Effective Date: 19th November 2025
Sheba ("we", "us", "our") is committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how we collect, use, store, and share your information when you use our website, mobile application, and related services (collectively, our "Services").
By using our Services, you agree to the collection and use of information in accordance with this Privacy Policy. We encourage you to read this document carefully as it contains important information about your privacy rights and how we handle your personal data.
Sheba is a trading name of Sora Health Limited, a company registered in England and Wales under Company Number 15789992. Our registered office is located at Collingwood Buildings, 38 Collingwood Street, Newcastle Upon Tyne, United Kingdom, NE1 1JF.
Sora Health Limited acts as the data controller for the purposes of applicable data protection legislation, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
For any questions or concerns relating to this Privacy Policy or our data protection practices, please contact us through the following channels:
We may collect and process various categories of personal data about you, depending on how you interact with our Services. The types of personal data we collect include:
We collect information such as your name, date of birth, gender, postal address, email address, and telephone number. This information helps us identify you and communicate with you effectively.
When you create an account with us, we collect your login credentials, account preferences, and communication settings. This information enables us to provide you with a personalised experience and manage your account securely.
If you use our health-related Services, we may collect sensitive health information. This includes your medical history, symptoms or responses to health questionnaires, consultation notes from healthcare professionals, suitability assessments for treatments, prescription or treatment information, laboratory test results, and any photographs or videos you choose to upload for medical assessment purposes. We recognise that this constitutes special category data under data protection laws and handle it with the highest level of care and security.
We automatically collect certain technical information when you use our Services. This includes your device details, IP address, browser type and version, operating system, application activity data, access times, referring URLs, and information about which pages you view and how you interact with our Services.
We maintain records of your transactions with us, including details of payments you have made, services you have purchased, and information about order fulfilment and delivery.
We record your marketing preferences and track how you interact with our marketing communications. This helps us ensure we only send you communications that are relevant and in accordance with your preferences.
When you participate in surveys, submit complaints, contact our support team, or send us any other correspondence, we collect the information you provide. This helps us improve our Services and address any concerns you may have.
We collect personal data through various methods and sources:
We collect information that you voluntarily provide to us when you create an account, complete health assessments, communicate with our team, upload documents or images for medical review, book consultations, or request prescriptions. You are in control of the information you choose to share with us directly.
We use cookies and similar tracking technologies to automatically collect certain information when you visit our website or use our mobile application. This includes analytics data about how you navigate and interact with our Services, as well as technical information about your device and browser. For more detailed information about our use of cookies, please refer to our Cookie Policy.
We may receive information about you from third-party sources, including our partner pharmacies when they fulfil your prescriptions, laboratories that process your test samples, healthcare professionals who provide consultations through our platform, payment providers who process your transactions, and analytics and advertising platforms that help us understand and improve our Services.
We use your personal data for various purposes, each with an appropriate legal basis under data protection law:
We use your personal data to create and manage your account, assess your suitability for treatments, facilitate consultations with healthcare professionals, issue prescriptions, process payments, fulfil orders, and provide customer support. Our legal bases for this processing are the performance of our contract with you and, where health data is involved, your explicit consent for the processing of special category data.
We process your personal data to review your medical suitability for treatments, screen for potential health risks or contraindications, maintain accurate clinical documentation, and collaborate with healthcare partners to ensure continuity of care. Our legal bases for this processing include your consent, protecting vital interests where necessary, and the public interest in maintaining high standards of healthcare delivery.
We are required to process certain personal data to comply with various legal requirements, including healthcare regulations, tax laws, anti-money laundering requirements, and fraud prevention obligations. The legal basis for this processing is our need to comply with legal obligations.
We analyse usage patterns and feedback to enhance our Services, develop new features, optimise user experience, and conduct research to improve healthcare outcomes. Our legal bases for this processing are our legitimate interests in improving our Services and, where required, your consent for the use of cookies and analytics tools.
We send you service updates, appointment reminders, safety notifications, and regulatory information that is essential to your use of our Services. The legal bases for these communications are the performance of our contract with you and our legitimate interests in keeping you informed about important service-related matters.
Where permitted, we may send you promotional materials, educational content about health topics, and information about new services or features. We only do this where we have your consent or, in limited circumstances permitted by law, where we have a legitimate interest and have carefully considered your rights and interests.
You have the right to withdraw your consent or opt out of marketing communications at any time by using the unsubscribe link in our emails or by contacting us directly.
We share your personal data only when necessary and with appropriate safeguards in place. The categories of recipients include:
We share relevant medical information with licensed healthcare professionals who provide consultations or issue prescriptions through our platform. These professionals are bound by strict confidentiality obligations and professional standards.
We share necessary information with our partner pharmacies to enable them to dispense medications safely and deliver them to you securely.
When you order tests through our Services, we share relevant information with accredited laboratories to process your samples and generate test results.
We work with carefully selected third-party providers who help us deliver our Services. These include hosting providers, analytics services, communication platforms, and payment processors. All our service providers are contractually obligated to protect your data and only process it according to our instructions.
We may share information with our legal advisers, financial advisers, auditors, and insurance providers when necessary for obtaining professional advice or managing our business operations.
We may be required to share information with regulators, law enforcement agencies, or other governmental bodies when legally required to do so or to protect vital interests.
In the event of a reorganisation, merger, acquisition, or sale of our business, personal data may be transferred to the successor organisation. We will ensure appropriate protections are in place for such transfers.
While we primarily process data within the United Kingdom, some of our service providers may be located in other countries. When we transfer personal data outside the UK or European Economic Area, we ensure appropriate safeguards are in place to protect your information. These safeguards may include relying on adequacy decisions that confirm the destination country provides an adequate level of data protection, implementing standard contractual clauses approved by relevant authorities, or applying additional technical and organisational measures to ensure your data remains protected.
We implement comprehensive technical and organisational measures to protect your personal data from unauthorised access, alteration, disclosure, or destruction. Our security measures include encryption of data in transit and at rest, strict access controls and authentication procedures, regular security assessments and audits, secure data centre facilities, incident response procedures, and staff training on data protection and security practices.
While we strive to use commercially acceptable means to protect your personal data, we acknowledge that no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to maintaining the highest practical standards of data protection.
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention periods are determined by several factors, including the nature of our Services provided to you, legal obligations to maintain certain records, regulatory requirements specific to healthcare data, the need to resolve disputes or enforce agreements, and legitimate business purposes such as fraud prevention.
Medical records and prescription information are typically retained for longer periods in accordance with clinical governance requirements and healthcare regulations. When personal data is no longer required, we either securely delete it or anonymise it so that it can no longer be associated with you.
We use cookies, device identifiers, and similar technologies to enhance your experience on our website and mobile application. These technologies help us operate our Services effectively, analyse performance and usage patterns, personalise content and recommendations, remember your preferences, and implement security measures.
You can manage your cookie preferences through your browser settings or device settings. Please note that disabling certain cookies may affect the functionality of our Services. For detailed information about the cookies we use and how to manage them, please refer to our Cookie Policy.
Under data protection law, you have several rights regarding your personal data. These rights include:
You have the right to request a copy of the personal data we hold about you, along with information about how we process it.
You can request that we correct any inaccurate or incomplete personal data we hold about you.
In certain circumstances, you have the right to request that we delete your personal data. However, this right is not absolute, and we may need to retain certain information for legal or regulatory reasons, particularly medical records.
You can request that we restrict the processing of your personal data in certain situations, such as when you contest its accuracy or object to our processing.
You have the right to object to processing based on legitimate interests, direct marketing, or processing for research purposes.
Where applicable, you can request to receive your personal data in a structured, commonly used, and machine-readable format, and have the right to transmit this data to another controller.
Where we process your personal data based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing based on consent before its withdrawal.
To exercise any of these rights, please contact us using the details provided in Section 2 of this Policy. We may need to verify your identity before processing your request to ensure your personal data is not disclosed to unauthorised persons.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe we have not handled your personal data appropriately. You can contact the ICO at www.ico.org.uk or by calling their helpline.
We want to ensure you only receive marketing communications that are relevant and welcomed. You can opt out of marketing communications at any time by clicking the unsubscribe link included in all our marketing emails, updating your preferences in your account settings, or contacting us directly at the email address provided in Section 2.
Please note that even if you opt out of marketing communications, we will continue to send you important service-related messages, such as updates about your account, changes to our terms, or information about your orders and prescriptions.
Our Services are not intended for individuals under 18 years of age. We do not knowingly collect personal data from children under 18. If we become aware that we have inadvertently collected personal data from someone under 18, we will take appropriate steps to delete such information from our systems as soon as reasonably practicable.
Our Services may contain links to third-party websites, applications, or services that are not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party sites or services before providing them with your personal data.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the effective date at the top of this Policy.
For significant changes that materially affect how we process your personal data, we will provide you with prominent notice, such as by email notification or through a notice on our Services. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your personal data.
Your continued use of our Services following the posting of changes to this Policy constitutes your acceptance of those changes. If you do not agree with the revised Policy, you should discontinue your use of our Services.
We welcome your questions, comments, and concerns about this Privacy Policy and our data protection practices. If you would like to contact us, please use the following information:
Data Protection Officer
Sora Health Limited (trading as Sheba)
Collingwood Buildings
38 Collingwood Street
Newcastle Upon Tyne
NE1 1JF
United Kingdom
Email: support@joinsheba.com
We aim to respond to all data protection inquiries within 30 days. For complex requests, we may need additional time, in which case we will keep you informed of our progress.