This privacy notice (Privacy Notice) provides information about how your personal data is used and processed when collected through the Lalu Life application.
The Privacy Notice contains important information on how and why your personal data is collected, stored, used and shared for the purposes of making the Lalu Life application available to you. It also explains your rights in relation to your personal data and how to contact us or supervisory authorities in the event you have a complaint.
This Privacy Notice relates solely to your personal data collected through the Lalu Life application.
- Lalu Life mobile application (App) once you have downloaded or streamed a copy of the App onto your device (Device).
- Any of the services accessible through the App (Services). This policy sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. This App is not intended for children and we do not knowingly collect data relating to children. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.
Important information and who we are
Lalu Life Limited (Lalu Life) is the controller and is responsible for your personal data (collectively referred to as “Company”, “we”, “us” or “our” in this policy) collected through the App.
Lalu Life Limited is part of the MediData Exchange Limited group.
Your data will be collected from your GP Surgery through eMR, a product which enables GP practices to create digital medical reports in response to a data subject access request. eMR is product owned and operated by MediData Exchange Limited (trading as Medi2Data) who owns and is the parent company of Lalu Life Limited. Please see ‘disclosures of your personal data’ below for further information on the processing of your personal data by MediData Exchange Limited.
If you have any questions about this Privacy Notice, please contact us using the details set out below.
Our full details are:
- Full name of legal entity: Lalu Life Limited
- Name or title of DPO: Nicholas Freeman
- Email address: email@example.com
- Postal address: Devonshire House, 582 Honeypot Lane, Stanmore HA7 1JS
You have the right to make a complaint at any time to the Information Commissioner’s Office (ICO), the UK regulator, if you have any issues associated with the collection and processing of your personal data.
We keep our Privacy Notice under regular review.
This version was last updated on 9 June 2021. It may change and if it does, these changes will be posted on this page and, where appropriate, notified to you when you next start the App. The new policy may be displayed on-screen and you may be required to read and accept the changes to continue your use of the App or the Services.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during our relationship with you.
Third party links
Our App may, from time to time, contain links to and from the websites of our partner networks and affiliates. These websites and any services that may be accessible through them have their own privacy policies and that we do not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services. Please check these policies before you submit any personal data to these websites or use these services.
The data we collect about you
We may collect, use, store and transfer different kinds of personal data about you as follows:
- Identity Data: first name, last name, marital status, title, date of birth, gender. We will collect identification documents such as passport, drivers licence or other photo identification which contains the personal data listed above also and we will also collect a photograph of you (which you will be required to provide through the App) for the purposes of verifying your identity.
- Contact Data postal address, email address and telephone numbers.
- Profile Data includes technical information such as the Internet protocol (IP) address used to connect our computer or device from which you access the App to the internet, your username and password for the App and operating system and platform.
- Usage Data includes details of your use of our App.
- Special Category Data includes data concerning your health relating to your Covid-19 vaccination status and history.
- Marketing and Communications Data includes your preferences in receiving marketing from us and your communication preferences.
We may also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. However, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Notice.
We do not collect any information about criminal convictions and offences.
How is your personal data collected?
We will collect and process the following data about you:
- Information you give us. This is information (including Identity, Contact and Marketing and Communications Data) you give to us by filling in forms on the App, or by corresponding with us (for example, by email). It includes information you provide when you register to use the App, download or register the App, use our Services and when you report a problem with an App.
- Information we collect about you and your device. Each time you visit our App we will automatically collect personal data relating to your Usage Data. We collect this data using cookies and other similar technologies.
- Information we receive from GP Surgeries. In providing the Services to you through the App, we will make a subject access request on your behalf to access data relating to your Covid-19 vaccination history from your GP Surgery. GP Surgeries will provide us with Identity Data and Special Category Data about you when providing data relating to your Covid-19 vaccination history.
- Information we receive from third party service providers. We may collect personal data about you from fraud prevention agencies and KYC (know your customer) service providers to verify your identity for the purposes of requesting your personal data and to prevent fraud. We use a third-party service provider to carry out real-time identity verification using the identification documents you provide through the App, this third party provider is Shufti Pro Limited.
- Information we receive from public sources. We may receive information about you from public sources (or from the third party service providers mentioned above who have sourced the information from public sources) such as the electoral register or Companies House for identity verification purposes.
Analytics information we collect about you and your device
We will use Google analytics technologies to help us improve the App by collecting and reporting information on how you use the App. These technologies collect information in an anonymised form (which means once collected you cannot be directly identified from the data).
It is necessary for our legitimate interests to use these analytics technologies to ensure the App performs and functions correctly, to ensure we can provide a good experience when you use the App and to develop our business and the App.
We use the following analytics:
- Firebase Crashlytics – This allows us to understand any issues with the App and to help us to track and fix any issues, in the unlikely event issues occur.
- Google Analytics for Firebase – This allows us to use data to provide analytics about how the App is used by you including the number of users who use the App and the number of sessions.
Further information about the analytics we use on the App can be found here: https://firebase.google.com/support/privacy
We have disabled your IDFA (a devices advertising identifier). When an IDFA is enabled, this allows tracking of activity for advertising purposes. However, as your IDFA will be disabled, we will not collect analytics data about you for advertising purposes. We do not share any analytics data with third parties.
How we use your personal data
We will only use your personal data when the law allows us to do so. Most commonly we will use your personal data in the following circumstances:
- Where you have consented before the processing. Consent means processing your personal data where you have signified your agreement by a statement or clear opt-in to processing for a specific purpose. Consent will only be valid if it is a freely given, specific, informed and unambiguous indication of what you want. You can withdraw your consent at any time by contacting us.
- Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests. Legitimate Interest means the interest of our business in conducting and managing our business to enable us to give you the best service/product and the best and most secure experience. We make sure we consider and balance any potential impact on you (both positive and negative) and your rights before we process your personal data for our legitimate interests. We do not use your personal data for activities where our interests are overridden by the impact on you (unless we have your consent or are otherwise required or permitted to by law). You can obtain further information about how we assess our legitimate interests against any potential impact on you in respect of specific activities by contacting us.
- Where we need to perform a contract we are about to enter or have entered with you. Performance of Contract means processing your data where it is necessary for the performance of a contract to which you are a party or to take steps at your request before entering into such a contract.
- Where we need to comply with a legal or regulatory obligation. Comply with a legal obligation means processing your personal data where it is necessary for compliance with a legal obligation that we are subject to.
We will get your express opt-in consent before we share your personal data with any third party for marketing purposes.
Purposes for which we will use your personal data
|Purpose/activity||Type of data||Lawful basis for processing||Lawful basis for processing special category data|
|To install the App and register you as a new App user||IdentityContactProfile||Necessary for performance of a contract. Information is processed to enable us to provide the Services to you through the App.||Not applicable|
|To manage our relationship with you including notifying you of changes to the App or any Services||IdentityContactProfileMarketing and Communications||Necessary for performance of a contract with youNecessary for our legitimate interests (to keep records updated and to analyse how customers use our products/ Services)Necessary to comply with legal obligations (to inform you of any changes to our terms and conditions)||Not applicable|
|To confirm your identity when you sign up to the App using a third-party service provider to verify your identity through real time facial recognition technology||Identity Contact||Necessary for performance of a contract with you to make the App and the Services available to you (if your identity has not been verified the GP Surgery will not be able to complete the subject access request and provide the relevant vaccination data without undertaking further identity checks) Necessary for the legitimate interests of a third party (your GP Surgery) to enable them to provide the vaccination data having verified your identity||Not applicable|
|To collect personal data relating to your Covid-19 vaccination history for the purposes of making your vaccination data available to you through the App||Identity Special Category||Consent||Consent|
|To ensure the App, content and Services are as effective and relevant as possible and give you the best experience||Identity ProfileUsageSpecial Category||Necessary for our legitimate interests (for ensuring our App and the Services we provide are as effective as possible and to develop our Services)||Not applicable|
|To administer and protect our business and this App including troubleshooting, data analysis and system testing||IdentityContactProfile Usage||Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security)||Not applicable|
|To make recommendations to you about other products or services offered by Lalu Life which may interest you||IdentityContactProfileUsageMarketing and Communications||Necessary for our legitimate interests (to develop our products/Services and grow our business)||Not applicable|
We will not collect or process any of your financial information. Financial transactions relating to our App (including the fee payable for the purchase of our App) are handled by third party payment service providers, Google Pay and Apple Pay. You will be re-directed to the relevant payment services page when you purchase the App and you should read the information about the privacy policies and practices of these payment service providers on their websites, or when prompted to do so by the relevant payment service provider, as applicable.
Subject access requests made through the App
Lalu Life provides a platform for customers to request personal data relating to their vaccination records. You authorise Lalu Life to make a subject access request on your behalf to your GP Surgery.
Lalu Life is not responsible for ensuring the data subject access request is complied with in accordance with relevant data protection laws. Lalu Life facilitates the request and stores the personal data thereafter for the purposes of making this information available to you to access through the App.
It is the responsibility of the GP Surgery to provide the personal data requested through the subject access request in accordance with the requirements of the data protection laws, including the UK GDPR.
In some circumstances, where your identification documents are an exact match to the records held for you by your GP Surgery (as explained further below), MediData Exchange (on behalf of Lalu Life Limited and through eMR) will conduct a real time data extraction of your personal data relating to your vaccination records from the GP Surgery system.
The real time data extraction will be facilitated by using an approved clinical coding system (known as SNOMED CT) which is used to record patient clinical information in the NHS. If the eMR system operated by MediData Exchange Limited (as a service provider of Lalu Life Limited as detailed further below) can make an exact match to your name, address and date of birth in the GP Surgery system and can access your vaccination data through use of the SNOMED CT clinical codes, MediData Exchange Limited will download your vaccination data from the GP Surgery system. MediData Exchange will pass this data to Lalu Life who will make the personal data available through the App.
If the name, address and date of birth you have given in the App is not an exact match to a patient record at your GP Surgery, the GP Surgery will receive an instruction to verify your identity and provide a response to the subject access request. Once the GP Surgery has completed this process and authorised this, eMR will automatically extract and transmit the data to the Lalu Life App.
If you wish to raise any concerns or have any complaints regarding your GP Surgeries response to the subject access request, or the personal data provided, you should direct these complaints directly to the GP Surgery.
Disclosures of your personal data
We may need to share your personal data with the third parties set out below for the purposes set out in the table above:
- Anyone you give us permission to share your personal data with. This includes your GP Surgery for the purposes of making a subject access request to access your personal data relating to your vaccination history and to make your identification documents available to the GP Surgery to verify your identity for the purposes of completing the subject access request.
- Cloud computing storage providers. We use Amazon Web Services (AWS) which stores all personal data held in the App on servers in the United Kingdom – the personal data held is encrypted.
- Third party service providers who provide ‘Know Your Customer’ (KYC) services to help us with identity verification or fraud checks. We will pass your personal data to third party KYC service provider through their respective application programming interface (API).
- Third parties to whom we may choose to sell, transfer or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this Privacy Notice.
- Lalu Life Limited’s parent company. We will share your personal data with MediData Exchange Limited (trading as Medi2Data) who will process your personal data on Lalu Life’s behalf. MediData Exchange Limited will work with Lalu Life to submit the request for your personal data to the GP Surgery by making the subject access request through eMR, a service operated by Medi2Data to enable GP Surgeries to create digital subject access requests.
- Professional advisers including lawyers, bankers, auditors and insurers who provide consultancy, banking, legal, insurance and accounting services.
- HM Revenue and Customs, regulators and other authorities who require reporting of processing activities in certain circumstances.
International transfers and data security
Except as set out below, we do not transfer your personal data outside the UK. Except where processed by a third party for the purposes of verifying your identity as set out below, your personal data will be held on a secure server in the United Kingdom which is operated by AWS, as explored further above.
All information you provide to us is stored on secure servers. Where we have given you (or where you have chosen) a password that enables you to access the App, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Once we have received your information, we will use strict procedures and security features to try to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.
As mentioned above, we will share your personal data with third party service providers who provide ‘Know Your Customer’ services to verify your identity. The external third party we use operates in the United Kingdom but processes and stores the data we make available to them to perform their services on dedicated servers in Germany. Germany is part of the European Economic Area (EEA) which has been deemed to provide an adequate level of protection for personal data and so this provides a safeguard for your personal data. Your personal data will be processed outside of the EEA for a short period of time (whilst the verification process takes place) for the third-party service provider to complete the KYC checks and for manual identity verification purposes only. Your personal data will then be stored in Germany as detailed above. We will use specific contracts approved for use in the UK which provides a safeguard for your personal data with the service provider who provides the KYC checks.
Where we are transferring your personal data out of the UK, we ensure a similar degree of protection is afforded to your personal data by ensuring safeguards are implemented, as described above.
Your personal data which will be shared outside of the EEA comprises of:
- Your name, date of birth, your postal address
- The image you provide of yourself through the App
- Your identification documents including passport, driver licence or other identification document you provide through the App.
We will not share any Special Category Data (including any medical records) about you outside of the UK.
Details of retention periods for different aspects of your personal data are set out below.
Identity, Contact, Usage, Profile Data
By law we have to keep basic information about our customers (including Contact, Identity and Profile Data) for six years after they cease being customers for tax purposes. This does not include any personal data about you which is Special Category Data.
Special Category Data
We will keep information about our customers which relates to their vaccination history (which includes Special Category Data) for as long as the customer continues to be a customer and is a user of the App, or until the customer withdraws their consent. If the customer makes a request to delete their account on the App, or to delete the personal data relating to their vaccination history, Lalu Life will delete the personal data following such request.
In the event that you do not use the App for a period of 12 months we will send you a notification notifying you of the inactivity on the App and will seek your consent to continue processing your vaccination data (the Special Category Data). If you do not consent to the continued processing of this personal data or we do not receive a response, we will treat the account as expired and your personal data will be deleted or anonymised (so that it can no longer be associated with you).
If you consent to the continued processing of your vaccination data but the App continues to be inactive for a further period of 12 months after receiving such consent, the process set out above will be repeated and we will ask for further consent after the expiry of the further period of 12 months.
In some circumstances you can ask us to delete your data: see Your legal rights below for further information.
Your legal rights
Under certain circumstances you have the following rights under data protection laws in relation to your personal data.
- Request access to your personal data (commonly known as a “data subject access request”). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it.
- Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected, though we may need to verify the accuracy of the new data you provide to us.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground as you feel it impacts on your fundamental rights and freedoms. You also have the right to object where we are processing your personal data for direct marketing purposes. In some cases, we may demonstrate that we have compelling legitimate grounds to process your information which override your rights and freedoms.
- Request restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data in the following scenarios:
- if you want us to establish the data’s accuracy;
- where our use of the data is unlawful but you do not want us to erase it;
- where you need us to hold the data even if we no longer require it as you need it to establish, exercise or defend legal claims; or
- you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Request the transfer of your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.
- Withdraw consent at any time where we are relying on consent to process your personal data. However, this will not affect the lawfulness of any processing carried out before you withdraw your consent. If you withdraw your consent, we may not be able to provide certain products or services to you, including making your vaccination data or a vaccination certificate available to you.
You also have the right to ask us not to continue to process your personal data for marketing purposes.
You can exercise any of these rights at any time by contacting us on firstname.lastname@example.org.