Freetesting.hiv is operated by SH:24 in partnership with the Department of Health and Social Care and English local health authorities.
SH:24 respects your privacy and is committed to protecting your personal data.
This privacy policy will inform you as to how we look after your personal data and sets out the basis on which any personal data we collect from you, or that you provide to us, will be processed by us.
Your visit to freetesting.hiv collectively referred to as the “Site” and is subject to the terms set out in this privacy policy.
Please read the following carefully to understand our views and practices regarding your personal data and how we will treat it.
For the purposes of this service SH:24 Community Interest Company (collectively referred to as "SH:24", "we", "us" or "our" in this privacy policy) is the data processor and is responsible for processing your personal data. Department of Health and Social Care and the local authorities where users reside are the data controllers.
If you have any questions about this Privacy Notice, including any requests to exercise your legal rights, please contact
Personal data, or personal information, means any information about an individual from which that person can be identified.
It does not include data where the identity has been removed (anonymous data).
We may collect, use, store and transfer different kinds of personal data about you when you do so which we have grouped together follows:
Identity Data includes first name, maiden name, last name, username or similar identifier, marital status, title, date of birth and gender.
Contact Data includes delivery address, email address and telephone numbers.
Health Data includes any information about your physical health including your medical history and/or current health status including but not limited to data regarding test results, diagnoses and medications.
Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access this Site.
Usage Data includes information about how you use our Site, products and services.
We also collect, use and share aggregated data such as statistical or demographic data for any purpose.
Aggregated data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.
For example, we may aggregate your usage data to calculate the percentage of users accessing a specific website feature.
However, if we combine or connect aggregated data with your personal data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.
We do not collect, use and / or share any of your personal data for marketing purposes.
We know that data security is important to you and it is therefore important to us.
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed.
In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know.
They will only process your personal data on our instructions in accordance with this policy and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
We use SMS (text messaging) a lot. We think it’s the best and most private way to keep you up to date with the progress of your order with us, whether it’s for STI testing, contraception or support and advice.
Most phone handsets provide a preview of incoming SMS on receipt - be aware that this may make your interaction with SH:24 visible to people around you.
However, it is possible to adjust your phone’s settings to prevent SMS previewing – very easy to change on most handsets. Learn more by visiting:
You may also wish to periodically delete your SMS history with us, just in case you lose your handset.
We use different methods to collect data from and about you including through:
Direct interactions
You may give us any of the categories of data identified above by filling in forms on our Site or by corresponding with us by phone, e-mail or otherwise.
Automated technologies or interactions
As you interact with our Site, we may automatically collect Technical Data about your equipment, browsing actions and patterns.
We collect this personal data by using cookies, and other similar technologies. We may also receive Technical Data about you if you visit other websites employing our cookies.
Please see our cookie policy for further details.
Identity and Contact Data from data brokers or aggregators such as Google Analytics (or similar organisations) based inside the EU.
Why we will use your data
The lawful basis for processing are set out in Article 6 and 9 of the General Data Protection Regulation (GDPR), as amended in the UK following the UK’s withdrawal from the European Union.
We may process your personal data on more than one lawful ground depending on the specific purpose for which we are using your data.
At least one of these must apply whenever we process personal data:
Consent: you have given clear consent for us to process your personal data for a specific purpose. You can let SH:24 know at any time that you would like to withdraw your consent and this will be reviewed. Please note that, under certain circumstances, if you withdraw your consent, we cannot always delete your data. Where this is the case, we will inform you before you give your consent (for example, during the order journey on our website). For more information, please see the section on ‘your legal rights’ below.
Contract: the processing is necessary for a contract we have with you, or because you have asked us to take specific steps before entering into a contract.
Legal obligation: the processing is necessary for us to comply with the law (not including contractual obligations).
Vital interests: the processing is necessary to protect someone’s life.
Public task: the processing is necessary for us to perform a task in the public interest or for our official functions, and the task or function has a clear basis in law.
Legitimate interests: the processing is necessary for our legitimate interests or the legitimate interests of a third party unless there is a good reason to protect your personal data which overrides those legitimate interests.
Healthcare provision: the processing of data concerning your health is necessary for us to provide you with a medical diagnosis and/or healthcare treatment.
For more information on how we process your personal data and what lawful basis we rely on please see the table below.
Reason | Lawful Basis | Additional legal basis for special categories of personal data |
Handling an initial request for a test kit and/or other services provided by SH:24. | The use is necessary in order to take steps so that you can enter into a contract with us for the delivery of healthcare. The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. | This is necessary to provide you with a medical diagnosis and/or healthcare treatment. |
Processing information about your sexual or medical history | The use is necessary in order to take steps so that you can enter into a contract with us for the delivery of healthcare. The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. | This is necessary to provide you with a medical diagnosis and/or healthcare treatment. |
Providing healthcare (or health assessment) and related services. | This is necessary to provide you with a medical diagnosis and/or healthcare treatment. | This is necessary to provide you with a medical diagnosis and/or healthcare treatment. |
Administration and management of healthcare services (such as maintaining records including patient medical records, receiving professional advice, and sharing your information with your GP where relevant). | The use is necessary for fulfilling our contract with you for the delivery of healthcare. The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. | This is necessary to provide you with a medical diagnosis and/or healthcare treatment. |
Communicating with you and resolving any queries or complaints that you might have, including responding to any data subject rights. | The use is necessary for fulfilling our contract with you for the delivery of healthcare. The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. | The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services. The use is necessary in order for us or a third party to establish, exercise or defend our legal rights. |
Complying with our legal and regulatory requirements including investigating complaints or claims and defending or exercising our legal rights. | The use is necessary for compliance with a legal obligation. The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights. | This is necessary to provide you with a medical diagnosis and/or healthcare treatment. The use is necessary in order for us to establish, exercise or defend our legal rights. |
Provision of feedback to help us improve our services. | The use is necessary for fulfilling our legitimate interests (e.g. to help us improve our service) and those interests are not overridden by your privacy rights. |
Find out more about the types of lawful basis that are available to process your personal data.
We may have to share your personal data with the parties below in order to provide our services to you.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law.
We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
Examples of our third parties include:
We transfer personal data from the UK to the EEA, which the UK government has recognised as adequate for the purposes of the UK implementation of the GDPR. We may also transfer personal data from the UK to the US on the basis of the EU approved standard contractual clauses.
Consider whether you want a digital log of your visit to sh24.org.uk to be recorded in your browser.
If you don’t want a record to be kept, you can choose to delete your browser history afterwards or view our pages in incognito mode / private browsing, which won’t store your browser history, cookies, or search history after you’ve closed your browsers. However, you are not invisible.
Using incognito mode / private browsing does not hide your browser history from your internet service provider, SH:24 or your employer (if you are using a company device).
You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies.
If you disable or refuse cookies, please note that some parts of this Site may become inaccessible or not function properly.
For more information about the cookies we use, please see cookies.
We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose.
If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please Contact us.
If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.
Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.
We will only retain records in accordance with the minimum periods required by law, NHS directions, orders and guidance, and guidance published by the British Association for Sexual Health and HIV. This means that we will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our records management policy which you can request from us by contacting us.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
You have certain rights in respect of your Personal Data. These rights include:
You have the right to be informed about the collection and use of your personal data. We ensure we do this with our internal and external Privacy Notices (including this document). These are regularly reviewed and updated to ensure these are accurate and reflect our data processing activities.
You have the right to access the Personal Data that we hold about you in many circumstances, by making a request. This is sometimes called a ‘Data Subject Access Request’. If we agree that we are obliged to provide Personal Data to you (or someone else on your behalf), we will provide it to you or them free of charge and aim to do so within 1 month from when your identity has been confirmed. We would ask for proof of identity and sufficient information about your interactions with us that we can locate your Personal Data. If you would like to exercise this right, please contact us as set out below.
If any of the Personal Data we hold about you is inaccurate, incomplete, or out of date, you may ask us to correct it. We will take steps to confirm your identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.
Please note that there may be circumstances where the data we hold about you cannot be rectified for legal reasons, such as insertions onto your medical record. However, where you indicate to us that the data is inaccurate, or you dispute the accuracy, we will add a clear note to the file to indicate that this is the case.
You have the right to have personal data erased. This is also known as the ‘right to be forgotten’. The right is not absolute and only applies in certain circumstances. For instance, the right to erasure does not apply where we have a legal obligation to retain your Personal Data. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.
There will be occasions where you ask us to delete your data, but where we are unable to do so. An example is where we have a legal obligation to process the data about you for a specific period of time. If this is the case, we will respond to you to advise you of this. Please note that if you provide us with information that forms part of your medical record, we will not be able to delete this information (after the order is placed, this will include your answers to the questions that we ask on our website). Additionally, if we have sent out a testing kit to you, we will be unable to delete your data. This is because once a test kit is sent out, we cannot determine whether or not you go ahead and submit the test to a laboratory. If we delete your data at this point and you decide to go ahead with the test, we would have no way of informing you of the results of the test.
You have the right to ask us to restrict the processing of your personal data. For example, this may be because you have issues with the accuracy of the data we hold or the way we have processed your data. The right is not absolute and only applies in certain circumstances. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.
Where we are processing your Personal Data on the lawful bases of consent or contractual obligation, the right to portability gives you the right to receive personal data you have provided to a controller in a structured, commonly used, and machine-readable format. It also gives you the right to request that a controller transmits this data directly to another controller. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.
You have the right to object to our processing of some or all of the personal data that we hold about you. This is an absolute right when we use your data for direct marketing but may not apply in other circumstances where we have a compelling reason to do so, e.g., a legal obligation. We would ask for proof of identity in order to process this Request. If you would like to exercise this right, please contact us as set out below.
You have the right to object to our processing where a decision is made about you solely based upon automated processed and which has significant or legal effects. At SH:24, no decisions are made about you based solely on automated processing, including profiling, where that decision has a significant or legal effect. If you would like to contact us regarding this right, please contact us as set out below.
Where the lawful basis for processing your Personal Data is your Consent, you can withdraw your consent at any time, and we will no longer process your Personal Data for that purpose going forward. If you would like to exercise this right, please contact us as set out below.
As stated elsewhere in this notice, please note that there may be circumstances where you withdraw your consent, but we will not be able to delete the data that we hold about you. However, if you withdraw your consent, we will provide the next steps to give you the options to remove yourself from any further activity, for which you originally gave your consent. The data that we hold will only be kept on file to comply with the legal obligations to which we are subject, such as maintaining your medical record.
Where we are processing your Personal Data for the purposes of direct marketing, you can object to this purpose, and we will no longer process your Personal Data for this purpose going forward. If you would like to exercise this right, please contact us as set out below.
You can make a complaint to the Information Commissioner’s Office (ICO), or any other supervisory authority, at any time about the way we use your information. You can contact the ICO through their website located here. However, we hope that you would consider raising any issue or complaint you have with us first. Your satisfaction is extremely important to us, and we will always do our very best to solve any problems you may have.
We do not seek or knowingly collect any personal information about children under 13 years of age. If we become aware that we have unknowingly collected personal information from a child under the age of 13, we will make commercially reasonable efforts to delete such information from our database. If you are the parent or guardian of a minor child who has provided us with personal information, you may contact us using the information below to request it be deleted.
Depending on your jurisdiction, it is possible that a different regulator or supervisory authority may govern the processing of Personal Data. Your government’s website should be able to point you in the right direction of the relevant regulatory body. If you are a Data Subject in the EU, you can find your country’s regulatory body here. If you have any questions about which supervisory authority applies in your jurisdiction, please contact us as set out below.
In the UK, the Information Commissioner's Office (ICO) regulates data protection and privacy matters. They make a lot of information accessible to consumers on their website.
If you have any questions about this Privacy Notice, or should you need to raise a complaint concerning your Personal Data, please contact us at dpo@sh24.org.uk.