK GDPR, UK DPA 2018, and any other applicable data protection regulations, we work to ensure our users have appropriate protection of their privacy and personal data.

For the purposes of European Economic Area data protection law, (the “Data Protection Law”), the data controller is Onkohealth Limited. This means we are responsible for deciding how we hold and use personal information about you.

3) Information we collect about you

We are committed to the GDPR principle of data minimisation, and only collect the personal data we require to be able to provide our Services to you. We will collect and process the following personal data from you:

Information you give us

This is information about you that you give us directly when you interact with us. We will not use your personal data for any purposes that are not set out in this privacy policy, and will update you if we need to use your personal data for another purpose. This information is required to:

  • Register to create an account with us
  • Arrange appointments with our clinical health coaches
  • Record information about your health, medical diagnoses, treatment, symptoms, medication and how you are feeling
  • Answer questions about your health, symptoms and holistic needs
  • Share your health information with permitted third parties (e.g. your GP)
  • If you are a healthcare provider or carer, information such as your name, telephone number, email address, job title and place of work

How we obtain your information
This will be collected in a number of ways including:

  • In an initial telephone call with you following your referral
  • In any video or telephone appointments with our customer service teams or healthcare professionals
  • When you input information into the App or website (including responses to questionnaires)
  • When you report a problem with the App or website
  • Information provided by your referring healthcare professional (e.g. your clinical team) on referral and throughout your use of our Services.

The information you provide may include your name, address, email address, telephone number, date of birth, gender, login and password details.

To interact fully with the Service you will need to provide information about your existing health conditions, treatment and/or medication, symptoms and the name and contact information of your healthcare team, hospital and GP.

You can choose to import metrics on activity, heart rate and sleep via wearable devices (e.g. Fitbit and Apple Health). You will also be able to journal your mood and symptoms, such as their type, severity and frequency, so you can track your progress over time and share it with others where you choose to do so.

NHS Services

We provide some services to the NHS. For NHS patients, we are obliged to collect data on your health and healthcare in order to fulfil our contractual obligations. This data may include relevant information about your diagnosis and treatments from your NHS healthcare records. We use this data to provide clinical care, to feed back to your clinical team, to account for our NHS activity and to evaluate our outcomes in line with our contractual obligations.

4) How we use your information

Only employees and agents of Onko who are obligated to maintain confidentiality can access applicable data, and only as reasonably necessary to perform their role. Other third parties do not have access to your personal data without your explicit consent.

Your personal data, as well as all data collected via the App or website (e.g. data about activity, symptoms, mood etc., including from connected external apps such as Fitbit and Apple HealthKit), will only be used for rendering Services according to contractual obligations. When Onko is providing Services to, and on behalf of, the NHS or Private Medical Insurers, personal data is exchanged between Onko and referring healthcare professionals (e.g. your GP practice) for the purposes of caregiving and safeguarding. We also report our activity to referring healthcare organisations.

When Onko is providing Services to, and on behalf of, the NHS or Private Medical Insurers, non-personally identifiable (or anonymised) data on Service users is shared with commissioning bodies and contractually relevant parties for the purposes of evaluating our Services and/or for research. Such data may be used by Onko and authorised affiliates (i.e. the NHS) for research and publication purposes, and can be analysed and used to improve our Service (optimisation, further development and research) during the duration of the contract and after the termination of the contractual relationship.

We also record telephone calls as needed for optimal customer service and quality management purposes.

You have the right and ability to opt out of certain uses or sharing of your data; please see the section below titled “Subject Access Requests, Changing & Deleting Your Personal Data”. The reason you cannot opt out of all data sharing with us is that we would then be unable to provide you with our Service.

5) Where we store your information

We use Amazon Web Services (“AWS”) (offered by Amazon Web Services, 60 Holborn Viaduct, London, EC1A 2FD) to host the data. Your data is processed on servers in the UK. Data is encrypted end to end.

For further information, please refer to Amazon’s privacy policy for AWS (https://aws.amazon.com/privacy/). The processing of your data in AWS is based on your consent, the performance of the contract, and/or legitimate interest (legal bases for processing under applicable data protection regulations).

The data we collect from you is stored within the European Economic Area (“EEA”).

6) How we protect your information

All information you provide to us is stored on our secure servers and is encrypted between your device and any external host storage to keep it safe (i.e. ‘encrypted in transit’ as well as ‘encrypted at rest’). We use the AES 256 encryption standard.

The Microsoft Teams platform is used for the majority of video consultations. Microsoft Teams is compliant with a range of regulatory security standards, including ISO 27001, ISO 27018 and HIPAA Business. All data sent via Teams is stored and backed up in Azure cloud storage. Azure is delivered through data centres in 54 global regions, which allows Microsoft to store Teams data based on each organisation’s region. This means that all data is stored in compliance with the data security regulations of the region in which each organisation operates. Network communications in Teams are encrypted by default. By requiring all servers to use certificates and by using OAuth, Transport Layer Security (TLS) and Secure Real-Time Transport Protocol (SRTP), all Teams data is protected on the network. For further information about security please consult https://docs.microsoft.com/en-us/microsoftteams/teams-security-guide, and for further information about data collection please consult https://privacy.microsoft.com/en-GB/data-collection-teams.

The Twilio video service used for video consultations is based on the open-standard WebRTC protocol. The security architecture is described here, and the protocols used include TLS, DTLS and SRTP. All communication between a Programmable Video client and the Twilio cloud is encrypted. Media shared in Group Rooms is encrypted during transport to Twilio, is briefly decrypted in memory in Twilio’s cloud, and is immediately re-encrypted before being sent to other Participants. Decrypted media is not written to any persistent storage or sent across the network. For further information please consult https://www.twilio.com/docs/video/media-security.

The website and App may contain links to external sites. We are not responsible for the privacy policies or the content of such sites. When you leave our website or our App, we encourage you to read the privacy policy of every other website you visit.

7) Legal bases for processing your data

Any information about your health is classed as sensitive personal data and we ensure that additional safeguarding measures are in place to protect this information. Our legal bases relied upon in processing of your personal data are:

  • Consent;
  • Provision of preventative or occupational medicine, health or social care or treatment, or the management of health or social care systems;
  • Performance of a contract;
  • Legitimate interest; and/or
  • Public interest.

Should you have any questions on which of these may apply to your particular personal data, please e-mail enquiries@onkohealth.co.uk.

8) How long we keep your information

Your personal data is retained only for as long as necessary, per contract and in accordance with data protection regulations. In many cases, the retention period is 8 years, to comply with applicable NHS data retention standards.

Should you have any questions on this, please e-mail enquiries@onkohealth.co.uk.

9) Subject access requests, changing and deleting your personal data

You can make a Subject Access Request (SAR) to change or delete the personal data entrusted to us at any time by requesting this, with a copy of your identification (passport or driving licence), by e-mail to enquiries@onkohealth.co.uk. We will oblige your request except for any data which we are required to keep on file for a specified timeframe for compliance with applicable law(s), NHS standards/regulations, etc.

We strive to respond to your requests within 28 days and will let you know if we are unable to meet this timeframe. If your request or concern is not satisfactorily resolved by us, you may approach your local data protection authority (see https://ec.europa.eu/info/law/law-topic/data-protection_en).

The Information Commissioner (ICO) is the supervisory authority in the UK and can provide further information about your rights and our obligations in relation to your personal data, as well as deal with any complaints that you have about our processing of your personal data. You can contact the ICO by writing to Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

10) Your rights

Under data protection legislation, data subjects have the following rights with regards to their personal information:

  • the right to be informed about the collection and the use of their personal data
  • the right to access personal data and supplementary information
  • the right to have inaccurate personal data rectified, or completed if it is incomplete
  • the right to erasure (to be forgotten) in certain circumstances
  • the right to restrict processing in certain circumstances
  • the right to data portability, which allows the data subject to obtain and reuse their personal data for their own purposes across different services
  • the right to object to processing in certain circumstances
  • rights in relation to automated decision making and profiling
  • the right to withdraw consent at any time (where relevant)
  • the right to complain to the Information Commissioner

11) Child safety

The website and the App are intended for use only by persons who are at least 18 years of age. By using our Services, you confirm to us that you meet this requirement. If you suspect that a child under 18 is accessing the App and providing personal data without their parent or guardian’s consent, please contact us at enquiries@onkohealth.co.uk so that we can investigate and remove/delete the data where necessary.

12) Marketing

We use Mailchimp to provide you with our monthly update email (Monthly Brief). This is a carefully curated update and is part of the Onko Service, delivering content to help you with your health and wellness goals.

We may use information for marketing services to you in the following ways:

  • Marketing emails relating to our own services and events, only where you have not opted-out of receiving that marketing.
  • Newsletters and marketing emails where you have requested this information from us, or we have obtained your consent to send you marketing.

We will provide an option to unsubscribe or opt out of further communication in any electronic marketing communication sent to you, or you may opt out at any time by emailing enquiries@onkohealth.co.uk.