
Reboost.com UK LTD (DoktorABC) – Privacy Policy

1. About Us

Reboost.com UK Limited, trading as DoktorABC, is a digital healthcare company that provides online medical consultations and prescription services. We connect patients with licensed, independent healthcare professionals through our platform, enabling them to access treatments and medications conveniently and securely.

Reboost.com UK Limited (the “Company”, “we”, “our” or “us”) is committed to protecting and respecting your privacy. This privacy notice explains how we collect, use, store and share your personal data when you use our website at https://www.doktorabc.com/uk (the “Website”) and our services.

For the purposes of UK data protection legislation (including the UK General Data Protection Regulation and the Data Protection Act 2018), the data controller is Reboost.com UK Limited, a company registered in England and Wales (company number 17051536), with registered office at 219 Labs Atrium Stables Market, Chalk Farm Road, London, United Kingdom, NW1 8AH.

Our data protection officer can be contacted via heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu.

We have appointed Martin Bastius, c/o heyData GmbH, Schützenstraße 5, 10117 Berlin, email: eu-rep@heydata.eu, as our EU representative.

2. Information We Collect

We collect and process personal data about you in the following ways:

2.1 Personal Information You Give Us

This is information about you that you give us by filling in forms on our Website, undergoing a consultation, or by corresponding with us by phone, email or otherwise. It includes information you provide when you register on our Website, place an order, complete a medical questionnaire, or report a problem. This information may include your name, date of birth, address, email address, phone number, gender, identification documents and payment information.

2.2 Special Category Data You Give Us

Special category data (also known as “sensitive personal data”) includes information about your health, medical conditions, medication history, and other health-related information. Because we provide an online healthcare service, we collect this type of data when you complete medical questionnaires, undergo consultations with prescribers, or otherwise communicate health information to us. Special category data receives additional protection under data protection law, and we explain the legal bases on which we process it in Section 3 below.

2.3 Information We Collect Automatically

When you visit our Website, we automatically collect technical information including your IP address, browser type and version, time zone setting, browser plug-in types and versions, operating system, and platform. We also collect information about your visit, including pages visited, clickstream data, page response times, download errors, and page interaction information. Much of this data is collected through cookies and similar technologies – please see Section 5 (Cookies) for further details.

2.4 Information We Receive from Third Parties

We may receive information about you from third parties, including our partner prescribers, fulfilment pharmacies, payment processors, and identity verification providers. Where we receive personal data about you from a third-party source, we will provide you with information about the source and the data received, where we are required to do so by law.

3. How We Use Your Information and Our Legal Bases

This section sets out our purposes and legal bases for processing personal data (Section 3.1) and special category health data (Section 3.2).

3.1 Processing of Personal Data

The following outlines the purposes for which we process your personal data, the categories of data involved, and the legal basis we rely on in each case:

3.1.1 Purpose: Providing our services, processing orders, and managing your account

Categories of Data: Name, contact details, date of birth, payment information, identification documents

Legal Basis: Performance of our contract with you (Art. 6(1)(b) UK GDPR)

3.1.2 Purpose: Facilitating medical consultations and prescriptions through independent prescribers

Categories of Data: Name, contact details, date of birth, gender, health data (see Section 3.2 below)

Legal Basis: Performance of our contract with you (Art. 6(1)(b) UK GDPR). For health data, see Section 3.2

3.1.3 Purpose: Verifying your identity

Categories of Data: Name, date of birth, identification documents, photographs

Legal Basis: Performance of our contract with you (Art. 6(1)(b) UK GDPR) and compliance with legal obligations (Art. 6(1)(c) UK GDPR)

3.1.4 Purpose: Sending service communications (e.g. order confirmations, prescription updates)

Categories of Data: Name, email address, phone number

Legal Basis: Performance of our contract with you (Art. 6(1)(b) UK GDPR)

3.1.5 Purpose: Direct marketing about similar products and services

Categories of Data: Name, email address

Legal Basis: Legitimate interests (Art. 6(1)(f) UK GDPR) – to promote relevant services to existing customers. You can opt out at any time

3.1.6 Purpose: Improving our Website, conducting analytics and research

Categories of Data: Technical data, usage data, cookies

Legal Basis: Legitimate interests (Art. 6(1)(f) UK GDPR) – to improve and optimise our services

3.1.7 Purpose: Ensuring network and information security

Categories of Data: Technical data, usage data

Legal Basis: Legitimate interests (Art. 6(1)(f) UK GDPR) – to keep our Website safe and secure

3.1.8 Purpose: Compliance with legal and regulatory obligations

Categories of Data: All categories as required

Legal Basis: Compliance with a legal obligation (Art. 6(1)(c) UK GDPR)


3.2 Processing of Special Category Data (Health Data)

Because our services involve healthcare, we process health-related special category data. We rely on the following legal bases under Article 9(2) of the UK GDPR:

  • Explicit consent (Art. 9(2)(a) UK GDPR): Where you provide your health information to us via our medical questionnaires and consultations, you give your explicit consent for us to process that data to facilitate the provision of healthcare services. You may withdraw your consent at any time by contacting us, though this may affect our ability to provide services to you.
  • Health or social care purposes (Art. 9(2)(h) UK GDPR): The processing of your health data is necessary for the provision of healthcare, including the assessment of your suitability for treatment by independent prescribers and the dispensing of medication by our partner pharmacy. This processing is carried out by or under the responsibility of a health professional subject to professional obligations of confidentiality.

4. Access to NHS Records and Your GP

To support safe and effective prescribing, our independent prescribers may need to access your medical history. By using our services, you may be asked to provide your explicit consent for the following:

4.1 Summary Care Record (SCR)

The NHS Summary Care Record is an electronic record of your key health information (including medications, allergies, and adverse reactions) created from your GP medical records. With your explicit consent, our independent prescribers may access your Summary Care Record to:

  • verify information you have provided during the consultation (such as current medications and known allergies);
  • identify potential contraindications, drug interactions, or safety concerns before issuing a prescription; and
  • support safe and clinically appropriate prescribing decisions, particularly for higher-risk medicines or where there is clinical uncertainty.

Access to your SCR will only be sought where clinically necessary and with your explicit consent. You are not obliged to consent, but if you do not, the prescriber may not be able to proceed with prescribing where they determine that SCR access is necessary to make a safe clinical decision.

4.2 Contacting Your GP

With your consent, our independent prescribers may contact your registered GP or other healthcare providers in order to:

  • obtain or verify relevant aspects of your medical history where this is clinically necessary;
  • notify your GP of any treatment or prescription issued to you through our service, to support continuity of care; and
  • make an onward referral where the prescriber considers this appropriate for your safety or wellbeing.

We will ask for your consent before making such contact. If you decline consent, the prescriber will take this into account in their clinical decision-making and may decline to prescribe where they consider that safe prescribing requires access to your medical history or GP communication.

4.3 Legal Basis

The processing of your personal data (including health data) for the purposes of accessing your SCR and contacting your GP is based on:

  • Your explicit consent (Art. 9(2)(a) UK GDPR): We will obtain your specific, informed consent before accessing your SCR or contacting your GP.
  • Health or social care purposes (Art. 9(2)(h) UK GDPR): Such processing is necessary for the provision of healthcare and is carried out by or under the responsibility of a healthcare professional subject to obligations of professional confidentiality.

You may withdraw your consent at any time by contacting us. Withdrawal of consent does not affect the lawfulness of processing carried out prior to withdrawal, and may affect our ability to continue providing services to you.

5. Cookies

Our Website uses cookies and similar technologies to distinguish you from other users, to provide you with a good experience, and to improve our Website. Detailed information about the cookies we use, their purposes, durations, and how to manage your cookie preferences is set out in our separate Cookie Notice.

We recommend that you review the Cookie Notice for full details. In summary, we use the following categories of cookies:

  • Strictly necessary cookies: Required for the operation of our Website (e.g. login, shopping cart).
  • Analytical/performance cookies: Allow us to measure and improve the performance of our Website.
  • Functionality cookies: Enable personalisation and remember your preferences.
  • Targeting cookies: Record your visits and browsing to deliver more relevant advertising.

You can manage your cookie preferences at any time by clicking the cookie settings link on our Website, or through your browser settings. Blocking all cookies may affect the functionality of our Website.

In addition to cookies, we use other similar tracking technologies on our Website, including web beacons (small transparent image files embedded in web pages or emails that allow us to track page views or email opens) and local storage (a browser feature that stores data locally on your device for similar purposes to cookies). These technologies are subject to the same consent requirements as cookies, where applicable.

Please note that some cookies on our Website store personal data about authenticated users, including name, email address, gender, and marketing preferences. This data is processed in accordance with Section 3 of this Privacy Notice and is protected by our cookie consent mechanism. Functionality cookies that store personal data are only placed on your device with your consent.

6. Who We Share Your Information With

6.1 Our Staff

We share your information with our employees and authorised personnel who need access to perform their roles in providing our services to you.

6.2 Healthcare and Service Partners

In order to deliver our services, we share your personal data with the following categories of partners:

  • Independent prescribers: Name, date of birth, gender, contact details, and health data – to facilitate your medical consultation and prescribing decision.
  • Fulfilment pharmacy (currently SignatureRx): Name, address, date of birth, prescription details – to dispense and deliver your medication.
  • Delivery providers: Name and delivery address – to ship your order.

6.3 Third-Party Service Providers

We engage the following categories of third-party service providers who process personal data on our behalf:

6.3.1 Provider: Amazon Web Services (AWS)

Service: Cloud hosting

Data Shared: All data stored on platform

Purpose: Secure data storage and infrastructure

6.3.2 Provider: Stripe / PayPal

Service: Payment processing

Data Shared: Name, email, payment details

Purpose: Processing transactions

6.3.3 Provider: Mailgun

Service: Transactional email

Data Shared: Name, email address

Purpose: Sending service emails

6.3.4 Provider: Bugsnag

Service: Error monitoring

Data Shared: Technical data, anonymised usage data

Purpose: Identifying and resolving errors

6.3.5 Provider: Google Analytics

Service: Website analytics

Data Shared: Anonymised/pseudonymised usage data, IP address

Purpose: Understanding Website usage

6.3.6 Provider: Mixpanel

Service: Product analytics

Data Shared: Pseudonymised usage data

Purpose: Product improvement

6.3.7 Provider: Trustpilot

Service: Customer reviews

Data Shared: Name, email address

Purpose: Collecting customer feedback

6.3.8 Provider: HubSpot

Service: Customer service

Data Shared: Name, email, enquiry details

Purpose: Managing customer support

6.3.9 Provider: Google Ads, Bing Ads, TikTok, Snapchat

Service: Advertising

Data Shared: Pseudonymised identifiers, browsing data (via cookies)

Purpose: Targeted advertising

6.3.10 Provider: Google reCAPTCHA

Service: Security

Data Shared: Technical data, IP address

Purpose: Fraud and abuse prevention

6.3.11 Provider: Cloudflare

Service: Content delivery network (CDN)

Data Shared: Technical data, IP address

Purpose: Website performance and security

6.3.12 Provider: Klarna, Apple Pay, Google Pay, Adyen

Service: Payment processing

Data Shared: Name, email, payment details

Purpose: Additional payment methods

6.3.13 Provider: Algolia

Service: Site search

Data Shared: Search queries, IP address

Purpose: Website search functionality

6.3.14 Provider: Wisepops

Service: Website popups

Data Shared: Browsing data, email (if provided)

Purpose: On-site engagement and offers

6.3.15 Provider: VWO

Service: A/B testing

Data Shared: Pseudonymised usage data, IP address

Purpose: Website optimisation

6.3.16 Provider: Facebook/Meta (Pixel, Custom Audiences)

Service: Advertising and analytics

Data Shared: Pseudonymised identifiers, browsing data (via cookies)

Purpose: Targeted advertising and conversion tracking

6.3.17 Provider: Outbrain, Taboola

Service: Advertising

Data Shared: Pseudonymised identifiers, browsing data (via cookies)

Purpose: Content discovery and advertising

6.3.18 Provider: Google Tag Manager

Service: Tag management

Data Shared: Usage data

Purpose: Tracking and script deployment

6.3.19 Provider: Google Fonts

Service: Font service

Data Shared: IP address

Purpose: Website typography

6.3.20 Provider: Reddit (Reddit Pixel)

Service: Advertising

Data Shared: Pseudonymised identifiers, browsing data (via cookies)

Purpose: Targeted advertising and conversion tracking

6.3.21 Provider: AdRoll

Service: Retargeting and advertising

Data Shared: Pseudonymised identifiers, browsing data (via cookies)

Purpose: Targeted advertising and retargeting

6.3.22 Provider: Microsoft Clarity

Service: Session recording and heatmap analytics

Data Shared: Pseudonymised usage data, session recordings

Purpose: Website optimisation and UX analysis

6.4 Disclosures Required by Law

We may disclose your personal data to third parties where we believe disclosure is:

  • required by law, or in order to comply with judicial proceedings, court orders, or legal or regulatory proceedings;
  • necessary to protect the safety of our employees, our property, or the public;
  • necessary for the prevention or detection of crime, including exchanging information with other organisations for the purposes of fraud protection; or
  • proportionate as part of a merger, business or asset sale, in which case we will inform you and ensure your data continues to be protected.

Further details of whom we share your data with and why are available from our Data Protection Officer.

7. International Transfers of Personal Data

Your personal data is primarily stored and processed within the United Kingdom and the European Economic Area (EEA).

Where we transfer personal data outside of the UK and EEA (for example, where a service provider is based in a third country), we ensure that appropriate safeguards are in place to protect your data. These safeguards include:

  • UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs): We enter into these approved contractual frameworks with recipients of personal data outside the UK/EEA to ensure your data receives an equivalent level of protection.
  • Adequacy decisions: Where the UK Secretary of State or the European Commission has determined that a country provides an adequate level of data protection, we may transfer data to that country without additional safeguards.

You may request further information about the specific safeguards applied to transfers of your data by contacting our Data Protection Officer.

8. How Long We Keep Your Personal Data

We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy legal, regulatory, accounting, or reporting requirements. The specific retention periods depend on the nature of the data and the purpose for which it was collected:

8.1 Medical/health records and prescribing data

  • Retention Period: 10 years from last interaction
  • Reason: Professional and regulatory requirements for medical records retention

8.2 Account and identity data

  • Retention Period: Duration of account plus 6 years
  • Reason: Contractual and legal obligations (including limitation periods)

8.3 Transaction and payment data

  • Retention Period: 7 years from transaction
  • Reason: Tax and accounting obligations

8.4 Marketing preferences and consent records

  • Retention Period: Duration of consent plus 2 years
  • Reason: To demonstrate compliance with consent requirements

8.5 Website analytics and cookie data

  • Retention Period: Up to 26 months
  • Reason: Website improvement and analytics purposes

Where we no longer need your personal data, we will securely delete or anonymise it. If deletion is not immediately possible (for example, because data is held in backup archives), we will securely store the data and isolate it from further processing until deletion is possible.

9. Data Security

We have implemented appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. All information you provide to us is stored on secure servers. Payment transactions are encrypted using SSL/TLS technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our Website, you are responsible for keeping this password confidential.

Unfortunately, the transmission of information via the internet is not completely secure. Although we take all reasonable steps to protect your personal data, we cannot guarantee the security of your data transmitted to our Website; any transmission is at your own risk.

10. Your Rights

Under UK data protection law, you have the following rights in relation to your personal data:

10.1 Right to Be Informed

You have the right to receive clear, transparent, and easily understandable information about how we use your personal data. This privacy notice fulfils that obligation.

10.2 Right of Access

You have the right to request a copy of the personal data we hold about you. We will respond to your request within one month. We will provide your data free of charge, unless your request is manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse the request.

10.3 Right to Rectification

You have the right to request that we correct any inaccurate personal data we hold about you, or complete any incomplete data.

10.4 Right to Erasure

In certain circumstances, you have the right to request that we delete your personal data. This applies where, for example, the data is no longer necessary for its original purpose, you withdraw consent (and we have no other legal basis), you object to processing and there are no overriding legitimate grounds, or we have processed data unlawfully. Please note that we may need to retain certain data to comply with legal or regulatory obligations (for example, medical records).

10.5 Right to Data Portability

You have the right to receive your personal data in a structured, commonly used and machine-readable format, and to request that we transmit it to another controller, where technically feasible. This right applies where the processing is based on consent or contract and is carried out by automated means.

10.6 Right to Object

Direct marketing: You have an absolute right to object to us using your personal data for direct marketing purposes at any time. To opt out, you can click the “unsubscribe” link in any marketing email, or contact us at the details in Section 16. We will stop processing your data for marketing purposes promptly upon receiving your request.

Other processing based on legitimate interests: Where we process your data on the basis of our legitimate interests, you have the right to object. We will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, rights and freedoms, or where the processing is necessary for the establishment, exercise or defence of legal claims.

10.7 Right to Restrict Processing

You have the right to ask us to restrict the processing of your personal data in certain circumstances, including where you contest the accuracy of the data, where processing is unlawful but you do not wish us to delete it, where we no longer need the data but you require it for legal claims, or where you have objected to processing and we are assessing your objection.

11. Automated Decision-Making

Our Website uses online questionnaires as part of the consultation process. The responses you provide are reviewed by an independent prescriber (a qualified healthcare professional) who exercises their own clinical judgement in deciding whether to issue a prescription. The prescriber may request additional information or initiate two-way communication with you where clinically appropriate.

Accordingly, prescribing decisions are not made solely by automated means – they involve meaningful human intervention by a qualified prescriber. We do not engage in solely automated decision-making that produces legal or similarly significant effects on you without human involvement.

We may use automated tools and analytics to personalise the content displayed on our Website (for example, showing relevant products or information). Such personalisation does not produce legal effects or significantly affect you, and you can contact us if you have any questions about this.

12. Video Consultations

We may offer video consultations through our Website. Where you request a video consultation, the following additional processing applies:

After logging in or registering, you may complete the relevant medical questionnaire and provide consent for remote consultation via video.

Your personal data (including name, email address, phone number, and health data communicated during the consultation) will be shared with the independent prescriber conducting the video consultation.

Video consultations are facilitated through a third-party video conferencing provider. The provider processes technical and communication data (such as device information, IP address, name, email address, and phone number) as necessary to deliver the service.

The legal basis for this processing is your explicit consent (Art. 9(2)(a) UK GDPR) for health data, and performance of our contract with you (Art. 6(1)(b) UK GDPR) for other personal data. You may withdraw your consent at any time.

13. Social Media

We maintain profiles on social media platforms including Facebook, Instagram, TikTok, Snapchat, YouTube, Twitter/X, and LinkedIn. When you interact with our profiles on these platforms, the platform operators may process your personal data in accordance with their own privacy policies. We have no control over such processing by the platform operators.

If you contact us through our social media profiles, we will process the data you provide to us in order to respond to your enquiry, on the basis of our legitimate interests (Art. 6(1)(f) UK GDPR).

We encourage you to review the privacy policies of the relevant social media platforms to understand how they process your data.

14. Customer Surveys

From time to time, we may conduct customer surveys to better understand our customers and their needs. Participation in surveys is voluntary. We process the data collected through surveys on the basis of our legitimate interests (Art. 6(1)(f) UK GDPR), namely to improve our services and understand customer preferences. Survey data is deleted once the results have been evaluated, unless you have given separate consent for longer retention.

15. Changes to This Privacy Notice

We may update this privacy notice from time to time. If we make material changes, we will notify you by posting the updated notice on our Website and, where appropriate, by email. The date at the top of this notice indicates when it was last updated. We encourage you to review this notice periodically.

16. Complaints and Contact

If you wish to exercise any of your rights, or if you have any questions or complaints about our collection or use of your personal data, please contact us in the first instance:

By post: Reboost.com UK Limited, 219 Labs Atrium Stables Market, Chalk Farm Road, London, NW1 8AH

By email: support@doktorabc.com

Data Protection Officer: Our data protection officer can be contacted via heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, email: datenschutz@heydata.eu. We have appointed Martin Bastius, c/o heyData GmbH, Schützenstraße 5, 10117 Berlin, email: eu-rep@heydata.eu, as our EU representative.