Last updated: 27 April 2026

Contents

  1. Our Commitment to Protecting Your Personal Data
  2. About Us
  3. How to Contact Us
  4. Changes to This Privacy Policy
  5. Our Lawful Bases for Processing Your Data
  6. Personal Data We May Collect About You
  7. How We Collect Your Information
  8. The Purposes for Which We Use Your Data
  9. How We Use and Disclose Your Health Information
  10. Our Legal Duties to Maintain the Privacy of Your Health Information
  11. Your Rights in Relation to Your Health Information and How to Exercise Them
  12. Data Security
  13. Third Parties With Whom We Share Your Data
  14. International Transfers
  15. How Long We Keep Your Information
  16. Your Rights in Relation to Your Personal Data
  17. Cookies
  18. Other Information
  19. Complaints and How to File One

1. Our Commitment to Protecting Your Personal Data

At trimu, we are committed to respecting and protecting your privacy. This Privacy Policy explains:

  • Who we are and how to contact us
  • What personal data we collect about you, and how we collect it
  • Why we process your personal data (our purposes) and the lawful bases for doing so
  • How we use and disclose your health information (sometimes referred to as Protected Health Information or PHI)
  • Who we share your data with, how long we retain it, and any international transfers
  • Your rights in relation to your personal data and your health information, and how to exercise them
  • Our legal duties to maintain the privacy and confidentiality of your health information
  • How to make a complaint

We take your privacy extremely seriously. As a CQC-registered healthcare provider, we handle sensitive personal and medical information and are committed to protecting it to the highest standards.

We align our data protection practices with:

  • The UK General Data Protection Regulation (UK GDPR)
  • The Data Protection Act 2018 (DPA 2018)
  • The Privacy and Electronic Communications Regulations 2003 (PECR)
  • The common law duty of confidentiality and the Caldicott Principles
  • GPhC standards for pharmacy professionals
  • CQC fundamental standards
  • NHS and healthcare data security principles (where applicable)

When we use the term “personal data” we mean any information that can be used to identify you as an individual, directly or indirectly. When we use the terms “health information” or “Protected Health Information (PHI)” in this policy, we mean any personal data that relates to your physical or mental health, the healthcare services we provide to you, or any payment for those services. Under UK law, this is treated as “special category data” and receives additional legal protection.

All personal data, including your health information, is:

  • Encrypted at rest and in transit
  • Stored securely within systems under our control
  • Never sold
  • Never transmitted outside of our control without a lawful basis

2. About Us

Trading name: trimu Company name: AO Health Ltd Company number: 16472317 Registered in: England and Wales

ICO registration number: ZB930745 GPhC number: 1037748 CQC registration number: 1-26726129808

Registered office: Unit 1, Dragonville Industrial Park, Dragon Lane, Durham, DH1 2XJ

Dispensing pharmacy: Blue House Pharmacy, 1 Heworth Road, Concord, Washington, NE37 2PY

Throughout this Privacy Policy, “we”, “us” and “our” refer to AO Health Ltd trading as trimu. We are a UK-based online pharmacy and healthcare provider registered with the General Pharmaceutical Council (GPhC) and the Care Quality Commission (CQC), and we comply with all applicable UK data protection and healthcare regulations.

Our Services

When you become a patient of trimu, you are likely to use one or more of our services, including:

  • The trimu website (trimu.com)
  • Online clinical consultations
  • Prescription and dispensing services via our partner pharmacy, Blue House Pharmacy
  • Ongoing clinical support and monitoring

3. How to Contact Us

We provide a range of contact addresses so you can reach the right team quickly. For any privacy, data protection, or health information matter, please use the addresses below.

Privacy, data protection, and your rights

Clinical, safeguarding and general support

Other contact addresses

By post

Data Protection, AO Health Ltd, Unit 1, Dragonville Industrial Park, Dragon Lane, Durham, DH1 2XJ

Our Data Protection lead is responsible for overseeing how we handle your personal data and your health information. If you would like to raise a matter directly with our Data Protection lead, please email [email protected] and mark your message for their attention.

If you have concerns about how we process your personal data that we cannot resolve, you have the right to contact the Information Commissioner’s Office (ICO):

Website: https://ico.org.uk/make-a-complaint/ Telephone: 0303 123 1113


4. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by a prominent notice on our website. The latest version will always be available at trimu.com/privacy-policy.

Please inform us at [email protected] if your personal details change during your relationship with us, so we can keep your information accurate and up to date.


5. Our Lawful Bases for Processing Your Data

Under the UK GDPR, we must have a lawful basis for processing your personal data. The lawful bases we rely on are:

  • Consent – you have given us clear permission to process your data for a specific purpose
  • Contract – processing is necessary to fulfil a contract with you or to take steps before entering into one
  • Legal Obligation – processing is necessary for us to comply with the law
  • Legitimate Interest – processing is necessary for our legitimate business interests, provided these do not override your rights
  • Vital Interests – in rare cases, processing is necessary to protect someone’s life

Special Category Data

When we process special category data (such as your health information / PHI), we will only do so where we have an additional lawful basis under Article 9 of the UK GDPR, such as:

  • Explicit Consent – you have given explicit permission for us to process sensitive data (Article 9(2)(a))
  • Provision of Healthcare – processing is necessary for the provision of health or social care, or the management of health or social care systems (Article 9(2)(h))
  • Public Health – processing is necessary for reasons of public interest in the area of public health, including pharmacovigilance (Article 9(2)(i))

Our legal obligations in relation to healthcare include requirements set by the General Pharmaceutical Council (GPhC), Care Quality Commission (CQC), Medicines and Healthcare products Regulatory Agency (MHRA), the Health and Social Care Act 2008, and the Human Medicines Regulations 2012.

If you do not provide the information we need to deliver healthcare services, we may not be able to provide treatment to you.


6. Personal Data We May Collect About You

Personal Data

Personal data is any information that can be used to identify you. This includes:

  • Full name, surname, and username
  • Contact information such as email address, telephone number, and postal address
  • Date of birth, age, and gender
  • GP details

We also process technical and marketing information when you visit our website:

  • Technical information such as your IP address, browser type and version, time zone setting, operating system, and device information
  • Usage data such as pages viewed, links clicked, page response times, and how you navigate our website
  • Marketing data such as your preferences for receiving communications from us

Special Category Data (Health Information / PHI)

Special category data is more sensitive information that requires additional legal protection. The health information we hold about you (sometimes referred to as Protected Health Information or PHI) may include:

  • Health information, including your physical and mental health, medical history, current medications, allergies, GP or hospital visits, and your responses to our online consultations
  • Information about your ongoing care by other healthcare professionals
  • Consultation notes, prescriptions issued, clinical decisions and outcomes
  • Adverse event and side-effect reports relating to medicines we have supplied to you
  • Images of formal identification documents
  • Information about your sex life (where clinically relevant to the treatment you are seeking)

Account and Transaction Data

  • Account login details and order history
  • Consultation history and communications with us
  • Payment method details (processed securely by third-party payment providers)
  • Transaction references

We do not store full card details.

We do not knowingly collect the data of children. You must be at least 18 years old to use our services.


7. How We Collect Your Information

Directly From You

We collect data when you:

  • Complete one of our online consultations or questionnaires
  • Create an account or subscribe to communications
  • Place an order or purchase products or services
  • Contact us by email, phone, live chat, or through our website
  • Provide feedback or take part in surveys
  • Provide identification documents for verification

From Our Website

  • Cookies and similar tracking technologies (see our Cookies Policy)
  • Your marketing and communication preferences
  • Technical and usage data collected automatically when you visit our site

From Third Parties

  • Identity verification providers (where used)
  • Our dispensing pharmacy (Blue House Pharmacy)
  • Payment service providers
  • Analytics service providers
  • Your GP or other healthcare professionals (where you consent or where patient safety requires it)

8. The Purposes for Which We Use Your Data

The tables below set out the purposes for which we process your information, together with the lawful bases for doing so.

When You Use Our Website

ActivityPurposeData CollectedLawful Basis
Creating an account or placing an orderTo fulfil your request for services and administer your accountName, email, phone number, postal addressContract; Legitimate Interest
Marketing communicationsTo inform you about our products and servicesEmail address, phone numberConsent (soft opt-in exemption)
Website analyticsTo improve our website and understand how it is usedIP address, pages visited, browser type, device informationConsent; Legitimate Interest
Identity verificationTo confirm your identity and prevent fraudName, date of birth, address, formal identificationLegal Obligation

When You Complete a Consultation or Receive Treatment

ActivityPurposeData CollectedLawful Basis
Online health questionnaireTo assess your suitability for treatmentHealth information including conditions, medications, allergies, weight, heightLegal Obligation; Provision of Healthcare; Explicit Consent
Clinical consultation reviewTo make prescribing decisionsHealth information, consultation responses, GP details, current medicationsLegal Obligation; Provision of Healthcare
Sharing information with your GPTo ensure safe prescribing and continuity of care (where you consent or where patient safety requires it)Electronic patient recordLegal Obligation; Provision of Healthcare
Adverse event reportingTo comply with pharmacovigilance obligationsHealth information, details of adverse reactionLegal Obligation

When You Make a Purchase or Transaction

ActivityPurposeData CollectedLawful Basis
Processing a paymentTo complete your transactionPayment card information, billing addressContract; Legal Obligation
Service communicationsTo provide important information about your order or treatmentName, email, phone number, postal addressContract; Legitimate Interest
Feedback and researchTo improve our products and servicesName, email, feedback responsesLegitimate Interest

When You Contact Us

ActivityPurposeData CollectedLawful Basis
Query or complaintTo manage and resolve your query or complaintName, email, contact details, correspondence recordsContract; Legitimate Interest
Individual rights requestTo verify your identity and fulfil your requestDate of birth, contact details, formal identificationLegal Obligation

9. How We Use and Disclose Your Health Information

This section explains how we may use and disclose your health information (also referred to as Protected Health Information or PHI). We only use and disclose your health information where we have a lawful basis to do so under UK data protection law and where doing so is consistent with our duty of confidentiality as a healthcare provider.

Uses and Disclosures for Your Treatment

We use and disclose your health information to provide you with safe, appropriate care, including:

  • Reviewing your online consultation and assessing your suitability for treatment
  • Making prescribing decisions and issuing prescriptions
  • Sharing relevant clinical information with our partner dispensing pharmacy (Blue House Pharmacy) so your medication can be dispensed and delivered
  • Sharing information with our GMC-registered prescribers and GPhC-registered pharmacists who form part of your clinical care team
  • Following up with you about your treatment, including monitoring outcomes, side effects, and ongoing suitability
  • Coordinating care with your GP or other healthcare professionals, where you have consented or where patient safety requires it

Uses and Disclosures for Payment

We use and disclose limited information to obtain payment for the services you receive, including:

  • Processing payments through secure third-party payment providers
  • Confirming eligibility for payment plans or instalment options
  • Resolving billing queries and refunds

We do not share full clinical detail with payment providers – only the information necessary to take payment.

Uses and Disclosures for Healthcare Operations

We may use and disclose your health information to operate our service safely and to the standard required of a CQC-registered provider, including:

  • Quality assurance, clinical audit, and case review
  • Complaints handling and investigation
  • Training of clinicians (using anonymised or pseudonymised information wherever possible)
  • Risk management, incident investigation, and patient safety reviews
  • Internal reporting to our Caldicott Guardian, Information Governance lead, and Data Protection lead
  • Detecting and preventing fraud or misuse of our services

Disclosures Required or Permitted by Law

We may use or disclose your health information without your consent where we are required or permitted to do so by law, including:

  • Reporting suspected adverse drug reactions to the MHRA under the Yellow Card scheme
  • Reporting notifiable diseases or public health risks to UK public health authorities
  • Responding to lawful requests from regulators (including the CQC, GPhC, MHRA and ICO), the police, courts, or government bodies
  • Safeguarding disclosures where there is a serious risk of harm to you or to another person
  • Cooperating with coroners, fatal accident inquiries, or other legal proceedings

Disclosures You Authorise

We will disclose your health information to other people or organisations where you have given us clear authorisation to do so. Examples include:

  • Sending a copy of your records to a named individual, such as a family member or carer
  • Sharing information with another healthcare provider you have asked us to coordinate with
  • Providing information to an insurer, employer, or solicitor at your request

You can withdraw your authorisation at any time by contacting [email protected]. Withdrawal will not affect any disclosures we have already made in reliance on your authorisation.

Uses and Disclosures We Will Not Make Without Your Explicit Consent

We will not use or disclose your health information for the following purposes unless you have given us explicit consent:

  • Marketing communications that involve your health information
  • Sale of your information (we do not sell your personal data under any circumstances)
  • Research that uses information that could identify you (where research uses anonymised data, separate consent is not required)

10. Our Legal Duties to Maintain the Privacy of Your Health Information

As a CQC-registered healthcare provider and a GPhC-registered pharmacy, we have specific legal and professional duties to maintain the privacy and confidentiality of your health information. We take these duties seriously and they apply to every member of our team and to every third party we work with.

Specifically, we are required to:

  • Maintain the privacy and security of your personal data, including your health information / PHI, in line with the UK GDPR and the Data Protection Act 2018
  • Provide you with this notice describing our legal duties and privacy practices in relation to your health information
  • Abide by the terms of this notice that are currently in effect at the time of any use or disclosure of your health information
  • Notify you and, where required, the Information Commissioner’s Office of any personal data breach affecting your information without undue delay, and within 72 hours of becoming aware of it where the breach is likely to result in a risk to your rights and freedoms
  • Uphold the common law duty of confidentiality and the Caldicott Principles, which together govern the use of confidential patient information in the UK
  • Comply with the professional standards set by the General Pharmaceutical Council (GPhC) for pharmacy professionals and the standards set by the General Medical Council (GMC) for prescribing clinicians
  • Comply with the fundamental standards of care set by the Care Quality Commission (CQC), including standards relating to good governance and the safe handling of records
  • Comply with relevant healthcare legislation, including the Health and Social Care Act 2008, the Human Medicines Regulations 2012, and the requirements of the Medicines and Healthcare products Regulatory Agency (MHRA)
  • Train our staff in information governance and data protection, and ensure they only access health information on a need-to-know basis
  • Put written contracts in place with any third party we ask to process your health information on our behalf, requiring them to apply equivalent standards of security and confidentiality

We reserve the right to change the terms of this notice and our privacy practices. If we make a material change, we will notify you and post the updated notice on our website. The new terms will apply to all health information we hold, including information we created or received before the change.


11. Your Rights in Relation to Your Health Information and How to Exercise Them

You have specific rights in relation to the health information we hold about you. This section explains those rights and how to exercise them. These rights apply in addition to your general data protection rights set out in section 16.

Right to be Informed

You have the right to be told, in clear and plain language, what health information we collect about you, why we collect it, how we use and share it, and how long we keep it. This Privacy Policy is the main way we provide this information to you. You will also be given specific information at the point you complete a consultation or place an order.

Right to Inspect and Access Your Records

You have the right to inspect and obtain a copy of the health information we hold about you. This is sometimes called a Subject Access Request.

To exercise this right:

  • Email [email protected] with the subject line “Subject Access Request”
  • Tell us what information you would like (for example, your full record, a specific consultation, or a specific time period)
  • Provide proof of identity so we can confirm we are sending information to the right person

We will respond within one calendar month. There is no fee for the first request. We may charge a reasonable administrative fee, or refuse, where a request is manifestly unfounded or excessive (for example, repetitive requests for the same information).

Right to Request Amendment of Your Records

If you believe any of the health information we hold about you is inaccurate or incomplete, you have the right to ask us to correct it.

To exercise this right:

  • Email [email protected] with the subject line “Request to Amend Records”
  • Tell us which information you believe is inaccurate or incomplete
  • Tell us what the correct information should be, and provide any supporting evidence you have

We will review your request and respond within one calendar month. Where we agree the information is inaccurate, we will correct it. Where a clinical record reflects a clinical judgement made at the time, we may not be able to delete or rewrite it; instead, we will add a note to the record reflecting your view. We will tell you in writing if we cannot make the change you have asked for, and why.

Right to Request a Copy of Your Records (Data Portability)

Where we process your information by automated means and on the basis of your consent or a contract, you have the right to ask us to provide a copy of that information in a structured, commonly used, machine-readable format. We can also send the information directly to another provider where this is technically feasible.

To exercise this right, email [email protected] with the subject line “Data Portability Request”.

Right to Restrict Processing

You have the right to ask us to limit how we use your health information in certain circumstances – for example, while we investigate a request to amend your records, or where you have objected to processing and we are considering whether our legitimate grounds override yours.

To exercise this right, email [email protected] with the subject line “Request to Restrict Processing”.

Right to Object to Processing

You have the right to object to our use of your information for direct marketing at any time, and we will stop using your information for that purpose immediately. You also have the right to object to other processing where we rely on legitimate interests.

To exercise this right, email [email protected] with the subject line “Objection to Processing”.

Right to Erasure (“Right to be Forgotten”)

You have the right to ask us to delete the health information we hold about you. This right is not absolute. Because we are a regulated healthcare provider, we are legally required to retain certain clinical records for set periods (see section 15 on retention). Where we cannot delete information, we will tell you which information we are required to keep and for how long.

To exercise this right, email [email protected] with the subject line “Erasure Request”.

Right to Withdraw Consent

Where we rely on your consent to process your health information, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. To withdraw consent, email [email protected].

Right to Request Confidential Communications

You have the right to ask us to communicate with you about your health information in a particular way or at a particular address – for example, sending letters to a different postal address, or contacting you only by email. We will accommodate reasonable requests.

To exercise this right, email [email protected].

Right Not to Be Subject to Solely Automated Decision-Making

You have the right not to be subject to a decision that has a legal or similarly significant effect on you and that is based solely on automated processing. All clinical decisions about your treatment at trimu are reviewed by a human prescriber before any prescription is issued.

Identity Verification

Before we act on any of the requests above, we will need to confirm your identity. This protects your information from being released to someone who is not entitled to receive it. We may ask you to provide proof of identity such as a copy of a photo ID.

Helping Someone Else Exercise Their Rights

If you are exercising rights on behalf of another person (for example, as a carer, parent of a child where lawful, or under a Lasting Power of Attorney), you will need to provide evidence of your authority to act, in addition to your own and the patient’s identity documents.

Timescales and Fees

We will respond to all rights requests within one calendar month. In complex cases we may extend this by up to two further months and will tell you if we need to do so. Most requests are free. We may charge a reasonable fee, or refuse, where a request is manifestly unfounded or excessive.


12. Data Security

We implement strict technical and organisational measures to protect your data, including:

  • Encryption of data at rest and in transit
  • Secure access controls and role-based access for staff
  • Regular security reviews and monitoring
  • Fraud prevention and security monitoring systems
  • Staff training in information governance and confidentiality

We do not transmit your personal or medical data outside of our control unless required by law or for essential service provision under strict safeguards. If you suspect a security incident affecting your information, please contact [email protected] immediately.


13. Third Parties With Whom We Share Your Data

Our business relies on working with third parties to provide our services. For all third parties, we carry out data protection due diligence and have contracts in place with specific data processing clauses.

Third parties we may share your personal information with include:

  • Blue House Pharmacy (our dispensing pharmacy) for the fulfilment of prescriptions
  • UK-registered clinicians and prescribers who review your consultations
  • Identity verification providers (where used)
  • Delivery and courier service providers (address and contact details only)
  • Payment service providers (payment processing only)
  • Analytics providers (Google Analytics 4)
  • Marketing and communications providers (Meta, Omnisend)
  • Technology and hosting providers
  • Your GP (where you consent, or where patient safety requires it)
  • Professional advisors such as auditors, accountants, and lawyers
  • Regulators, courts, government authorities, and law enforcement where required by law
  • Any entity that may acquire our business or part of it, subject to appropriate data protection safeguards

We never sell your personal data.


14. International Transfers

Almost all data we collect is stored and processed in the United Kingdom. However, from time to time it may be necessary to transfer your data outside the UK to deliver our services (for example, where a third-party service provider processes data outside the UK).

Where your data is transferred outside the UK, it will only be done where adequate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) for transfers to the EEA and countries with adequacy decisions
  • The UK-US Data Privacy Framework or SCCs for transfers to the United States
  • SCCs with the UK International Data Transfer Addendum (IDTA) for other international transfers

If you would like a copy of the safeguards we have in place for international transfers, please contact us at [email protected].


15. How Long We Keep Your Information

We keep your personal data only as long as it is necessary to provide our services, for legitimate business purposes, and to comply with our legal obligations.

Key retention periods include:

  • Health records: 10 years after your last interaction with us, in line with CQC and NHS retention guidelines
  • Pharmacy records: 2 years from the end of the financial year, in line with CQC guidelines
  • Financial and transaction records: 7 years, in line with HMRC requirements
  • Marketing consent records: retained for the duration of your consent and for a reasonable period afterwards

Once retention periods are met, we securely destroy, anonymise, or archive data. Exceptions may apply where there is an unresolved issue, a legal obligation, or a legitimate business reason such as fraud prevention.


16. Your Rights in Relation to Your Personal Data

In addition to your rights in relation to your health information set out in section 11, under data protection law you have the following general rights:

  • Right of access – you can ask for copies of your personal information
  • Right to rectification – you can ask us to correct inaccurate or incomplete information
  • Right to erasure – you can ask us to delete your personal information in certain circumstances (this is not absolute, as we may need to retain certain information for legal reasons)
  • Right to restrict processing – you can ask us to limit how we use your data in certain circumstances
  • Right to object – you can object to our processing where we rely on legitimate interests or consent
  • Right to data portability – you can ask us to transfer your data to another provider in a machine-readable format
  • Right not to be subject to automated decision-making – you can object to decisions made solely by automated means without human involvement

Exercising Your Rights

To exercise any of these rights, please contact us at [email protected] or by post. We will respond within one calendar month.

We will not charge you for exercising your rights. However, we reserve the right to charge a reasonable administration fee if a request is manifestly unfounded or excessive.

For more information about your rights, visit: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/


17. Cookies

Our website uses cookies and similar technologies to ensure website functionality, maintain security, and improve user experience.

Full details of the cookies we use, why we use them, and how you can manage your preferences are set out in our Cookies Policy, available at trimu.com/cookies-policy.


18. Other Information

External Links

If you click on a link to a third-party website from our site, you are leaving our service. We are not responsible for the privacy practices of other websites and we encourage you to read their privacy policies.

Password Security

Where you have a password to access your account, you are responsible for keeping it safe. Do not share your password with anyone. For guidance on strong passwords, visit: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words

Severability

If any provision of this Privacy Policy is held by a court to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.


19. Complaints and How to File One

We take complaints about our handling of your personal data and your health information seriously. If you are unhappy with how we have handled your information, please tell us so we can investigate and put things right.

How to File a Complaint With Us

You can file a complaint by:

  • Email: [email protected] (preferred for privacy and data protection complaints)
  • Email: [email protected] (for general complaints about our services)
  • Email: [email protected] (for safeguarding concerns)
  • Post: Data Protection, AO Health Ltd, Unit 1, Dragonville Industrial Park, Dragon Lane, Durham, DH1 2XJ

To help us investigate quickly, please include:

  • Your name and the email address or account associated with trimu
  • A clear description of what happened, including dates where possible
  • What you would like us to do to put things right
  • Any supporting documents or screenshots

What Happens Next

  • We will acknowledge your complaint within 5 working days
  • We will investigate and provide a substantive response within 30 days. Where a complaint is complex, we may need longer; if so, we will tell you and keep you updated
  • You will not be penalised, refused service, or treated unfavourably for making a complaint

If You Are Not Satisfied With Our Response

If you are not satisfied with how we have handled your complaint, you have the right to escalate it to the relevant regulator.

Information Commissioner’s Office (ICO) – for complaints about how we handle your personal data, including your health information:

Care Quality Commission (CQC) – for complaints about the quality or safety of our healthcare services:

General Pharmaceutical Council (GPhC) – for complaints about the conduct of a pharmacist or pharmacy:

Filing a complaint with a regulator does not affect your right to pursue other legal remedies.