Privacy Notice  |  Suvera Ltd

About us

We are Suvera Ltd, and we are located at Suvera Ltd, 1st Floor, Aylesbury Works, 19 Aylesbury Street, EC1R 0DB.
We are registered with Companies House under number 12237910 and with the ICO under number ZA567382. If you need to contact us about your data, you can email us at privacy@suvera.co.uk.

What we do

Suvera Ltd operates an Online Clinic and a software platform called Planner to help health professionals manage patients with long-term conditions, such as hypertension, diabetes, asthma, COPD, depression and anxiety.

Privacy and information governance are essential to the provision of trusted technology services, particularly in healthcare. At Suvera, we put this at the heart of what we do, not just because of our legal obligations, but because we, our friends and our families are all patients too. We all want to experience high-quality healthcare whilst being in control of our data and how it is used.

Our role

Typically, we act as a processor on behalf of your GP. When we are a processor of your data, then all data is processed in line with your GP practice’s privacy notice, and you should contact them for any queries.

This privacy notice applies to the data that we process when we are a controller of personal data. This typically includes data from employees, suppliers, patients, and users of our website or Planner. Being a controller means that we are trusted to look after and deal with your personal information in accordance with this notice. We determine the ways and means of processing your data and must therefore be accountable for it.

Your rights

  • Your right of access - you have the right to ask us for copies of your personal information.
  • Your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing - you have the right to ask us to restrict the processing of your information in certain circumstances.
  • Your right to object to processing - you have the right to object to our processing your information if the legal basis is legitimate interests, or where we are relying on Article 9(2)(h) (Provision of direct health care and a healthcare service).
  • Your right to data portability - this only applies to information you have given us. You have the right to ask that we transfer the information you gave us from one organisation to another, or give it to you. The right only applies if we are processing information based on your consent or under a contract, or in talks about entering into one, and the processing is automated.

If you want to exercise any of these rights, please just contact us on privacy@suvera.co.uk.

We work in partnership with your GP practice; we will liaise with them to ensure we are fully meeting your data subject rights. You also have the right to lodge a complaint about our processing with a supervisory authority — in the UK, that is the ICO, whose details are here: https://ico.org.uk/make-a-complaint/

How we process your data

We cannot provide our services without processing personal data. If you do not wish to share your information with us, we will be unable to offer you a service.

Select the section below that applies to you.

I am a patient invited to use the Online Clinic

Data that we process
Our Online Clinic services operate only on the instructions of your GP. This means that we are a processor, and your GP has told us how to collect, use, and store your information. When you use Suvera’s online portal, we process usage data, such as when you open and close our software, what product features you use and what device you are using. This allows us to improve our software by better understanding your workflows, to provide you with usage data, to monitor the functioning of our software and to prevent fraud, cyberattacks and other dishonest behaviour.

Lawful basis for processing
As a patient of the Online Clinic, you are receiving healthcare from Suvera on behalf of your GP. The legal basis is Article 9(2)(h) (Provision of direct health care and a healthcare service). We collect usage data, and we ask for your consent via the cookie banner.

Retention period
Your data is retained for the duration of our contract with your GP and for 8 years afterwards for audit and investigation purposes, unless your GP instructs us to delete it sooner. Fully anonymised data is not personal data and is not subject to deletion requirements.

I am a Customer or work at a GP practice using Suvera

Data that we process
If you have entered into a contract with us to provide services to your patients, or you are using Suvera Planner, then the personal information we hold includes your contact details, the name of the practice and PCN where you work, and your signature if you signed the contract. To support the care management of patients, we also maintain a list of names, roles, and competencies for some of your employees. We will also have correspondence between us, which typically contains commercial rather than personal data. Additionally, we use your email address to share relevant Suvera news and use your data to improve our services; you can opt out of these communications at any time.

Lawful basis for processing
Our lawful basis for processing this data is the fulfilment of a contract with you and legitimate interest for using the data for marketing emails. You can opt out of marketing emails at any time.
We collect usage data, and we ask for your consent via the cookie banner.

Retention period
We retain your data for the duration of the contract and for 8 years afterwards in case of legal disputes, unless you instruct us to delete it sooner.

I work at a Health Care Organisation, not currently using Suvera

Data that we process
If you are working at a Health Care Organisation that has not signed a contract with us, but you have expressed interest in our service on our website or in person, then we will likely hold your contact details with a view to introducing our services to you. We would have gathered this information either through a form you filled out on our website or from external sources such as NHS websites and Wilmington Healthcare. This may include your name, role and the organisation you work for.
If we have gathered this data from external sources, then we will abide by our obligations under the GDPR to inform you that we have this data, ideally within 30 days of receiving it, and let you know why we will be processing the data, and to give you the chance to opt out of communications with us.

Lawful basis for processing
Our lawful basis for processing is legitimate interest (we believe that you will be interested in our service, and we need to be able to communicate with GPs to grow our business). When we email, we do so under the ICO guidance on direct marketing and PECR regulations, where we are able to send relevant marketing emails to businesses as long as we give you the chance to opt out at any time. A link to unsubscribe will be available in every email we send.

Retention period
We retain this data until you unsubscribe (at which point we move you to a suppression list to prevent accidental re-contact).

I have applied for a job with you

Data that we process
If you are a potential employee, we may hold the following data on you:
Contact details, CV, email correspondence with you, pictures, videos and information from Facebook and LinkedIn accounts, answers to questions asked through the recruiting process, title, education and other information you have provided. If you are successful in gaining employment with us, then you will fall under the employee privacy notice going forward, which will be provided to you when you sign a contract with us. We also carry out pre-employment checks, as we are legally obligated to do so by HMRC and various visa requirement bodies.

Lawful basis for processing
Our lawful basis for processing your data is a combination of contract, legitimate interest and consent. When you applied for a job, it was with a view to entering into an employment contract with us. If we decide not to go forward with your application, then we use legitimate interest to retain the data should the chosen candidate not work out or another role become immediately available. We use consent if we want to keep your contact details for longer than our usual retention period.

Retention period
We retain unsuccessful applicants' data for one year. If we wish to retain it longer, we will ask for your consent. In exceptional circumstances, we may retain minimum identifiable data under legitimate interests, consistent with our safeguarding obligations.

I have provided feedback

How we collect your feedback
We collect patient feedback through a secure online webform which is made available to you following your consultation.
Surveys, which are collected and stored in anonymised form only, do not contain personal data.

Data that we process
For the patient feedback web form, we process the following data:
- The name of the GP practice you are registered with
- The name of the healthcare professional you spoke with
- Information about your health conditions and how they are being managed, which may include conditions such as hypertension, diabetes, asthma and general well-being
- Your ratings and responses relating to your clinical care, agreed care plan and condition management

Please note that we do not collect your name or any direct identifier through the feedback web form. However, the combination of GP practice name, clinician name and health condition information could, in some circumstances, particularly within smaller GP practices, make it possible to identify you as an individual. Under UK GDPR Article 4(1), this is known as "singling out" and means the above data must be treated as personal data and afforded full protection under this notice.
Survey responses are collected and stored in anonymised form only. No personal data is collected through this channel.

Lawful basis for processing
Because your webform responses may include information about your health conditions, this is classed as special category data under UK GDPR. We rely on your explicit consent under Article 9(2)(a) UK GDPR to process this data. If you wish us to share your feedback with your GP then we can do, but we do not do this routinely.
Before completing the feedback webform you will be presented with a consent statement and an unticked checkbox which you must actively tick before submitting the form. Submission of the form constitutes your explicit consent to the processing described in this notice.
You have the right to withdraw your consent at any time by contacting us at privacy@suvera.co.uk. Please note that because we do not collect your name, withdrawing consent after submission may be difficult if the data has already been processed. We would encourage you to contact us as promptly as possible if you wish to withdraw.

Retention period
Feedback webform data is retained for 8 years, after which it is securely deleted or fully anonymised. Anonymised aggregated data is not personal data and may be retained indefinitely.

Data sharing and transfers
Your feedback is used internally to improve our service and to recognise our clinical team. We do not share individual feedback responses with your GP practice or any third party. We do not sell your data.

Your rights in relation to feedback data
Your data protection rights apply to any personal data we hold about you. However, because we do not collect your name or any direct identifier through the feedback web form, our ability to locate and retrieve your specific feedback responses may be limited.
If you believe you can be identified from the data we hold, for example, because you are a patient at a smaller GP practice with a specific condition, and you wish to exercise any of the following rights, please contact us at privacy@suvera.co.uk, and we will make every reasonable effort to assist you:
- The right to access the feedback data we hold about you
- The right to request erasure of your feedback data
- The right to withdraw your consent
We will always be transparent about whether we are able to locate your data. If we are unable to identify your specific responses within our records, we will inform you of this promptly.
Once feedback data has been fully anonymised, it is no longer considered personal data and data subject rights no longer apply to it.
For survey data, responses are anonymised at the point of collection and data subject rights do not apply.

I am a supplier of yours

Data that we process
As a supplier, we hold the contract and payment details required to carry out our contract with you and data to manage our relationship with you. This data would have been sourced from you directly, although your contact details may have been sourced from a recommendation or another source, with the intention of entering into a contract with you.

Lawful basis for processing
Our lawful basis for processing your data is contract; all data is used to enable us to fulfil our contract with you, including paying you and managing our relationship with you.

Retention period
We hold your data for the length of time you are a supplier to us and for 8 years afterwards, in case of any disputes and for accounting purposes.

Data sharing and transfers
We may share your contact details if someone asks us for a recommendation. We will always contact you before we do this unless it is your company name and switchboard phone number that we share.

I am just visiting your website (Cookie Policy)

We ask for your consent before we drop any third-party or unnecessary cookies. For strictly necessary cookies, we rely on legitimate interest as we need these for our website to work.

“Cookies” are small text files placed on your device (e.g. computer, phone or tablet) when viewing certain pages in our software. Cookies allow us to keep track of some of your browsing preferences and optimise our software for your personal use. Cookies also allow us to automatically track certain information about how you navigate through and interact with our software, which helps us to measure its performance and to improve its design and functionality.

For more information on cookies, please visit www.allaboutcookies.org

We use the following cookies:
Strictly necessary cookies. These are cookies that are required for the operation of our software. They include, for example, cookies that enable you to log into your account.

Analytical or performance cookies. These allow us to recognise and count the number of visitors and to see how visitors move around our software when they are using it. This helps us to improve the way our services work, for example, by ensuring that users are finding what they are looking for easily.

Functionality cookies. These are used to recognise you when you return to our software. This enables us to personalise our content for you and remember your preferences (for example, so we can remember the state of your questionnaire if you reload the page while filling it in).

Targeting cookies. These cookies record your visit to our software, the pages you have visited and the links you have followed. We will use this information to make our software more relevant to your interests.

To see what cookies we use, click here.

Call Recordings

When you contact Suvera by phone, or we contact you, your call will be recorded. You will be notified of this before the call begins.

For patients: Your GP practice is the data controller for your healthcare records and determines the lawful basis for processing. Your GP relies on Article 9(2)(h) UK GDPR (provision of healthcare) as the basis for maintaining comprehensive clinical records, which include call recordings made as part of your care. As your GP's data processor, Suvera records calls on their instructions.

The same recordings also serve secondary operational purposes for which Suvera acts as a processor under the GP's instructions, including staff training, monitoring, auditing, feedback, safeguarding staff from abusive contacts, and investigating incidents, complaints, or disciplinary matters. These secondary uses remain within the scope of the GP's instructions and the Article 9(2)(h) basis.

All call recordings are treated as confidential and used only for the purposes described above.

Call recording data is retained for 8 years from the date of the call, unless your GP instructs us to delete it sooner. Your GP may retain records of your care for longer, in line with their own retention schedule.

Security measures

We have in place a number of technical and operational security measures to keep your data safe.

  • All of our employees are trained in data protection and are aware of their obligations to ensure the privacy of all data subjects.
  • Our offices have physical security in place.
  • All data is password protected, access controlled by two-factor authentication, backed up securely and encrypted when appropriate.
  • Data privacy by design and default is an integral part of our development processes.
  • We have a range of internal agreements and policies in place for information governance, network security, information handling, remote working, business continuity, confidential information, incident reporting, access control and staff confidentiality. We review these policies at least annually and will update them if a product or business change necessitates it.

Business changes

What happens if our business changes hands? We may, from time to time, expand or reduce our business, and this may involve the sale and/or the transfer of control of all or part of our business. Any personal data that you have provided will, where it is relevant to any part of our business that is being transferred, be transferred along with that part, and the new owner or newly controlling party will, depending on the lawful basis, be permitted to use that data only for the same purposes for which it was originally collected by us.
In the event that any of your data is to be transferred in such a manner, you will be contacted in advance and informed of the changes.

Changes to our privacy notice

We may change this privacy notice from time to time (for example, if the law changes). We recommend that you check this page regularly to keep up-to-date.
If we make any material changes to the manner in which we process and use your personal data, we will contact you to let you know about the change.

Data sharing and transfers

Like most companies, we use a number of other companies as part of our data processing, for example, cloud services and technology services. We have Data Processing Agreements in place with these providers. Where data is transferred outside of the UK or the EEA, we ensure that appropriate protection and mechanisms are in place, for example, Standard Contractual Clauses or the UK’s International Data Transfer Agreement. If data is transferred from the UK to the EEA, then it is done so on the basis of those countries having a comparable data protection regime to the UK (adequacy).

We do not sell your data to anybody.