Be Healthy Bucks is committed to ensuring all information we collect and process is secure and that information is always kept confidential.

Be Healthy Bucks is commissioned by Buckinghamshire Council, and for the purposes of the programme both Be Healthy Bucks and Buckinghamshire Council are joint controllers under UK-GDPR.

Data protection and confidentiality are essential aspects of the ethical codes of conduct, professional body guidelines and codes of practice that we and our employees are required to adopt. These are central to the relationship that we have with our employees and service providers as well as our customers and their families.

Services we provide

  • Adult Weight Management
  • Child Weight Management
  • Alcohol Reduction Support
  • Smoking Cessation Support
  • NHS Health Checks
  • Online / Digital Behaviour Change Support
  • Onward referral to third party healthy lifestyle service providers, such as exercise on referral


Data we hold about you and why

Personal data means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

  • Identity Data

includes first name, last name, username or similar identifier, marital status, title, date of birth and gender.

  • Contact Data

includes address, email address, telephone numbers, parental contact details

  • Special Category or Wellbeing Data

includes translation requirements, NHS number, GP surgery details, disability status, height, weight, BMI, smoking status, physical activity status, alcohol consumption levels, long-term health condition information, weight management service history, anxiety/PHQ assessment information, sleeping status, or ethnic origin.

  • Technical Data includes information about your internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices you use to access this website.
  • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, feedback and survey responses.
  • Usage Data includes information about how you use our website, products and services.
  • Marketing and Communication Data includes your preferences in receiving marketing from us and our third parties and your communication preferences.


Aggregated Data

We also collect, use and share Aggregated Data such as statistical or demographic data for any purpose. Aggregated Data may be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity, however, if we combine or connect Aggregated Data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

We will only use your personal data when the law allows us to, usually in the following circumstances:

  • Where we need to perform the contract, we are about to enter or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal obligation.
  • Where we have your consent before the processing starts.


The table below describes the ways we plan to use your personal data, and which legal base(s) we rely on to do so. We have also identified legitimate interests where appropriate.


Purpose/ActivityType of dataLawful basis for processing including basis of legitimate interest
To register you as a new participant


·     Identity

·     Contact

·     Technical

·     Public Interest (UK GDPR Article 6(1)(e))


Providing the services to you, and managing our relationship with you, which will include:

·       Notifying you about changes to our services, our terms or privacy policy

·       Asking you to review our services and / or complete a survey

·     Identity

·     Contact

·     Profile

·     Special Category or Wellbeing Data


·     Public Interest (UK GDPR Article 6(1)(e))

·     Necessary to comply with a legal obligation (UK GDPR Article 6(1)(c))

·     Necessary for our legitimate interests (to keep our records updated and to study how users engage with our products/services) (UK GDPR Article 6(1)(f))

·     Substantial Public Interest (UK GDPR Article 9(2)(g))

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)·     Identity

·     Contact

·     Technical or Device

·     Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, and to prevent fraud) (UK GDPR Article 6(1)(f))

·     Necessary to comply with a legal obligation (UK GDPR Article 6(1)(c))

To deliver relevant website content to you and measure or understand the effectiveness of the advertising we serve to you·     Identity

·     Contact

·     Profile

·     Usage

·    Technical

·     Public Interest (UK GDPR Article 6(1)(e))

·     Necessary for our legitimate interests (to study how customers use our products/services and to develop them) (UK GDPR Article 6(1)(f))

To use data analytics to improve our website, products/services, marketing, customer relationships and experiences·     Technical

·     Usage

·     Consent (UK GDPR Article 6(1)(a))

·     Necessary for our legitimate interests (to define types of customers for our products and services, to keep our website updated and relevant) (UK GDPR Article 6(1)(f))

To enable you to partake in a prize draw, competition or complete a survey·       Identity

·       Contact

·       Profile

·       Usage

·       Marketing and Communications

·       Consent (UK GDPR Article 6(1)(a))

·       Necessary for our legitimate interests (to keep our records updated and to study how users engage with our products/services) (UK GDPR Article 6(1)(f))


To refer you to other related services, provided by the Council, or other third parties on their behalf, that may be of interest to you


·       Identity

·       Contact

·       Profile

·       Location

·       Marketing and Communications

·       Special Category or Wellbeing Data


·       Consent (UK GDPR Article 6(1)(a))

·       Public Interest (UK GDPR Article 6(1)(e))

·       Necessary to comply with a legal obligation (UK GDPR Article 6(1)(c))

·       Necessary for our legitimate interests (to keep our records updated and to study how users engage with our products/services) (UK GDPR Article 6(1)(f))

·       Substantial Public Interest (UK GDPR Article 9(2)(g))



We may process your personal data for more than one lawful basis depending on the specific purpose for which we are using your data. If you require further details regarding the specific lawful basis we are relying on to process your personal data, please contact us.


How do we collect your personal data?

We use different methods to collect data from and about you including through:

  • Direct interactions.

You may give us your Identity, Contact, Special Category Data by using our portal, by filling in forms or by corresponding with us by post, phone, email or otherwise. This includes personal data you provide when you complete any lifestyle or other assessment with us, create an account on our website, or apply for or subscribe to our services.

  • Automated technologies or interactions.

As you interact with our website and our App, we will automatically collect Technical Data about your device or equipment, browsing actions and patterns. We collect this personal data by using cookies and other similar technologies. Please see our cookie policy here for further details.

  • Third parties.

We will receive personal data about you from various third parties as set out below:

○    Identity, Contact and Special Category from the following parties:

  • Local authorities, health or social care professionals and your GPs where those parties have completed a referral on your behalf; and
  • Other mobile application providers such as Google Health, Fitbit, and Apple Health to the extent that you opt-in to sync those applications with our platform.

○   Technical Data from the following parties:

  • analytics providers such as Google based outside the UK; and
  • advertising networks such as Facebook and Instagram based outside the UK.

Call Recording

Not all calls are recorded although we may record and/or monitor phone calls and/or consultations to:

  • Improve the quality of the services we provide.
  • Train and provide our employees with feedback.
  • Resolve any complaints or concerns that may arise.

Recordings are held in an encrypted state on our servers for up to 2 years after which they are fully deleted. Controls are in place to ensure that only authorised staff have access to phone recordings, and where it is held by us, we can provide a copy of any recording relating to an individual on request.

Please tell us as soon as possible or at the start of a call if you have any concerns with your call being recorded.

Audit and Reporting

We may audit records as part of our contractual requirements with the commissioner of the Be Healthy Bucks programme. When we provide aggregated reports, data will be anonymised, so no individual will be identifiable except in limited circumstances.

Customer Satisfaction Surveys and Feedback

Where we invite you to take part in a customer satisfaction survey, or you provide feedback via forms on this website, any data you provide will be handled in line with this privacy statement.

Right of Access Requests

Individuals may request copies of their records or parts thereof, at any time.

Where applicable, using your portal account you can access some of the information relating to your cases(s) directly.

If you require more information, you can submit a Right of Access Request (RoAR).

If you require access to your records, we ask that the request be made in writing to ensure the security of sensitive data.

You can send a letter or email, which must include the following information:

  • Full Name (including any previous names used)
  • Date of birth
  • Email /Address

You should also, where possible, include proof of identity which includes your signature. On receipt of your request, we may require further information to enable us to locate your records and we may make additional security checks to ensure you are who you say you are. This is designed to protect your personal information.


Further information

If you have any questions about this privacy statement, want to exercise your rights or want to make a complaint about how Be Healthy Bucks has processed your information please email: 

The ICO is the government body responsible for data protection in the United Kingdom. Should you have any queries regarding data protection there is further information available on the UK’s ICO website at