Nerivio Website Privacy Policy
Data Controller
Dr. Reddy’s Laboratories (UK) Ltd
410 Cambridge Science Park,
Milton Road,
Cambridge,
CB4 0PE,
United Kingdom
Telephone: + 44 (0) 1223 728010
On this page, we provide you with information regarding the processing of your personal data on our website.
Last Updated: 21 June, 2024
General Information on Data Processing
How we collect and use your personal data will depend on how you interact with us or the services you use on https://www.nerivio.co.uk (“our website”). We only collect, use or share your personal data where we have a legitimate purpose and a legal basis for doing so.
- Consent (Art. 6(1) (a) UK General Data Protection Regulation (“UK GDPR”), Regulation (EU) 2016/679) – Where you have given us your consent to process your personal data for a specific purpose. To understand the purposes of processing your personal data, please see the subsection ‘Purposes of Processing Personal Data’ of this Privacy Policy. You have the right to withdraw your consent at any time. For further information on how to withdraw consent, please see the ‘Exercising your rights’ subsections in the subsequent sections of this Privacy Policy.
- Performance of a Contract (Art 6(1) (b) UK GDPR) – Where we don’t have your explicit consent but have entered into a contract with you, we will use your data to fulfil the obligations under that contract. Alternatively, we will use your data, where necessary, because you have asked us to, or you have taken it on yourself, to undertake specific steps before entering into that contract.
- Legal Obligation (Art 6(1) (c) UK GDPR) – We need to use your personal data, if we have to, when complying with the law.
- Vital Interests (Art 6(1) (d) UK GDPR) – Processing your data is necessary to protect your vital interests or that of another person. For example, to prevent you from serious physical harm or in case of a serious medical emergency where you are otherwise incapable of giving us your consent.
- Public Task (Art 6(1) (e) UK GDPR) – Using your data is necessary for the performance of a task carried out in the public interest, or because it is covered by a task set out in law, for example, for a statutory function.
- Legitimate Interests (Art 6(1) (f) UK GDPR) – Processing your data is necessary to support a legitimate interest we or another party has, only where this is not outweighed by your own interests.
Please note where your data is processed under the performance of a contract or for a legal obligation, if you do not provide the data requested, we may be unable to provide you with our service.
Personal Data Collected and Processed
When you access our website, we collect the following personal data about you:
- General Identification and Contact Information: First Name, Last name, Email Address, (enable collection of parent/ legal guardian consent in case the patient is a minor), Terms of Use & Privacy Policy Consent, Newsletter & Subscription consent and any information you choose to share when you contact us through this website.
- Health Information: When you reach out to us for customer service or to report adverse events, you may choose to share or be asked to share information related to your health to help us understand the concern you are facing. This includes details of the health care professional that prescribed the device to you, your diagnosis and prescribed treatment and any other information such as medical symptoms and date of birth, sex included in the prescription shared by the prescribing health care professional and, any adverse events reported. Our customer service providers will request your explicit consent before collecting any of this information.
- Cookies: When you visit our website, we use technical aids for various functions, in particular cookies, which can be stored on your end device. When you visit our website and at any time thereafter, you can choose whether you want to generally allow the setting of cookies or which individual additional functions you want to select. You can make changes in your browser settings or via our consent manager. Cookies are text files with small pieces of data that our (Nerivio/Dr. Reddy’s Laboratories (UK) Ltd) websites place on your device as you are browsing. For more information on types of cookies we use, please refer to our Cookie Policy.
- Other Electronic Identifiers: Internet Protocol (IP) address, Geolocation data.
Purposes of Processing Personal Data
We will process your personal data for the following purposes:
- To make the website available to users.
- To allow you to register to our website – www.nerivio.co.uk.
- For assisting you with any queries or concerns you share with us through this website in relation to the device, its purchase and delivery.
- For assisting you with any adverse events reported by you. Please note that we will share any Adverse Event reports you send to us with Theranica, an independent data controller, as required by the applicable regulations. To learn more on how we share personal data with “Theranica” please see the section in this notice titled “Transfer of Personal data”.
- For the overall improvement of our products and services including how we interact with you directly or through our website.
- To fulfil our legal and regulatory obligations under applicable Laws.
Additional purposes when using optional services/features:
- Newsletter
You can voluntarily subscribe to our newsletter. When subscribing for the newsletter, the data from the input mask is transmitted to us. We process your e-mail address in order to provide this service.
Your consent will be obtained for the processing of your data during the registration process and reference will be made to this privacy policy. You have the right to withdraw your consent at any time.
The data will be used exclusively for sending the newsletter. No data will be passed on to third parties in connection with data processing for the dispatch of newsletters.
- Contact Form
A contact form is available on our website, which can be used for electronic contact. If you make use of this option, the data entered in the form will be transmitted to us and stored.
If you contact us via the input mask of the contact form or by e-mail, you can object to the storage of your personal data at any time. You can object to the storage of your personal data at any time in the following ways. You can revoke your consent or object to the storage of your personal data by writing to us at.
In this case, all personal data stored during the contact will be deleted.
- Corporate Web Profiles on Social Networks
If you carry out an action on our company social network profiles/pages (e.g. comments, contributions, likes etc.), you may make your personal data (e.g. clear name or photo of your user profile) public.
However, as we generally or to a large extent have no influence on the processing of your personal data by such Social Network companies, we cannot make any binding statements regarding the purpose and scope of the processing of your data.
You can find our corporate social network profiles/pages on:
- LinkedIn
Our corporate profiles on social networks are used for communication and information exchange with (potential) customers. We use the company's profile for publications that contain content related to our products and services. We also maintain a corporate presence on professionally oriented social networks where we provide information on available positions with our company, job applications and general company related updates. Every user is free to publish personal data.
As far as we process your personal data to evaluate your online behaviour, to offer you sweepstakes or to conduct lead campaigns, this is done on the basis of your express declaration of consent, Art. 6 (1) (a), Art. 7 UK GDPR. The legal basis for processing personal data for the purpose of communicating with customers and interested parties is Art. 6 (1) (f) UK GDPR. Thereby, our legitimate interest is to answer your request optimally or to be able to provide the requested information. If the aim of contacting you is to conclude a contract, the additional legal basis for the processing is Art. 6 (1) (b) UK GDPR. The data generated on the company profile are not stored in our own systems.
You can object at any time to the processing of your personal data that we collect within the framework of your use of our corporate web profiles and assert your rights as a data subject mentioned in the "Exercising your Rights" section of this privacy policy.
- Specialist Circles
If you are a Health Care Professional (“HCP”) who wishes to access information and receive updates related to the Nerivio device, case studies on migraines and additional medical developments in this field, you may choose to subscribe to the “Specialist Circles” feature on the website.
We will collect your name and email address for the purpose listed above.
For the processing of your personal data in third countries, we have provided appropriate guarantees in form of standard data protection clauses pursuant to Art. 46(2)(c) GDPR. A copy of the standard data protection clauses can be requested from us.
Lawful Basis of Processing
The legal basis for the temporary storage of data and logfiles when loading the website is Art. 6 (1) (f) UK GDPR.
The legal basis for the processing of the data when ordering the product is Art. 6 (1) (a) UK GDPR if you have given consent.
If the registration serves the fulfilment of a contract to which you as the user are a party or the execution of precontractual measures, the additional legal basis for the processing of the data is Art. 6 (1) (b) UK GDPR.
Legal basis for the processing of data of a child below the age of 14 years is Art. 6 (1) (a), Art. 8 (1)(2) UK GDPR and will be considered to be valid only if the consent is given or authorised by the holder of parental responsibility over the child.
Exercising Your Rights
When your personal data is processed, you are a data subject within the meaning of the GDPR and have the following rights:
- Right of access (Art. 15 UK GDPR)
You have the right to request us, the data controller, to confirm whether your personal data is being processed by us. If such processing occurs, you can request the following information from us:
- The purposes for which we process your personal data.
- Categories of personal data that are being processed.
- Recipients or categories of recipients to whom the personal data has been or will be disclosed.
- Planned storage period or the criteria for determining this period.
- The existence of the rights of rectification, erasure or restriction or opposition.
- The existence of the right to lodge a complaint with a supervisory authority.
- If applicable, the origin of the data (if collected from a third party).
- If applicable, the existence of any automated decision-making including profiling with meaningful information about the logic involved, the scope and the effects to be expected.
- If applicable, the transfer of personal data to a third country or international organisation.
- Right to rectification (Art. 16 UK GDPR)
You have a right to request that we rectify and/or modify the data about you, if your processed personal data is incorrect or incomplete. Upon receiving such a request, we will correct the data without any undue delay.
- Right to erasure (“Right to be forgotten”) (Art. 17 UK GDPR)
You have the right to request us to delete your personal data without undue delay. We will fulfil this obligation immediately if one of the following applies:
- Personal data concerning you is no longer necessary for the purposes for which it was collected or processed.
- You withdraw your consent on which the processing is based pursuant to and where there is no other legal basis for processing the data.
- You object to the processing of the data and there are no longer overriding legitimate grounds for processing, or you object pursuant to Art. 21(2) GDPR.
- Your personal data has been processed unlawfully.
- We have a legal obligation to delete your personal data in order to comply with a legal obligation in Union law or Member State law to which we are subject.
- A child’s personal data was collected in relation to information society services offered pursuant to Art. 8 (1) GDPR.
Note that the right to erasure or to be forgotten does not exist if:
- the processing is necessary to exercise the right to freedom of speech and information;
- we are using the personal data to comply with legal ruling or obligation required by the law of the Union or Member States to which we are subject;
- we are using the personal data to perform a task of public interest or in the exercise of public authority delegated to the representative;
- for reasons of public interest in the field of public health;
- your personal data represents important information that serves the public interest, scientific research, historical research, or statistical purposes where erasure of the data would be likely to impair or halt progress towards the achievement that was the goal of the processing; and
- your data is being used to enforce, exercise or defend legal claims.
Also note that we may request a “reasonable fee” or deny a request to erase personal data if we can justify that the request was unfounded or excessive.
- Right to restriction of processing (Art. 18 UK GDPR)
You may request the restriction of the processing of your personal data by us under the following conditions:
- If you challenge the accuracy of your personal data, you can request us to restrict processing for a period that enables us to verify the accuracy of your personal data.
- If the processing is unlawful, you can request us to restrict the use of your personal data if you oppose the erasure of the personal data.
- We or our representative no longer need the personal data for the purpose of processing, but you need it to assert, exercise or defend legal claims.
- If you have objected to the processing of your personal data (under the conditions set out under Article 21 (1)) and it is not yet certain whether our legitimate interests override your interests.
- Right to data portability (Art. 20 UK GDPR)
You have the right to request that we transfer your personal data that we collected on the basis of your consent or under a contractual obligation, in a commonly used structured and machine-readable format. You have the right to request us to make such a transfer directly to you, to another person or to another organization without hindrance by us, under certain conditions.
This right shall not apply if we believe that the processing is necessary for the performance of a task we are carrying out in the public interest, in the exercise of an official authority vested upon us or if it adversely affects the rights and freedoms of others.
If you make such a request, we will respond to you within a month.
- Right to object (Art. 21, Art. 6(1)(e) or Art. 6(1)(f) UK GDPR)
For reasons that arise from your particular situation, you have, at any time, the right to object to the processing of your personal data pursuant to Art. 6 (1) (e) or 6 (1) (f) GDPR; this also applies to any profiling activities undertaken by us based on these provisions.
Where we are processing your personal data for the purposes of direct marketing, you have the right to object at any time to the processing of your personal data in regard to such advertising; this also applies to profiling activities associated with direct marketing.
You can exercise your rights by writing to our Data Protection Officer at [email protected].
- Right to complain to a supervisory authority (Art. 77 UK GDPR)
Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a single supervisory authority in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data concerning you infringes your rights under the GDPR.
The supervisory authority to which the complaint has been lodged shall inform the complainant of the status and outcome of the complaint, including the possibility of a judicial remedy under Art. 78 GDPR.
Duration of storage of personal data
Your personal data will be deleted as soon as it is no longer necessary to achieve the purpose for which it was collected.
This is the case for the data collected during the registration process for the fulfilment of a contract or for the execution of pre-contractual measures if the data is no longer required for the implementation of the contract. Even after the conclusion of the contract, it may be necessary for us to store your personal data as the contractual partner in order to comply with our contractual or legal obligations. Your personal data will be deleted as soon as we have complied with these obligations.
Transfer/Disclosure of personal data
- Sharing with Data Processors: We may share your personal data with third parties who act as our Data Processors:
- Partners engaged for the implementation and management of eCommerce platform, order management system, warehousing solution, and Customer Relationship Management (“CRM”) system.
- Call centre-based customer care support.
- Other technology providers e.g., those who provide solutions related to Identity and Access Management, Optical Character Recognition for prescriptions, generate automated email notifications and provide other value-added services such as newsletters.
- Partners engaged to process Adverse event reports.
- Sharing with other Data Controllers: We may also share your personal data with third parties who will act as independent Data Controllers:
- Theranica – We (Dr. Reddy’s Laboratories (UK) Ltd) have a sales and distribution license to sell Nerivio in the UK (a Theranica product). Theranica also owns and manages the Nerivio App that you download. To know more, please visit www.nerivio.com/privacy-policy
- Please note that your personal data will be processed by such Data Controllers in accordance with their Privacy Policies and we (Dr. Reddy’s Laboratories (UK) Ltd) will not be liable for their actions. Our Privacy Policy only applies to the extent that we process the personal data for the purposes listed in this document.
We recommend you read the Privacy Policies of the abovementioned third parties to understand how they handle your personal data.
- Sharing with Dr. Reddy’s Laboratories affiliates and/or subsidiaries: Dr. Reddy’s Laboratories (UK) Ltd is part of the international pharmaceutical group Dr. Reddy's Laboratories Ltd.
We may share your personal data with other affiliates or subsidiaries within the Dr. Reddy’s Laboratories group for analytics purposes which will help us improve our products and services. Data for such purposes will be protected with safeguards including pseudonymisation to prevent you from being identified by those who use your data.
Where we or our third parties transfer or allow access to your personal data to jurisdictions outside of the United Kingdom or European Economic Area (i.e. the EU Member States plus Iceland, Liechtenstein and Norway, the "EEA"), it is done on the basis of standard contractual clauses, or other secure and lawful methods for transfer, approved by the European Commission and the Information Commissioner's Office (UK).
Protection of Personal Data
We have implemented appropriate technical and organisational measures to provide an adequate level of security and confidentiality to your personal information, based on industry standards. The purpose of these measures is to protect your personal data against accidental or unlawful destruction or alteration, accidental loss, unauthorized disclosure, or access and against other unlawful forms of processing. Our third parties (Data processors) are contractually obliged to protect the confidentiality and security of your personal information, in compliance with applicable law and our policies and standards.
- Content Delivery Networks
A Content Delivery Network (CDN) is a network of regionally distributed servers connected via the Internet to deliver content, especially large media files such as videos.
- Google Cloud CDN: On our website we use functions of the content delivery network Google Cloud CDN. Google Cloud CDN features are used to deliver and accelerate online applications and content.
Google Cloud CDN provides web optimization and security services that we use to improve the load times of our website and to protect it from misuse. When you visit our website, a connection to the servers of Google Cloud CDN is established, e.g. to retrieve content. This allows your personal data to be stored and evaluated in server log files, including your activity (e.g. which pages have been visited) and your device and browser information (e.g. IP address and operating system).
Further information on the collection and storage of data by Google Cloud CDN can be found here: https://policies.google.com/privacy?hl=es.
Your personal data is collected on the basis of Art. 6 (1) (f) GDPR. The website operator has a legitimate interest in the technically error-free presentation and optimization of his website - and server log files are therefore recorded.
Your personal data will be retained for as long as necessary to fulfil the purposes described in this Privacy Policy or as required by law. Information about objection and removal options regarding Google Cloud CDN can be found at: https://policies.google.com/privacy?hl=es.
Third party services
We use various service providers to deliver the service we offer through the website. Generally, where such services are essential to providing the basic service offered by us, we have a legitimate interest in collecting your data via these third-party providers.
Where such services are required for additional services, enhanced functionalities, or additional purposes, your personal data will only be transferred to service providers if you provide your explicit consent. You have the right to revoke your declaration of consent at any time. The revocation of the consent does not affect the lawfulness of the processing carried out on the basis of the consent up to the revocation.
Your personal information will be stored for as long as is necessary to fulfil the purposes described in this Privacy Policy or as required by law, e.g. for tax and accounting purposes.
You can prevent third party-services from collecting and processing your personal data by preventing the storage of third-party cookies on your computer, by using the "Do Not Track" feature of a supporting browser, by disabling the execution of script code in your browser, or by installing a script blocker such as NoScript (https://noscript.net/) or Ghostery (https://www.ghostery.com) in your browser.
We are using the services of the following third parties for our website:
- Google Marketing Platform
Google places a cookie on your computer. This allows personal data to be stored and evaluated, in particular the user's activity (which pages have been visited and which elements have been clicked on), device and browser information (specifically the IP address and the operating system), data about the advertisements displayed (in particular which advertisements have been displayed and whether you have clicked on them) and also data from advertising partners (in particular pseudonymised user IDs).
Based on the marketing tools used, your browser automatically establishes a direct connection with Google's server.
We have no influence on the scope and further use of the data collected by Google through the use of this tool and therefore inform you according to our state of knowledge. If you are registered with a Google service, Google can assign the visit to your account. Even if you are not registered with Google or have not logged in, it is possible that the provider may find out and store your IP address. Further information on the collection and storage of data by Google can be found here: https://policies.google.com/privacy?hl=es
- Google Analytics 4
Google Analytics examines, among other things, how website visitors use our site. Google sets cookies on your terminal device. During the visit, your behaviour is recorded in the form of "events". As a result, personal data can be stored and analysed, including: First visit to the website, Interaction with the website, usage path, clicks on external links, video usage, file downloads, advertising impressions and clicks, scroll behaviour (if to end of page), searches on the website, language selection, page visits, location (region), your IP address (in shortened form), technical information about your browser and the end devices you use (e.g. language setting, screen resolution).
Your internet provider has IP address anonymisation enabled. This means that your IP address is shortened by Google within the member states of the European Union or other contracting states to the Agreement on the European Economic Area.
Exceptionally, only in rare cases will the full IP address be transmitted to a Google server in the USA and shortened there. Google states that the IP address transmitted by your browser will not be merged with other Google data within the scope of Google Analytics. You can obtain further information on the processing of data by Google here: https://policies.google.com/privacy
- Google My Business
We use Google My Business for customer acquisition with optimized company profiles including the possibility of statistical analysis and contacting users. Cookies from Google are stored on your device. The following personal data is processed by Google My Business:
- Contact data / Company data
- Address data
- E-mail addresses
- Phone number
- Opening hours
- Location data
- Credit card data
- Reviews
- IP address
Further information on the collection and storage of data by Google My Business can be found at: https://policies.google.com/privacy
- Google Tag Manager
With Google Tag Manager, tags from Google and third-party services can be managed and bundled and embedded on an online presence.
Tags are small code elements on an online presence that are used, among other things, to measure visitor numbers and behaviour, capture the impact of online advertising and social channels, use remarketing and targeting, and test and optimize online presences.
When you visit the online presence, the current tag configuration is sent to your browser. It contains statements about which tags are to be triggered. Google Tag Manager triggers other tags that may themselves collect data.
For more information about the Google Tag Manager, please visit https://www.google.com/intl/de/tagmanager/faq.html and see Google's privacy policy: https://policies.google.com/privacy?hl=es
You will find information on this in the passages of the privacy policies referring to the use of the corresponding services in this data protection declaration. Google Tag Manager does not access this data.
- Hotjar
Hotjar uses cookies, i.e. small text files, which are stored locally in the cache of your web browser on your end device and which enable an analysis of the use of our online presence by you.
Personal data can thus be stored and evaluated, in particular your activity (specifically which pages have been visited and which elements have been clicked on), device and browser information (in particular the IP address and the operating system) and a tracking code (pseudonymised user ID).
The information thus collected will be transferred by Hotjar to a server in Ireland and stored there in an anonymised form. Further information on the collection and storage of data by Hotjar can be found at: https://www.hotjar.com/legal/policies/privacy
- Sendgrid
We use the service provider Sendgrid of SendGrid, Inc., to send e-mails and notifications.
SendGrid is a cloud-based SMTP provider that acts as an email delivery system and allows emails to be sent without its own email server. SendGrid manages the technical details of email delivery, such as infrastructure scaling, reputation monitoring and real-time analytics.
Cookies and web beacons (tracking pixels) are used in e-mails sent by Sendgrid. These allow you to see whether the e-mail sent via the SendGrid platform has been delivered, opened, clicked, blocked or treated as spam. As a rule, the following data is processed:
- IP address
- Browser types
- Log files
- Information about the operating system
- Information about the connection
- Which pages are displayed
- Which parts of the services are used
- Information about the performance of the services
- Metrics about the deliverability of e-mails and other electronic communication
Further information on the collection and storage of data by Sendgrid can be found here: https://sendgrid.com/policies/privacy/services-privacy-policy/
- Securiti.Ai
Securiti.Ai offers a cookie consent management solution designed to handle the collection and management of user consent regarding cookie usage and online tracking.
Purpose:
Securiti.Ai’s cookie management system informs users about the cookies utilized on our website. It allows users to deactivate specific cookie groups, except for essential cookies necessary for the website’s proper functioning. This ensures compliance with data protection regulations.
Data Processed:
In accordance with Art. 7 para. 1 UK GDPR, Securiti.Ai records and stores your consent or refusal. The data processed includes:
- The anonymized IP address of the user.
- Date and time when consent was provided.
- User’s browser information.
- Categories of Cookies to which consent was given.
- The URL where consent was given.
- An anonymous, randomly generated, encrypted key.
- The consent status of the user, which serves as proof of consent.
- Domain URL
Cookie Storage:
Cookies from Securiti.Ai are stored on your device. The key and consent status are saved in your browser as notified in Strictly Necessary Cookie Category section for Securiti.Ai. This allows the website to automatically recognize and adhere to your consent across subsequent page visits and future sessions for up to 12 months.
Data Hosting:
All data is hosted on secure cloud infrastructure provided by Amazon Web Services (AWS) and Google Cloud Platform (GCP). AWS and GCP are responsible for securing the underlying cloud infrastructure, while Securiti.Ai secures the workloads deployed on them. These environments undergo continuous auditing and hold certifications from various accreditation bodies, including ISO 27001, FedRAMP, DoD CSM, and PCI DSS. You can learn more about their practices here: [AWS](https://aws.amazon.com/compliance/) and [GCP](https://cloud.google.com/security/compliance).
Certifications:
Securiti.Ai is SOC2 Type II certified and holds ISO 27001:2013 and ISO 27701:2019 certifications. A copy of the SOC2 certificate can be made available upon request to prospective and current customers.
Securiti.Ai solution is designed to utilize multiple availability zones within an AWS or GCP region, and it autoscales as needed to ensure a highly available and reliable service.
For further information on data processing by Securiti.Ai, please visit [Privacy Policy](https://www.security.ai/privacy-policy).
Integration of plugins via external service providers
We integrate certain plugins on our website via external service providers in the form of content delivery networks. When you access our website, a connection is established to the servers of the providers used by us to retrieve content and store it in the cache of your browser. This allows personal data to be stored and evaluated in server log files, in particular device and browser information (e.g. IP address and operating system). We use the following services:
- Google Hosted Libraries
- The use of the functions of these services serves the delivery and acceleration of online applications and content. You can find information on objection and removal options regarding Google at: https://policies.google.com/privacy?hl=en
Changes to this Privacy Notice
We may change or update this notice from time to time by posting a new privacy notice on our website (https://www.nerivio.co.uk). Please keep checking this notice occasionally so that you are aware of any changes.