Privacy Policy
Who are we?
MyWay Digital Health Ltd (MWDH Ltd) is a medical software company, founded by NHS specialists in diabetes and healthcare management, responsible for the MyWay services, including MyWay Diabetes (MWD). For the purposes of data protection:
Data Processor: MWDH Ltd acts as a Data Processor when processing personal and clinical data on behalf of NHS organisations, GP practices, or other healthcare providers (the Data Controllers), to deliver the MyWay Diabetes service.
Data Controller: MWDH Ltd acts as a Data Controller for personal data collected directly from users of the platform (e.g. account registration details, user-entered data, support queries, and platform usage data), where we determine the purposes and means of processing.
We process all personal data in accordance with applicable UK data protection legislation, including the UK GDPR and Data Protection Act 2018. (For more information on the difference between data processors and data controllers, click or tap on this link: “ICO definition of data controller”.)
What data do we collect?
We collect demographic and medical data relating to your diabetes condition from your healthcare providers, i.e.: name; address; email; phone number; IP address; date of birth; height; weight; GP practice; type of diabetes; blood pressure; laboratory test results; smoking status; eye and foot screening info; goals; appointment data; and medication. We store any data input by you (e.g.: blood glucose readings, goals, text added to the eLearning chat forum). In addition, general auditable information and bug reporting data are also collected to help improve the service we offer. We only collect the minimum amount of data required to support your diabetes self-management and for the service to operate effectively unless you have provided your consent for optional improved site functionality (see related Cookies Policy).
Any data you input directly into the website or app will contribute to the care record you can access on your device. Please note, this data is not currently shared with your healthcare team, and you should not assume your healthcare team will be aware of any manual data inputs or device uploads.
What happens if wrong data is manually entered by you?
When you input your own measurements, most of the time you will be happy that this is accurate. If you enter data on your own measurement into the system and later realise the data is incorrect, we can manually erase it. Please get in touch via our ‘Contact Us’ form with details of what is wrong, including the date entered and values that are wrong. Examples could be where a child has entered data on your smartphone or tablet without your knowledge, or you may have mistyped a blood glucose level or entered a blood pressure reading in the wrong section by mistake.
How do we collect your data?
We collect and process data when you register online for any of our products or services and use or view our website via your browser’s cookies. We collect data from primary care systems, and other associated systems, relating to your diabetes. We track your progress through educational resources available on our website. Data may also be collected via a customer survey or from feedback. We may also monitor how you use the site.
There are three main routes to data collection:
MWDH Ltd may receive your data via a bulk data transfer, from your GP (Data Controller).
MWDH Ltd may receive data via the GP (Data Controller) Patient Facing Services (PFS) route.
And with your consent, at the registration sign-up step to use any of our products and services, for data you may input manually.
How will we use or share your data?
The MyWay Diabetes (MWD) service focuses on holistic diabetes management. It is available to all patients, in a region, where their GP has signed up to use this system for the relevant diabetes patients and to patients that have given their consent. We collect data in order to manage your account, giving you: secure access to your medical records; access to tailored education resources; and in some cases, the ability to upload results. Visitors to the public site (who have not logged in), have data stored on the system (basic functional cookies only, unless consent is granted for opt-in Cookies which cover tracking of site use and ability to market via Facebook), however, we do log the IP address of everyone who visits the site.
The website, and/or App, does not currently allow you to share data with other users, such as a carer or family member, as a feature. Any data you share is done so entirely at your own risk. The service does not currently permit data transfers.
We collect and process information about you only where we have a legal basis for doing so under applicable EU/UK laws. The legal basis depends on the services you use and how you use them.
When processing on instruction of the Data Controller, the GDPR lawful basis for ‘processing of personal data’ is met under Article 6(1)(e): Processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The GDPR lawful basis for ‘processing of special category data’ is met under Article 9(2)(h): Processing necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the individual, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care services, with appropriate safeguards.
For PFS consent, the GDPR lawful basis for ‘processing of personal data’ is met under Article 6(1)(e): processing necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. The GDPR lawful basis for ‘processing of special category data’ is met under Article 9(2)(h): Processing necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the individual, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care services, with appropriate safeguards.
For personal data you provide directly to MWDH for which MWDH is Controller, we rely on Article 6(1)(f) as it is in our legitimate interest to provide you a platform to enable you to support your care with diabetes, and Article 9(2)(h) as the processing is used to support your provision of health care. Optional analytics and similar technologies are processed based on user consent (Article 6(1)(a)), where applicable.
As Controller, we collect and share information for the following purposes:
to support the delivery of direct healthcare. For example, we share your data with healthcare professionals and feed back to your local healthcare teams (e.g.: to improve structured education). Anonymised data may be used for regional and national quality reporting.
to promote the services and to protect the safety and security of the services. For example, we send some data you provide to NHS systems as part of your health record or verification step when first registering. Your data may also be used to help improve the products and services MWDH Ltd offer, for service evaluation and audit, and for more general feature improvements such as machine learning functionality. We may pass non-identifiable data to third parties.
to protect our legal rights and interests. Note, we may need to process your data to comply with a legal obligation.
for a specific purpose not listed within this policy, where you have given us consent to do so. For example, we may publish testimonials or featured customer stories to promote our services, with your permission.
We maintain a record of processing activities (ROPA) which documents the categories of personal data processed, purposes of processing, legal bases, recipients, and retention periods.
In summary:
Healthcare data received from GP systems is processed to deliver care services
User-provided data is processed to support account functionality and self-management
Platform usage data is processed to maintain, secure, and improve the service
Data may be shared with healthcare providers, hosting partners, and authorised service providers where necessary to deliver the service
The service does not involve any automated decision-making or profiling; however, it will provide basic lifestyle and education recommendations, based on your data record (e.g.: type of diabetes, medications).
We follow the principle of data minimization and only collect data and information which are important and relevant to diabetes care and self-management.
We will not use your data in any way other than as laid out in the Privacy Policy and we will not use your data beyond the purposes described unless required by law or with appropriate legal basis.
Do we carry out marketing activities to users?
This is an NHS service and is free at the point of care, so we do not use your data for commercial marketing without consent, in line with UK GDPR, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR). We distinguish between service communications and marketing communications:
Service communications (essential)
These include emails or messages necessary to deliver the service (e.g. account notifications, care-related updates, or service information). These are not considered marketing and are sent as part of providing the service.
Marketing communications (optional)
Where we contact you to promote features, engagement, or broader awareness of the service, this is treated as marketing. Such communications are only sent where you have provided appropriate consent, and you may opt out at any time.
Where applicable, we may engage in partnerships or affiliate arrangements. Any such activity will be clearly identified and will only take place where appropriate consent has been obtained.
Social media and advertising
Where you have provided explicit consent for optional cookies, we may use third-party platforms such as Facebook or Google to support awareness of the service. These activities rely on your prior consent for cookies and tracking technologies. These platforms do not receive your clinical data; these activities are limited to service awareness and are based on your cookie preferences. You can withdraw consent or change your communication preferences at any time by contacting us.
How do we store data?
We take data security very seriously. All personal and clinical data is hosted within UK-based, secure cloud environments (including Microsoft Azure UK regions and AWS UK regions). Our infrastructure and service providers operate in line with recognised security and data protection standards, supporting our compliance with UK GDPR and the Data Protection Act 2018. MWDH maintains documented policies and procedures covering technical and organisational security measures, aligned to ISO 27001, to manage information security risks and protect the confidentiality, integrity, and availability of data.
Data storage is on your local device unless you manually export the data. Data is encrypted while stored and when being sent from the service to your device as per standard encryption for data transfers over the internet. All data is protected using HTTPS with TLS encryption between the device and the host.
We will retain data for as long as the service, in your area, is being funded, and thereafter in line with applicable NHS records retention schedules and contractual obligations. Upon termination of funding, all data will be securely and completely destroyed. Given current volumes, the process to delete any personal data is documented and carried out using secure deletion methods aligned with ISO 27001 controls and NHS data handling standards.
MWDH Ltd has implemented controls to ensure that regulatory obligations regarding data protection are followed, documented, and results logged. In the unlikely event of a data breach, we will assess the risk and where appropriate, notify the competent supervisory authority (in the UK, this is the ICO) within 72 hours. If the risk assessment indicates a high risk for you, we would also communicate any breach of personal data directly to you. Specific procedures for the management of security incidents and breach monitoring are in place.
NHS login
Please note that if you access our service using your NHS login details the identity verification services are managed by NHS Digital. NHS Digital is the controller for any personal information you provided to NHS Digital to get an NHS login account and verify your identity and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS Digital (as the “controller”) when verifying your identity.
To see NHS Digital’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.
Minors using the app
This service is intended for use in accordance with applicable healthcare provider registration and eligibility criteria. Should we become aware that a minor is using this app, we will take steps to address this.
If you believe that a minor is using this app, then please contact us on support@mwdh.co.uk to let us know so that we can investigate and take necessary action.
What are your data protection rights?
We would like to make sure you are fully aware of all of your data protection rights. You are entitled, at any time, to:
the right to access – you have the right to request copies of your personal data.
the right to rectification – you have the right to request that we correct any information you believe is inaccurate, where MWDH Ltd is the data controller.
the right to erasure – you have the right to request that we erase your personal data, under certain conditions.
the right to restrict processing – you have the right to request that we restrict the processing of your personal data, under certain conditions.
the right to object to processing – you have the right to object to our processing of your personal data, under certain conditions.
the right to data portability – you have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
You have additional rights under the General Data Protection Regulation; the two main ones are:
The right to withdraw consent.
The right to request that you are not subject to a decision based solely on automated processing (note this is not relevant to this service)
Please note our Cookie pop up will appear every 30 days to enable you to review and change your choices if you wish.
If you make a request, we will aim to get back to you as soon as possible but will respond within one month, dependent on the complexity of the request.
If you would like to exercise any of these rights, including withdrawing your consent for your data to be processed, please contact us at our email: support@mwdh.co.uk or by using the ‘Contact Us’ form. Note that exercising these rights relates to the data retained or processed by MWDH Ltd only. For detailed data protection queries, you may be directed to your GP practice or another local Data Controller, with whom we will partner to support your request.
If you wish to opt-out of the MWD service or unsubscribe from our Newsletter, please notify us via the ‘Contact Us’ form and your information will be promptly and securely removed from our system.
Privacy Policy of other websites
The MyWay Diabetes website may contain links to other websites. Our privacy policy applies only to our website. If you click on a link to another website, you should read their privacy policy or related Terms and Conditions.
Changes to our Privacy Policy
We keep our privacy policy under regular review and place any updates on this web page. This privacy policy was last updated on 20th April 2026. For material or substantial changes to this policy, please note you may be contacted by email to request re-consent where a substantive change has been made to the policy e.g., if the purpose of data collection should change.
How to Contact us?
If you have any questions about our privacy policy, the data we hold on you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us at email: support@mwdh.co.uk or by using the ‘Contact Us’ form on this website, where you will be directed to the most appropriate member of the data protection team. Please note if this is not suitable, a phone number is listed on the contact-us page but is not preferred for privacy or data protection issues. Our Data Protection Officer is Dr Scott Cunningham, who can be contacted at support@mwdh.co.uk. You may also find more information in our FAQs.
In the event of any personal data breach or security incident, we will inform you of any serious adverse consequences without undue delay. We will also inform the ICO, within 72 hours, where required and document all evidence.
MWDH control your self-input or other direct updates to your personal data. For more detailed queries you may be passed to the Data Protection Officer in your region.
Any clinical questions must be directed to your local healthcare team.
How to Contact the appropriate authorities?
If you are not satisfied with how we handle your data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO). Details are available at: https://ico.org.uk/make-a-complaint/ or by calling 0303 123 1113.