Privacy Policy

1. Introduction

Bolt Healthcare Ltd ("we", "our", "us", "Fella Health") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, and protect your personal information when you use our website or services.

This policy (together with our Terms of Sale and Service and any other documents referred to in it) sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us. Please read the following carefully to understand our practices regarding your personal data and how we will treat it.

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the data controller is Bolt Healthcare Ltd, ("we", "our", "us", "Fella Health") registered in England and Wales with company number 15149039, with its registered office situated at Unit 15 The Hub Commercial Road, Darwen, England, BB3 0FL.

Our Data Protection Officer can be contacted at help@fellahealth.co.uk

2. Information We May Collect From You

We may collect and process the following data about you:

2.1. Information you give us:

You may give us information about you by filling in forms on our site, by completing questionnaires, by corresponding with us by phone, e-mail or otherwise, or by using our services. This includes information you provide when you:

• Register to use our site
• Create an account
• Complete medical questionnaires
• Submit information to be reviewed by a qualified clinician
• Place an order for products or services
• Subscribe to our services
• Participate in discussion boards or other social media functions on our site
• Enter a competition, promotion or survey
• Report a problem with our site or services

The information you give us may include:

• Identity and Contact Data: your name, address, email address and phone number
• Financial Data: payment card details (though we do not store complete payment card information)
• Health Data: medical history, current health status, medications, allergies, symptoms, lifestyle factors, and other health-related information necessary for our independent clinicians or CQC-registered healthcare providers to assess your condition and provide appropriate care
• Login Data: your login and password details
• Profile Data: your preferences, feedback and survey responses
• Technical Data: information about your visits to our website (see section 2.3)

2.2. Information we collect about you:

With regard to each of your visits to our site we may automatically collect the following information:

• Technical Data: technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, your login information, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform
• Usage Data: information about your visit, including the full Uniform Resource Locators (URL) clickstream to, through and from our site (including date and time); products or services you viewed or searched for; page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page

2.3. Information we receive from other sources:

We may receive or share your personal data with the following types of third parties, where necessary and appropriate, and in accordance with data protection law:

• Your GP or other healthcare providers, with your explicit consent
• Clinicians or prescribers operating independently or under CQC-registered healthcare providers, for the purpose of assessing your suitability for treatment
• Technical service providers, including hosting, analytics, and customer support platforms
• Payment and delivery providers, for processing orders and handling logistics
• Advertising networks and analytics providers, to help us improve and market our services (see Cookie Policy for more)
• Regulators, legal authorities, or health oversight bodies, where legally required or in the public interest
• NHS systems or services, only where integration is available and with your consent (e.g. Summary Care Record access or prescription history)

2.4. Special Categories of Personal Data:

Due to the nature of our services, we process health-related data, which is classified as a ‘special category’ of personal data under the UK GDPR. We only process this data where at least one of the following Article 9 conditions applies:

• You have given explicit consent
• The processing is necessary for the purposes of medical diagnosis, the provision of health or social care or treatment, or the management of health systems and services, and is carried out by a health professional under a duty of confidentiality
• The processing is necessary to protect your vital interests or those of another person where you are physically or legally incapable of giving consent
• The processing is necessary for the establishment, exercise or defence of legal claims

3. Cookies

Our website uses cookies to distinguish you from other users of our website. This helps us to provide you with a good experience when you browse our website and also allows us to improve our site. For detailed information on the cookies we use and the purposes for which we use them see our Cookie Policy.

4. How We Use Your Information

We use information held about you in the following ways:

4.1. Information you give to us:

We will use this information:

• To carry out our obligations arising from any contracts entered into between you and us, including to provide you with the products and services that you request from us
• To facilitate access to healthcare services, including online clinical assessments, prescription services, and ongoing care — delivered by qualified healthcare professionals operating independently or under a CQC-registered provider.
• To assess your suitability for medicines and treatments
• To process your orders and manage your account
• To notify you about changes to our products or services
• To ensure that content from our site is presented in the most effective manner for you and for your device
• To provide you with information about other products and services we offer that are similar to those that you have already purchased or enquired about (if you have consented to this)
• To provide you with information about products or services we feel may interest you (if you have consented to this)
• To allow you to participate in interactive features of our service, when you choose to do so
• To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you (if you have consented to this)
• To comply with our legal and regulatory obligations

4.2. Information we collect about you:

We will use this information:

• To administer our site and for internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes
• To improve our site to ensure that content is presented in the most effective manner for you and for your device
• To allow you to participate in interactive features of our service, when you choose to do so
• As part of our efforts to keep our site safe and secure
• To measure or understand the effectiveness of advertising we serve to you and others, and to deliver relevant advertising to you (where you have consented to this)
• To make suggestions and recommendations to you and other users of our site about products or services that may interest you or them (where you have consented to this)

4.3. Information we receive from other sources:

We may combine information we receive from other sources with information you give to us and information we collect about you. We may use this information and the combined information for the purposes set out above.

5. Legal Basis for Processing

Under the UK GDPR, we must have a lawful basis for processing your personal data. Our lawful bases for processing are:

• Contractual necessity: Processing is necessary for the performance of a contract with you or to take steps at your request before entering into a contract (e.g., to provide you with products you've ordered or services you've requested)
• Legal obligation: Processing is necessary for compliance with our legal obligations (e.g., keeping records for tax purposes or providing information to regulatory bodies)
• Legitimate interests: Processing is necessary for our legitimate interests or the legitimate interests of a third party, provided your interests and fundamental rights do not override those interests (e.g., to improve our products and services)
• Consent: You have given clear consent for us to process your personal data for a specific purpose (e.g., to send you marketing communications or to process your health data)
• Vital interests: Processing is necessary to protect someone's life
• Public task: Processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law

For special category data (such as health data), we rely primarily on:

• Your explicit consent
• The processing being necessary for the purposes of preventive or occupational medicine, medical diagnosis, or the provision of health or social care or treatment
• The processing being necessary for reasons of substantial public interest

6. Disclosure of Your Information

We may share your personal information with:

6.1. Healthcare Professionals and Service Providers:

• Qualified clinicians (such as pharmacist independent prescribers or doctors) who operate independently or under CQC-registered healthcare providers and review your information to determine your suitability for treatment
• Bolt Pharmacy, our GPhC-registered pharmacy, which dispenses medications prescribed through our platform. In some cases, we may use third-party pharmacies to dispense medications, where required for operational, clinical, or delivery reasons
• Delivery companies that deliver products to you
• Payment service providers who process your payments securely on our behalf

6.2. Selected Third Parties:

• Business partners, suppliers and sub-contractors for the performance of any contract we enter into with them or you
• Analytics and search engine providers that assist us in improving and optimizing our site.

6.3. We may disclose your personal information to third parties:

• In the event that we sell or buy any business or assets, in which case we may disclose your personal data to the prospective seller or buyer of such business or assets
• If Bolt Healthcare Ltd. (Fella Health) or substantially all of its assets are acquired by a third party, in which case personal data held by it about its customers will be one of the transferred assets
• If we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our Terms of Sale and Service and other agreements; or to protect the rights, property, or safety of Bolt Healthcare Ltd. (Fella Health), our customers, or others
• To healthcare regulators or other regulatory bodies (such as the GPhC, MHRA, CQC, ICO, or GMC) where we have a legal obligation to do so
• To your GP, NHS services, or other healthcare professionals where necessary for your ongoing care (with your consent, unless there is an overriding public interest or legal requirement)
• To independent clinicians or CQC-registered healthcare providers involved in your treatment, where appropriate and in accordance with data protection law
• To our professional advisors, such as legal, financial, or compliance consultants, where necessary and subject to confidentiality obligations

7. Data Security

We have implemented appropriate security measures to prevent your personal data from being accidentally lost, misused, accessed in an unauthorised manner, altered, or disclosed. In addition, we limit access to your personal data to employees, agents, contractors, and other third parties who have a legitimate business need to know. They will only process your personal data in accordance with our instructions and are subject to a duty of confidentiality.

All information you provide to us is stored on secure servers. Any payment transactions will be encrypted using SSL technology. Where we have given you (or where you have chosen) a password which enables you to access certain parts of our site, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.

Unfortunately, transmitting information over the internet is not entirely secure. While we will do our best to protect your personal data, we cannot guarantee the security of data transmitted to our site; any transmission is at your own risk. Once we receive your information, we will apply strict procedures and security measures to help prevent unauthorised access.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

8. Data Retention

We will retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to meet legal, accounting, or reporting obligations.

For healthcare data, we will retain your records for at least 8 years after your last contact with us, in accordance with NHS records management guidelines and legal requirements.

For non-healthcare related data, different retention periods apply:

• Account information: for as long as you maintain an account with us plus 2 years
• Transaction data: 7 years from the transaction date for tax purposes
• Marketing preferences: until you withdraw consent or 3 years after your last interaction with us

In some circumstances you can ask us to delete your data (see Your Rights below).

In some circumstances, we may anonymise your personal data so that it can no longer be linked to you. In such cases, we may use this information indefinitely for research or statistical purposes without further notice to you.

9. International Transfers

We primarily store and process your personal data within the United Kingdom (UK) and the European Economic Area (EEA). However, in some cases, your data may be transferred to, or accessed from, countries outside the UK or EEA.

Whenever we transfer your personal data internationally, we ensure a similar level of protection is applied by implementing appropriate safeguards, including:

• Transferring to countries that have been deemed to provide an adequate level of data protection by the UK government
• Using Standard Contractual Clauses (SCCs) or UK International Data Transfer Agreements (IDTAs) approved by the Information Commissioner's Office
• For US-based service providers, transferring data only to organisations that are certified under the UK Extension to the EU–US Data Privacy Framework, or otherwise using appropriate safeguards

If you would like further information on the specific mechanisms used by us when transferring your personal data outside the UK or EEA, please contact our Data Protection Officer at **help@fellahealth.co.uk.**

10. Your Rights

Under the UK GDPR, you have various rights in relation to your personal data:

10.1. Right to Access

You have the right to request a copy of the personal data we hold about you.

10.2. Right to Rectification

You have the right to request that we correct any inaccurate or incomplete personal data we hold about you.

10.3. Right to Erasure (Right to be Forgotten)

You have the right to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your information unlawfully or where we are required to erase your personal data to comply with local law.

10.4. Right to Object

You have the right to object to processing of your personal data where we are relying on a legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.

10.5. Right to Restriction of Processing

You have the right to request the restriction or suppression of your personal data in certain circumstances.

10.6. Right to Data Portability

You have the right to request that we transfer your personal data to you or to a third party. We will provide to you, or a third party you have chosen, your personal data in a structured, commonly used, machine-readable format.

10.7. Right to Withdraw Consent

Where we are relying on consent to process your personal data, you have the right to withdraw this consent at any time.

If you wish to exercise any of these rights, please contact our Data Protection Officer at help@fellahealth.co.uk

You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal data (or to exercise any of your other rights). This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

11. Complaints

You have the right to lodge a complaint at any time with the Information Commissioner's Office (ICO), the UK supervisory authority for data protection (www.ico.org.uk). However, we would welcome the opportunity to address your concerns directly before you contact the ICO, so please reach out to us in the first instance.

12. Changes to Our Privacy Policy

We may update this privacy policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. If we make material changes to this policy, we will notify you by email or by posting a notice on our website prior to the change becoming effective. We encourage you to periodically review this page for the latest information on our privacy practices.

The date of the last update to this policy will be displayed at the top of the page. Your continued use of our services after any changes to this privacy policy constitutes your acceptance of the new terms.

13. Third-Party Links and Services

Our website may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy policy of every website you visit.

14. Children's Privacy

Our services are not intended for individuals under 18 years of age, and we do not knowingly collect personal data from children. If you are a parent or guardian and believe that your child has provided us with personal data, please contact us, and we will take steps to delete such information.

15. Marketing Communications

We may use your Identity, Contact, Technical, Usage and Profile Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which products, services, and offers may be relevant for you.

You will receive marketing communications from us if you have requested information from us or purchased products or services from us or if you provided us with your details when you entered a competition or registered for a promotion and, in each case, you have not opted out of receiving that marketing.

You can ask us to stop sending you marketing messages at any time by following the opt-out links on any marketing message sent to you or by contacting us at any time.

16. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact our Data Protection Officer:

Email: help@fellahealth.co.uk Post: Unit 15 The Hub Commercial Road, Darwen, England, BB3 0FL.Phone: +447897025580

17. Effective Date

This Privacy Policy is effective as of April 14, 2025

‍