Last Updated: 01/2024
Gaia Fertility Ltd. (“Gaia”, “we”, “our”) is committed to protecting the privacy and security of the personal data we collect about end customers and users of our services (“you/your”).
- Create an account on our website;
- Speak to our advisor;
- Enquire about our products;
- Request marketing to be sent to you;
- Give us feedback or contact us;
- Provide us with a scan of your document if this is required for “know your customer” or anti-money laundering purposes;
- Interact with our website;
- Contact us, including for assistance or sending feedback;
- Request information about a clinic;
- Receive treatment at one of Gaia’s partner clinics;
- Complete our customer surveys, and
- Browse the internet while on our website.
This notice provides you with information about your rights and obligations and explains how, why and when we collect and process your personal data.
We take personal data seriously. Anything containing personally identifiable information is kept safe and we have put in place appropriate technical and other security measures to protect it. We need to collect certain types of information to allow us to make a decision on your request for financial and insurance products. We also need to comply with legal and regulatory requirements relating to anti-fraud, anti-money laundering, know your customer and responsible lending obligations.
We will only collect the information we need to be able to provide you with the service you have requested. You need to make sure that the information you provide is accurate, complete, and not misleading. Your personal information may need to be disclosed when we are obliged to by law, for purposes of national security, taxation, defence of a legal claim or criminal investigations.
We also collect data from third-parties (see the ‘Third parties we collect personal data from’ below). When we do this, we are the data controller. Our website may contain hyperlinks to websites that are not operated by us. We urge you to review any privacy policies posted on any site you visit before using the site or providing any personal information about yourself.
Who are we?
We are Gaia Fertility Ltd.
Our registered office is at Great Western Studios, 65 Alfred Rd, London W2 5EU, UK.
We are registered in England and Wales under company number 12009812.
We are registered on the Information Commissioner’s Office (ICO) Register under number ZA788761.
We can be contacted:
- By post at 65 Alfred Road, London, W2 5EU
If you want to contact us about anything data privacy related, you can do so at email@example.com
We have also appointed an external data protection officer (DPO) and their details are as follows:
Leylands Business Park
Phone: +44 (0)333 050 0111
Email: firstname.lastname@example.org (Please mark your communications ‘FAO the Data Protection Officer’)
- Member is a person who has signed a Gaia Membership agreement
- Visitor is a person who has visited Gaia website
What is personal data?
‘Personal data’ is any information from which you can be identified, either directly or indirectly. For example, your name or an online identifier.
‘Special category personal data’ is more sensitive personal data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.
What personal data do we collect?
We collect, use and are responsible for certain personal data about you. When we do so we are subject to the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
The personal data we collect about you depends on the purpose for which you engage with us. We may collect and use the following data about you:
- Identity - full name, marital status, title, date of birth,and partner details if applicable.
- Contact - address, email address, telephone number(s), Gaia profile data.
- Financial - bank account and payment card details.
- Transaction - details about payments to and from you.
- Usage - details about how you use our website.
- Marketing and Communications - your preferences in receiving marketing from us and your communication preferences.
- Technical - internet protocol (IP) address, Gaia log in details, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this website
- Medical - Health and Lifestyle data, see “Special Category Personal Data” below.
Special Category Personal Data
Sometimes we will request or receive Personal Information that is sensitive due to its nature, and we call this “Special Category of Personal Data”. The types of Special Categories of Personal Data Information that we hold, and process include:
- Health and lifestyle data – including details of pre-existing or past medical conditions, your family medical history, details regarding appointments and consultations with medical professionals, diagnoses, medical records, whether you do or have ever smoked, details regarding alcohol consumption.
Conditions for processing special category data
We will only process this data with explicit consent from the user. We may collect this data and your explicit consent, either before or after entering a contract and providing The Gaia Plan. Additionally, where we collect additional sensitive health and lifestyle data throughout the course of your engagement with us, we will always ensure that we have your explicit consent to do so.
Purposes for which we use personal data and the legal basis
When providing services to you, we may use your personal data for the following purposes and on the following lawful bases:
Where personal data is processed because it is necessary for the performance of a contract to which you are a party, we will be unable to provide our services without the required information.
Profiling and automated decision-making
We rely on automated decision-making, including profiling, to work out whether we are able to provide you with a Gaia Plan and to calculate the amount of premium that you will need to pay. This will be based on the health information and medical history that you provide us, including details of your BMI (which is calculated using your height and weight), age and any fertility conditions.
This means that our systems could decide that you don't meet the acceptance criteria that we use to offer you a Gaia Plan. If we notify you that we are not able to offer you a Gaia Plan and you believe that this decision should be contested, please contact us at email@example.com. If you would like us to, we can explain how we reached the decision and, if we deem it appropriate, we can manually check an automated decision.
Sharing your data and third parties
Third parties assist us in our marketing efforts, to deliver our products to you and in the provision of our services. The type of information shared will depend on the third party: it can be identity, contact, financial, transaction, usage, marketing & communications, technical and health & lifestyle, but will be limited to what is strictly necessary.
We only allow third parties to handle your personal data if we are satisfied, they take appropriate measures to protect your personal data. We also impose contractual obligations on our service providers, to ensure they can only use your personal data to provide services to us and to you.
We may disclose your personal data to law enforcement agencies and regulatory bodies to comply with our legal and regulatory obligations.
We may also need to share some personal data with other parties, such as potential buyers of some or all of our business or during a restructuring. Usually, data will be anonymised but this may not always be possible. The recipient of the data will be bound by confidentiality obligations.
The third parties we currently rely on or with whom we share personal data
Gaia uses the accounting service Xero. You can read more about how Xero uses your Personal Information in their privacy notice: https://www.xero.com/uk/legal/privacy/
Aircall is a telecom company offering a cloud-based phone system which we use for communicating with our customers. You can read more about how Aircall uses your Personal Information in their privacy notice: https://aircall.io/privacy/
Amazon Web Services (AWS)
AWS is an industry-standard cloud service provider which we build our platform on and provide our web services through. You can read more about how AWS uses your Personal Information here: https://aws.amazon.com/privacy/
We use the Llyod’s brokers Guy Carpenter and Aon UK Limited to distribute our insurance product. You can read more about how Guy Carpenter and Aon uses your Personal Information in their privacy notices: https://www.guycarp.com/company/about/privacy-policy.html and https://www.aon.com/unitedkingdom/privacy.jsp
Calendly is a meeting scheduling automation platform. You can read more about how Calendly uses your Personal Information and Calendly’s activities in their privacy notice: https://calendly.com/privacy
We use Docusign for sending and signing our membership agreements and other legal contracts. You can read more about how Docusign uses your Personal Information in their privacy notice: https://www.docusign.com/privacy/
We collect financial information and results of “politically exposed persons” or sanction checks received from the credit bureau Experian. Our sanctions check, credit check and affordability check processes include sharing and obtaining data from Experian.
You can read more about how Experian uses your Personal Information here and Experian’s activities in their privacy notice: https://www.experian.co.uk/privacy/privacy-policies.
Fintern is your loan originator for treatment costs repayment if you have a child. You can read more about how Fintern uses your Personal Information and Fintern’s activities in their privacy notice: https://fintern.ai/privacy
Fivetran is a data ingestion tool that connects with multiple sources of data. You can read more about how Fivetran uses your Personal Information in their privacy notice: https://www.fivetran.com/legal/privacy
Google Analytics allows us to see how users are finding out about Gaia and if our use of social or paid campaigns are working to draw users to sign up to our platform.
You can read more about how Google uses your Personal Information here: https://www.google.com/intl/en/policies/privacy/. You can also opt-out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.
Google Cloud Services
Google Cloud Services is a suite of cloud computing services that provides a series of modular cloud services including computing, data storage, data analytics and machine learning. You can read more about how GCS uses your Personal Information here: https://cloud.google.com/security/privacy
Hex is a tool used for data science analysis. You can read more about how Hex uses your Personal Information in their privacy notice: https://learn.hex.tech/docs/security/privacy-policy
We use Hubspot to manage all communication with our potential and existing members. You can read more about how Hubspot uses your Personal Information in their privacy notice: https://legal.hubspot.com/privacy-policy
Chaucer Group, Beazley Furlonge Ltd and other insurance market participants help us provide you an insurance cover. When you give us your consent to the use of your personal information and your partner’s, if applicable, we might share data with the insurers to issue you an insurance policy in connection with your Gaia Plan. You do not have to give your consent and you may withdraw your consent at any time. However, if you do not give your consent, or you withdraw your consent, this may affect our ability to provide the insurance cover from which you benefit and may prevent the provision of cover for you or handling your claims. You can read more about how Chaucer and Beazley uses your Personal Information in their privacy notices: https://www.chaucergroup.com/privacy-cookie-policy and https://www.beazley.com/en-001/privacy-and-cookies-statements.
Looker is a data visualisation tool used to analyse Gaia’s business. You can read more about how Looker uses your Personal Information in their privacy notice: https://www.looker.com/trust-center/privacy/policy/
Mixpanel allows us to see what pages visitors on our website and app visit. You can read more about how Mixpanel uses your Personal Information in their privacy notice: https://mixpanel.com/legal/privacy-policy/
Money services providers
Gaia uses different banks, money services providers and payment processors: GoCardLess, HSBC, Revolut, Stripe and Wise. You can read more about how they use your Personal Information in their privacy notices:
- GoCardLess: https://gocardless.com/privacy/
- HSBC: https://www.hsbc.co.uk/content/dam/hsbc/gb/pdf/privacy-notice-full.pdf
- Revolut: https://www.revolut.com/legal/privacy/
- Stripe: https://stripe.com/fr-gb/privacy
- Wise: https://wise.com/gb/legal/global-privacy-policy-en
If you have chosen a clinic, we may share your identity with the clinic to confirm you are registered with the clinic. If you haven’t chosen a clinic, we might share your contact details with a partner clinic so that they can arrange an initial consultation with you. We will check with you before we do this. We will also share data with the clinic where you have treatment. This data might include medical data, identity and contact information. We will only share medical data with your treatment clinic where we have your explicit consent to do so.
Prefect is a data orchestration tool used for data pipelines. You can read more about how Prefect uses your Personal Information in their privacy notice: https://www.prefect.io/legal/privacy-policy/
Snowflake is a cloud based database, used for storing data. You can read more about how Snowflake uses your Personal Information in their privacy notice: https://www.snowflake.com/privacy-policy/
We collect financial information and results of “politically exposed persons” or sanction checks received from the credit bureau TransUnion. Our sanctions check, credit check and affordability check processes include sharing and obtaining data from TransUnion.
You can read more about how TransUnion uses your Personal Information here and TransUnion’s activities in their privacy notice: https://www.transunion.co.uk/legal-information/bureau-privacy-notice
Typeform is an online software service that specialises in online form and survey building.
You can read more about how Typeform uses your Personal Information here: https://admin.typeform.com/to/dwk6gt/
Vercel provides infrastructure to easily deploy, distribute and host web applications. You can read more about how Vercel uses your Personal Information in their privacy notice: https://vercel.com/legal/privacy-policy
Webflow hosts our marketing website. You can read more about how Webflow uses your Personal Information in their privacy notice: https://webflow.com/legal/privacy
Zapier is a service that integrates various web applications into one platform.
You can read more about how Zapier uses your Personal Information here:
International Transfers of Personal Data
To provide products and services to you, it is sometimes necessary for us to share your personal data outside the UK and EEA, for example, with our service providers located outside the UK.
We may also send your data outside of the UK and EEA upon your data portability request, to comply with legal and regulatory duties, and to work with our agents and advisers that runs your accounts and services.
We have taken appropriate steps to ensure that the Personal Data processed outside the UK has an essentially equivalent level of protection to that guaranteed in the UK. We do this by ensuring that:
- Your Personal Data is only processed in a country which the Secretary of State has confirmed has an adequate level of protection (an adequacy regulation), or
- We enter into an International Data Transfer Agreement (“IDTA”) with the receiving organisation and adopt supplementary measures, where necessary.
Cookies and Analytical Tools
How long we keep your data
We will retain your personal data for as long as is necessary to provide you with our services and for a reasonable period thereafter to enable us to meet our contractual and legal obligations and to deal with complaints, litigation and claims.
After your relationship with Gaia ends, we may keep your data for the following scenarios:
- To respond to any queries or complaints;
- To show that we have acted and treated you fairly;
- To maintain records according to rules and regulations that apply to us.
At the end of the retention period, we may also retain data for a longer period, and your personal data will be securely deleted or anonymised, for example by aggregation with other data, so that it can be used in a non-identifiable way for statistical analysis and business planning. The retention period of your personal data may need to be extended where we require this to bring or defend legal claims.
Data Analysis and Research
Gaia will anonymise your information for health-related studies, or research or evaluation in which Gaia will participate. The types of data which may be used for analysis and research purposes include details about a patient (e.g. age, cause of infertility, lifestyle), lab results (e.g. blood test results, hormonal levels), information about cycle planning, the cycle itself, the stimulation phase and egg collection (e.g. stimulation treatment, number of follicles, number of collected eggs), information about embryology and the embryo transfer, results of ultrasound scans, and details about the success or otherwise of a pregnancy.
Once information is truly anonymised, it does not relate to a person and it is impossible to identify a person from that data. As a result this type of information falls outside data protection laws.
The purposes for which Gaia will use this analysis and research information are:
- To report on Gaia’s performance based on statistical studies (e.g., pregnancy rate, birth rate, etc.). Any reporting information will be aggregated, and it will never be possible to identify you from this.
- Improve Gaia’s services to you.
Both when you enter our site or sign up as a user, we will confirm that you have opted into our services. Any electronic marketing communications we send you will include clear instructions to follow should you wish to unsubscribe at any time.
You may also amend your contact preferences by emailing us at firstname.lastname@example.org.
How we protect your data
We are committed to ensuring that your information is secure. Appropriate security measures are in place to protect against loss, misuse, unauthorised disclosure, destruction, or alteration of information collected from you, including measures to prevent, as far as possible, access to our databases by parties other than Gaia.
We adopt the following technical and organisational measures to protect your personal data:
- Limit access to your personal information to those who have a genuine business need to know it. Those accessing and processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
- Have policies and procedures in place regarding treating personal data lawfully and appropriately, including a procedure to deal with any suspected data security breach. We will also notify you and the ICO of a suspected data breach where we are legally required to do so.
- Backups of information.
- Data protection training for staff.
- Encryption of personal data.
- Anonymisation of personal data.
Secure Online Services
You can easily identify secure websites by looking at the address in the top of your browser which will begin https:// rather than http://.
Your rights and options
You have certain rights in relation to the processing of your personal data, including to:
- Request access to your personal data (commonly known as a “Subject Access Request”). This enables you to receive a copy of the personal data we hold about you.
- Request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).
- Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. If you object to us using your personal data for marketing purposes we will stop sending you marketing material.
- Request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of your personal data, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal data to another party (data portability).
- Automated decision-making. You have the right not to be subject to a decision based solely on automated processing which will significantly affect you.
Right to withdraw consent
In the circumstances where you may have provided your consent to the processing of your personal data for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we are permitted by law to do so.
You will not have to pay a fee to access your personal data (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
If you wish to exercise your rights, please contact us at email@example.com and we’ll respond within 30 days. We will assess your request and if we decide not to act upon it or place certain restrictions on it, we will inform you of our reasons for this.
We may need to request specific information from you to help us confirm your identity before we can process a request from you to exercise any of the above rights. This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
You can also lodge a complaint with the Information Commissioner’s Office. They can be contacted using the information provided at: https://ico.org.uk/concerns/. Their address is: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. They can be contacted by phone on 0303 123 1113 (local rate) or 01625 545745 if you prefer to use a national rate number.
For further information on each of those rights, including the circumstances in which they apply, see the Guidance from the UK Information Commissioner’s Office (ICO) on individuals rights under the General Data Protection Regulation. You can find details on how to report a concern at: https://ico.org.uk/make-a-complaint/.
For more information about our privacy practices, if you have questions, or if you would like to make a complaint, please contact us by e-mail at: firstname.lastname@example.org.
Changes to this privacy notice
We may update this notice (and any supplemental privacy notice), from time to time in order to reflect, for example, changes to our practices or for other operational, legal or regulatory reasons. Updated versions of this policy will be posted on our website. We will notify you by email if there are significant changes to this policy.