Privacy Policy

By continuing to use our website, apps and services, you are deemed to agree to our Terms and Conditions and this Privacy Policy for the collection and processing of your personal data. Please note that any consent given for the purposes of medical consultation or examination is separate from consent granted for the processing of your personal data.

This Privacy Policy sets out our use of any and all data collected by us in relation to your use of our website, platform and apps (“Website”). The Website is operated by Leva Clinic (“Leva”, “we”, “us”, “our”), which is operated by Zerenia Clinic.

Data Controller:
Zerenia Clinic
5 Pemberton Row,
London, EC4A 3BA,
United Kingdom. 

For the purposes of processing your personal data, we are the data controller (under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018). We are committed to protecting your privacy, both online and offline. This Policy explains how we collect information, what we do with it, what rights you have and how to exercise them.

This Policy should be read in conjunction with our Terms and Conditions.
We may amend or update this Privacy Policy from time to time. This version is current as of November 2025.


Under UK GDPR, we will only process your personal data if at least one of the following bases applies:

  • Consent (for specific purposes such as marketing, GP communication, and any optional services)

  • Contract (to provide clinical and related services to you)

  • Legal obligation (e.g., compliance with medical regulatory requirements, safeguarding obligations)

  • Vital interests (rare instances relating to life-or-death situations)

  • Public task (if applicable to regulatory reporting)

  • Legitimate interests (for improvements, analytics, fraud prevention, security)

Where special category data (e.g., health information) is processed, we rely on:

  • UK GDPR Article 9(2)(h) – processing for the provision of health or social care, with professional confidentiality.

Marketing processing only occurs when you have provided express consent.

All research data is aggregated and anonymised.

Our services are only available to patients aged 18+.


1. Information we may collect from you 

We may collect and process the following information:

  • Registration information: Name, date/year of birth, email, telephone number, health conditions, and information provided on forms or during sign-up.

  • Payments and purchases: Details of transactions made through the Platform.

  • IP address and interactions: Automatically collected data, such as IP address, device details, behaviour, and Website interactions.

  • Communications with us: Messages, emails or other communications you send to us.

  • Research and surveys: If you choose to participate.

  • Platform usage data: Pages visited, resources accessed, downloads and usage analytics.

  • Health data: Health history, conditions, symptoms, medical notes, prescriptions, allergies, height/weight, and information exchanged with HCPs.
    We may also record audio or video consultations (you will be notified at the time).

  • Children’s Data: We do not knowingly collect data from anyone under 18. If you become aware that a child has accessed our services or provided data without parental authority, contact us immediately. We implement age-verification steps during registration to prevent underage access.

2. How we use your information (Purposes & Legal Bases)

We process your personal data for the following purposes:

Service delivery

  • Arranging consultations, prescriptions, medical assessments

  • Lawful basis: Contract

Identity verification

  • Fraud prevention and confirming correct patient identity

  • Lawful basis: Legal obligation + Legitimate interests

Payments

  • Processing card and subscription payments

  • Lawful basis: Contract

Providing the Platform

  • Operating accounts, login and functionality

  • Lawful basis: Contract

Clinical records

  • Maintaining medical notes, prescriptions, safeguarding

  • Lawful basis: Legal obligation + Art. 9(2)(h)

Sharing with pharmacists/HCPs

  • To provide safe and regulated medical care

  • Lawful basis: Contract + Art. 9(2)(h)

Improving our services

  • Analytics, audits, user experience optimisation

  • Lawful basis: Legitimate interests

Marketing

  • Sending updates, news and offers

  • Lawful basis: Consent

Research (anonymised)

  • Service improvement, internal reporting

  • Lawful basis: Legitimate interests

Regulatory reporting

  • Complying with medical, legal or safeguarding duties

  • Lawful basis: Legal obligation

Email communications involve risks, and you should ensure your device and provider are secure.

You may opt out of non-essential processing at any time.

 

3. Information shared with others 

  • Information that identifies you: We do not sell or rent your personal data.

  • Healthcare Staff (HCPs): Shared only as necessary for medical care.

  • Pharmacies: For prescription fulfilment, identity verification and communication.

  • Partner Healthcare Schemes: Where services are provided through your employer/insurer.

  • Business Associates: Cloud hosting providers, IT security, accreditation auditors, payments processors (e.g., Stripe), and communications platforms.
    All are under GDPR-compliant contracts.

  • Aggregated, anonymised data: Shared for lawful business or research purposes.

  • Legal or Safety Requirements: We may disclose personal information when required by law, safeguarding obligations, regulatory authorities, or to prevent fraud or cyber-crime.

  • Business Transfers: If Leva/Zerenia is acquired or restructured, personal data may transfer to the new entity under the same protections.

4. Medical information

Handled strictly confidentially and in accordance with UK medical standards and retention codes.

  • Retention of medical data: Health records are kept in digital form and retained in accordance with the NHS Records Management Code of Practice (currently 8 years for adult medical records unless extended by law).
    Anonymised data may be retained indefinitely.

  • Consultation notes and recordings: Audio/video recordings are retained only for training, quality and governance purposes, and deleted after the minimum legally required period.

  • Sharing with your GP: We will seek your consent to inform your NHS GP.
    If consent is denied, this may limit available treatment options.

  • Security: HTTPS, encryption, access controls and secure digital storage are used.
    You should ensure your device is secure.

All medical and health information collected and supplied to Leva (Zerenia Clinic) will be treated as strictly confidential and held in accordance with UK records management codes and data protection laws.

 

5. Additional information collected automatically

Browser type, device type, referring website, usage analytics and demographic data (non-identifiable).

 

6. External links 

Not covered by this policy. You should check external sites’ own privacy notices.

 

7. Payment processing 

Payments are handled by Stripe, an independent processor.
Your card data is not accessible to us and is used in accordance with Stripe’s terms and privacy policy.

 

8. Security 

We use technical and organisational measures such as encryption, access limitation, network security and regular audits.

No internet transmission is entirely secure.
Use caution with shared/public computers.

 

9. Storage and International Data Transfers

Storage Locations

Data is stored in secure servers located in the UK or EEA.
Some service providers (e.g., cloud communications platforms, analytics providers) may process limited data outside the UK/EEA, including the United States.

Safeguards for International Transfers

Where international transfers occur, we use one or more legally approved safeguards:

  • UK Addendum to the EU Standard Contractual Clauses (SCCs)

  • ICO International Data Transfer Agreement (IDTA)

  • Additional technical and organisational measures (encryption, access control)

  • Providers subject to approved certification or recognised adequacy decisions

You may request a copy of the relevant transfer safeguards by contacting us.
 

10. Automated Decision-Making

Leva does not use automated decision-making that produces legal or significant effects on you.

Where algorithms or digital clinical tools assist clinicians, all final clinical decisions are made by qualified humans.

You always have the right to request human review if automated analysis is used.

11. Data Retention (Full Schedule)

We retain your data for the following periods:

  • Medical records: 8 years (NHS standard) unless required longer

  • Consultation recordings: Minimum needed for governance, then deleted

  • Account and profile data: 7 years after last activity

  • Support communications: Up to 3 years

  • Marketing preferences: Until you withdraw consent

  • Cookie data: As per Cookie Policy (varies by cookie)

  • Payment data (non-card): 7 years (financial compliance)

You may request deletion of non-medical data, subject to legal obligations.

12. Cookie Policy (Required under PECR)

Cookie Use

When you visit our Website, we place cookies and similar technologies on your device.

Categories of Cookies Used

  • Strictly Necessary Cookies – essential for the site to function (no consent required).

  • Analytics Cookies – measure performance and user behaviour (consent required).

  • Functionality Cookies – enhance features such as saved preferences (consent required).

  • Marketing Cookies – used for personalised content and advertising (consent required).

Consent Mechanism

When you first visit our Website, you will be asked to consent to non-essential cookies.
You may withdraw consent at any time using:

  • Cookie banner settings

  • Browser settings

  • Contacting us

A detailed cookie list is available in our Cookie Policy, which forms part of this Privacy Policy.

13. Your Rights

You have the right to:

  • Access your personal data

  • Correct inaccurate information

  • Erase data (subject to medical/legal retention obligations)

  • Restrict processing

  • Object to processing (including legitimate interests)

  • Withdraw consent at any time

  • Receive your data in portable format

  • Not be subject to automated decision-making

  • Lodge a complaint with the Information Commissioner’s Office (ICO)

ICO Contact:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
 

Contacting us 

For questions, concerns or to exercise your rights:

Email: info@levaclinic.com
Post:
Zerenia (Leva) Clinic Ltd
5 Pemberton Row
London EC4A 3BA
United Kingdom

Our Data Protection Officer can be reached at the same email address.

© Copyright IASO LTD. 2025. Our website content is for information purposes and should not be used as medical advice. If you need further advice please book an appointment with one of our doctors.
