Twenty One Again
Privacy Policy

Twenty One Again is on a mission to become the go-to global platform for online health. Through this website (our “Site”) we provide people with easy access to advice, medical support, and treatment choices they need to help them make proactive decisions about their wellbeing.

We understand that lengthy legal documents are no fun. However, we ask that you read this Privacy Notice (“Notice”) carefully as it contains important information including who we are, how and why we collect, store, use and share personal information, your rights in relation to your personal information, and how to contact us or the supervisory authority in the event you have a complaint.

We have designed this policy to be as user-friendly as possible. Click on the headings on the left hand side to navigate directly to the topic.

What does this Privacy Policy cover?

This Notice covers any personal information we might collect from you or which we have obtained about you from a third party: (1) when you use our Site; (2) when you register an account with us, (3) when you purchase our products or services, (4) when you interact with our social media channels, (5) when you provide feedback, take part in market research or user testing, or provide customer testimonials, (6) where you provide services to us as a Supplier, or (7) where you have requested to receive information about our products and services.

Our Site, products and services are not intended for individuals under the age of 18, and we do not knowingly collect data relating to children.

If you do not agree with the contents of this Notice, you should not sign-up for an account, purchase products or services, or otherwise submit information to us.

Who collects information about you?

Twenty One Again is responsible for the personal information it collects, stores, uses and shares. When we do so we are responsible as a ‘controller’ of that personal information. When we refer to “Twenty One Again”, “we”, “our”, “us” or “the Company” in this Notice we are referring to IAM REWARD LTD (company number 13893603). For details of how to get in touch, please see the “Contact Us” Section of this Notice.

Useful Terms
In this Privacy Policy:

“Customer” means individuals who register an account on the Site who may or may not purchase products or services from Twenty One Again.

“Website Visitors” means individuals who visit our Site. Website Visitors may include Customers.

“Suppliers” means those external vendors and suppliers that provide products and/or services to Twenty One Again.

“Personal information” or “personal data” means any information about an individual from which that person can be directly or indirectly identified. It does not include data where the identity has been removed (i.e. anonymous data).

What personal information do we collect?

We may collect, use, store and transfer different kinds of personal information about you which we have grouped together as follows:

  • Identity Data such as your first name, last name, username, password, date of birth, user or device identifiers, job title and company.
  • Contact Data such as your email address, home address, business address, telephone number, and professional and/or social network contact details.
  • Financial Data which may include (i) credit card and/ or billing information so that we can take payment from you and verify your location and address details, (ii) your bank details so that we can pay for the services you provide to us (if this is part of the contractual arrangements between us).
  • Transaction Data such as information about payments and details of purchases you have made. In certain circumstances, Transaction Data may include Health Data.
  • Technical Data such as your internet protocol (IP) address, browser type and version, time zone setting and location, referral sources, browser plug-in types and versions, operating system and platform and other technology on the devices you use to access the Site.
  • Usage Data which may include information about how you use our Site (for example, information on the pages you have visited, the length of your visit, and actions taken), or social media channels.
  • Audio/Visual Data including your image and/or voice.
  • Assessment Data which may include information provided in response to questionnaires on the Site, and/or consultations with clinicians, to assess your suitability for a particular product or service. In certain circumstances, Assessment Data may include Health Data.
  • Feedback Data which may include any feedback you provide to Twenty One Again when you take part in user testing or market research, or when you agree to provide customer testimonials. Depending on the feedback you provide, Feedback Data may include Health Data.
  • Marketing and Communications Data including your preferences in receiving marketing or other communications from us.
  • Health Data includes information about your current health or medical history, for example, details of any health conditions or consultation notes.
How will we use your personal information?
Customers

When you create a user account on the Site, we will collect your Identity Data and Contact Data. To manage and administer your account we will process your Identity Data, Contact Data, Technical Data, Usage Data, Transaction Data, Assessment Data, Audio/Visual Data and Marketing and Communications Data. We need certain information from you, including your Assessment Data, to assess your suitability for treatments. Depending on the product or service you are interested in, we may also need to process your Audio/Visual and/or Health Data for this purpose. When you purchase products or services, we will use your Identity Data, Contact Data, Transaction Data and Financial Data to process and fulfil the transaction. Where necessary, we will also process your Audio/Visual and/or Health Data to assess your suitability and prescribe prescription medication.

Certain of our products and services either require you, or allow you, to consult with a medical professional to ascertain your needs, provide advice, and/or recommend relevant products or services. In order to facilitate and conduct these consultations we will process your Identity Data, Contact Data, Audio/Visual Data, and Assessment Data.

We may process some of your data in an anonymised form for clinical research purposes, to improve our services and treatments, and to contribute to a greater public understanding of how to make health treatment more engaging and effective. We will not provide third party researchers with data that identifies you personally, unless you have provided explicit, informed consent to this or there is legal justification to provide this information.

If you agree to take part in market research or user testing, provide a customer testimonial for use on our Site or in other promotional material, or otherwise provide feedback to Twenty One Again, we may process your Identity Data, Contact Data, Transaction Data, Audio/Visual Data and Feedback Data.

If you sign up to our mailing list, or during the checkout process, you tick the box to receive information on freebies, product discounts and special offers, we will use your Contact Data and Marketing and Communications Data to send you information about our products and services in accordance with your marketing preferences.

We may also use your Contact Data and Marketing and Communications Data to deliver advertisements via social media channels (including Facebook, Twitter, Instagram, and Tik Tok), in accordance with your marketing preferences. When you interact with our channels, the relevant social media company will also process your personal data as joint controllers. For more information we would encourage you to review the privacy notices published by the relevant social media company.

As a Customer, we may also use:

Your Identity Data, Contact Data and Transaction Data to administer and manage our relationship with you, such as responding to communications.

Your Contact Data to send transactional and service messages in relation to your order or account.

Your Identity Data, Contact Data, Transaction Data, Financial Data, Audio/Visual Data and Assessment Data to provide customer service and support.

Your Identity Data, Contact Data, Transaction Data, Assessment Data, Usage Data and Technical Data to help us detect and fix technical problems and to maintain the Site.

Your Identity Data, Contact Data, Transaction Data, Assessment Data, Audio/Visual Data, Usage Data and Technical Data to analyse, assess and improve the Site and the product and service offerings.

Your Identity Data, Contact Data, Transaction Data, Technical Data, Usage Data, Assessment Data, Audio/Visual Data, Feedback Data and Assessment Data for the day-to-day running of our business (for example, administering and maintain a centralised data warehouse, data back-up and recovery, obtaining appropriate insurance policies etc.).

Any of the categories of personal data listed above as necessary to comply with legal or regulatory requirements or to help us establish, exercise or defend legal claims.

Website Visitors

When you visit our Site, we automatically collect Technical Data and Usage Data about you through our and our technology partners’ use of cookies and similar technologies (for more information about this, please see our Cookie Policy) to deliver relevant website content to you, to measure and understand the effectiveness of the content we serve you, to improve our Site content, marketing and user experience, and to administer and protect the Site.

If you take one of our pre-treatment assessments as an unregistered user, we will process your Identity Data and Assessment Data to assess your suitability for treatment.

If you use the contact address shown on our Site to get in touch with us, we will collect your Identity Data and Contact Data together with the contents of your message.

Social Media Users

We use social media channels (including Facebook, Twitter, Instagram, and Tik Tok) to advertise Twenty One Again’s products and services. If you follow or otherwise engage with our social media channels, we will collect Usage Data and Technical Data to analyse how users interact with those channels. If you use social media to send us messages or posts, we may use your Contact Data together with the contents of your message to communicate with you. If you engage with advertisements published on social media channels, we may collect your Identity Data, Contact Data and Marketing and Communications Data in accordance with your marketing preferences.

When you interact with our channels, the relevant social media company will also process your personal data for the purposes set out above as joint controllers. For more information we would encourage you to review the privacy notices published by the relevant social media company.

Suppliers

If you are a Supplier, we collect Identity Data, Contact Data, Transaction Data, and Financial Data about you, or individuals at your organisation, in the course of the creation, negotiation and management of contracts and receiving products or services from you.

As a Supplier, we may also use:

Your Identity Data, Contact Data, and Transaction Data to store (and update where necessary) your contact details on our database, so that we can contact you in relation to our agreements and the services you provide.

Your Identity Data, Contact Data, Transaction Data and Financial Data to administer and manage our business relationship with you and to obtain services from you.

Your Identity Data, Contact Data, and Financial Data to comply with legal or regulatory requirements.

Any of the categories of personal data listed above as necessary to comply with legal or regulatory requirements or to help us establish, exercise or defend legal claims.

Other Individuals

If you agree to take part in market research or user testing, we may process your Identity Data, Contact Data, Audio/Visual Data and Feedback Data in order to analyse your feedback and identify areas for improvement in the Site and/or our products and services.

What is our legal basis for processing your personal information?

If you are a Customer:

Where we process your personal information to create, administer and manage your user account, to assess your suitability for treatments and to process and fulfil transactions, this processing is necessary to perform the contract we have entered into with you.

In the event that we process your Health Data for the above purposes, this processing is necessary for health care purposes (medical diagnosis, the provision of health care or treatment, and the management of health care systems or services) and is carried out under the responsibility of a health professional.

Please be aware that where we are processing your health data (including photos) on the basis of necessity for healthcare purposes, you will not necessarily have the right to erase that data. The integrity of health information is an important element of Clinical Governance and necessary to maintain a safe prescribing service with auditable records of care.

Where we process your personal information to obtain your feedback for market research, user testing, or customer testimonials, or to send you information about our products and services, we do so on the basis of your consent.

Where we process your personal information to administer and manage our relationship with you, to send transactional and service messages, to provide customer service and support, to help detect and fix technical problems and to maintain the Site, to analyse, assess and improve the Site and the product and service offerings, for the day-to-day running of our business, or to help us establish, exercise or defend legal claims, we consider this is necessary for our legitimate interests and that your interests and fundamental rights do not override those interests.

If we are legally required to process your personal information to comply with legal or regulatory requirements (such as disclosure to a regulator) we do so on the basis of compliance with a legal obligation.

If you are a Website Visitor:

Where we process your personal information to deliver relevant website content to you, to measure and understand the effectiveness of the content we serve you, to improve our Site content, marketing and user experience, to administer and protect the Site, and to receive, review and respond to messages sent to the contact address on our Site, we consider this is necessary for our legitimate interests and that your interests and fundamental rights do not override those interests.

Where we process your personal information provided through one of our pre-treatment assessments, this processing is necessary to take pre-contractual steps at your request with a view to entering into a contract with you. In the event that we process your Health Data for this purpose, this processing is necessary for health care purposes (medical diagnosis, the provision of health care or treatment, and the management of health care systems or services) and is carried out under the responsibility of a health professional.

Where we use cookies to collect personal information for the purposes of data analytics, we do so on the basis of your consent (for more information about this, please see our Cookie Policy).

If you are a social media user:

Where we process your information to analyse engagement with our social media channels and to communicate with you, we consider this is necessary for our legitimate interests and that your interests and fundamental rights do not override those interests.

Where we process your information to send you information about our products and services, we do so on the basis of your consent.

If you are a Supplier:

Where we process your personal information in the course of the creation, negotiation and management of contracts and receiving products or services from you, this processing is necessary to perform the contract we have entered into with you.

We will rely on legal obligation if we are legally required to hold or disclose your personal information to comply with legal or regulatory requirements, such as disclosure to regulators.

Where we process your information to administer and manage our business relationship with you, and for all other purposes listed above, we consider this is necessary for our legitimate interests and that your interests and fundamental rights do not override those interests.

Other individuals:

Where we process your personal information to obtain your feedback for market research or user testing, we do so on the basis of your consent.

How do we collect personal information about you?

We may collect information from the following sources:

Directly from you: This is the information you (or an individual with authority to act on your behalf) has provided to us for the purposes set out in this Notice. It includes any information you provide to us when consulting with one of our clinicians, and when you interact with us by phone, email, web form or otherwise.

Third-party sources: Where you are a Supplier, this will include information about you or your colleagues that is available through publicly available sources, such as professional networking sites (including LinkedIn) and general market research. Information we collect automatically: When you visit our Site, we collect certain Technical and Usage Data automatically from your device.

Who do we share your personal information with?

We may share and disclose your personal information with the following categories of third parties for the purposes described in this Notice:

Partner Clinicians. When you register a user account and purchase a product or service, your contract is with Twenty One Again. However, in order to provide our services to you, Twenty One Again may provide your personal information to our Partner Clinicians who will act as independent data controllers in respect of that information. These clinicians provide services to Twenty One Again including holding patient consultations, assessing the clinical appropriateness of treatment, and prescribing medication. Our Partner clinicians are all registered in the United Kingdom with the General Pharmaceutical Council, hold accredited pharmacist independent prescriber qualifications, and are trained in providing remote consultations and issuing prescription medicine online. Please see our general Website Terms of Use and Terms of Sale for further information on our Partners’ roles.

Our Medical Service Delivery Partners. For the provision of blood test services, Twenty One Again engages as its subcontractor its subsidiary company, INUVI DIAGNOSTICS LIMITED (“Inuvi”). Inuvi will use your personal information that we transfer to them to provide its services, specifically to:

Register you as a user of our service
Process your orders and provide your details: (a) to our clinicians to assess your medication needs; and (b) our pharmacy and doctors to enable you to purchase the applicable medication Process your orders and sell, supply, dispense and post prescription medicines to you in accordance with the Terms of Sale and the Website Terms and Conditions Manage our relationship with you (for example by dealing with any queries you raise or notifying you about changes to our terms or asking for feedback on our service) For more information on how Inuvi and our Medical Service Delivery Partners will process your data, please see their Privacy Policy.

For the provision of supplement purchase and delivery services, Twenty One Again engages as its subcontractor its subsidiary company, Troo Health Care Limited (THCL). THCL will use your personal information that we transfer to them to provide its services, specifically to:

  • Process your orders for supplements and manage delivery logistics
  • Provide customer service and address any queries related to supplement purchases

For the provision of Hair Transplant services, Twenty One Again engages as its subcontractor its subsidiary company, MEDICAL FIVE LIMITED (“My Cosmetic Centre”). My Cosmetic Centre is registered with the Care Quality Commission (CQC) and will use your personal information that we transfer to them to provide its services, specifically to:

Register you as a user of our service
Process your orders and provide your details: (a) to our clinicians to assess your medication needs; and (b) our pharmacy to enable you to purchase the applicable medication Process your orders and sell, supply, dispense and post prescription medicines to you in accordance with the Terms of Sale and the Website Terms and Conditions Manage our relationship with you (for example by dealing with any queries you raise or notifying you about changes to our terms or asking for feedback on our service) Service providers. We use a number of Suppliers who perform functions on our behalf and/or help us in providing the products and services to you, such as cloud-based software providers, online storage providers, web hosting providers, email service providers, and web analytics providers.

Our service providers are required to keep your personal information strictly confidential and are not allowed to use it for any other purpose than to carry out the services they are performing for us.

Professional advisors. We may disclose personal information to our professional advisers, such as lawyers, auditors, accountants, and insurers, if necessary, as part of the professional services they are performing.

Business transfers. We may share personal information with third parties to whom we choose to sell, transfer or merge part of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, the new owners may use your personal information in the same way as set out in this Notice.

Compliance with laws. We may very occasionally be required to disclose some personal information as required to comply with the law.

Security and international data transfers

Security
We work tirelessly to safeguard the security and integrity of our Site and the systems we use to process your personal data. We have implemented widely accepted standards of technology and operational security (having regard to the type and amount of personal data processed) to prevent against personal information being accidentally lost or used or accessed in an unauthorised or unlawful way. However, it is generally understood that no method of electronic storage or transmission online is 100% secure. As a result, whilst we have implemented appropriate technical and organisational measures, we cannot guarantee the absolute security of your personal data, or accept responsibility for any unauthorised access or loss of personal data that is beyond our control.

We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

We also have procedures in place to deal with any suspected data security breach. We will notify you promptly in the event of any breach of your personal data which might expose you to serious risk.

We also suggest that our users take sensible steps to keep their data secure online; for example, by following guidance from the NHS and BCS Chartered Institute for IT: Keeping your online health and social care records safe and secure.

International data transfers.
Where personal information is shared and disclosed as set out above, these parties may be established outside the United Kingdom. For example, some of the service providers we use to support our services are based in the United States, and this involves a transfer of your personal information to the USA. Whenever we transfer your personal information outside the United Kingdom, we ensure that a similar degree of protection is afforded to it by ensuring appropriate safeguards are implemented. This may include, where appropriate, relying on an adequacy decision or signing up to an International Data Transfer Agreement or Standard Contractual Clauses. To find out more information regarding the specific mechanism used by us when transferring your personal information outside the United Kingdom, please contact Twenty One Again’s Data Protection Officer at support@twentyoneagain.com.

Our use of cookies and similar technologies

We may use cookies and other information gathering technologies to learn more about how you interact with our Website. You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our Site may become inaccessible or not function properly. Please see our Cookie Policy for more information about the cookies we use.

Third party links and services

This Website may include links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

How long do we keep your personal information for?

We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for purposes of satisfying any legal, accounting, or reporting requirements.

To determine the appropriate retention period for personal information, we consider the amount, nature and sensitivity of the personal information, the potential risk of harm from unauthorised use or disclosure of your personal information, the purposes for which we process your personal information, and whether we can achieve those purposes through other means, and the applicable legal requirements.

Marketing

If you receive marketing communications from us, you can ask us to stop sending you marketing messages at any time by following the unsubscribe links in any marketing message or by contacting Twenty One Again’s Data Protection Officer at support@twentyoneagain.com.

Please note that opting out of marketing communications does not opt you out of receiving important service-related communications.

Your Rights

Subject to any exemptions provided by law, you may have the right to:

Request access to your personal information (commonly known as a “data subject access request”) and to certain other supplementary information that this Notice is already designed to address.

Request correction of the personal information we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal information. This enables you to ask us to delete or remove personal information in certain circumstances. However, given the nature of our products and services, it will not always be possible for Twenty One Again to delete your data upon request as there may be valid legal reasons for us to continue processing it (for example, the need to retain medical records to comply with legal requirements). You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).

Receive the personal information concerning you which you have provided to us in a structured, commonly used, and machine-readable format and have the right to transmit those data to a third party in certain situations.

Object to processing of your personal information at any time for direct marketing purposes.

Object to decisions being taken by automated means which produce legal effects concerning you or significantly affect you.

Object in certain other situations to our continued processing of your personal information.

Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.

Withdraw your consent to our processing of your personal information, where we have collected and processed it with your consent.

For more information, please refer to the appropriate data protection legislation or consult the Information Commissioner’s Office for guidance. If you would like to exercise any of these rights, please contact Twenty One Again’s Data Protection Officer at support@twentyoneagain.com and let us have enough information to identify you. We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request is clearly unfounded, repetitive, or excessive. Alternatively, we may refuse to comply with your request in these circumstances.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

How to contact us

Please address requests and questions about this Notice to Twenty One Againx’s Data Protection Officer at support@twentyoneagain.com.

How to Complain

We hope that we can resolve any query or concern that you raise about our use of your personal information.

You also have the right to make a complaint to your supervisory authority. In the UK, this is the Information Commissioner’s Office (www.ico.org.uk).

Changes to this Notice

This version was last updated on 28/05/2024. To ensure that you are always aware of how we use your personal information we will update this Notice from time to time to reflect any changes to our use of your personal information and as required to comply with changes in applicable law or regulatory requirements. However, we encourage you to review this Notice periodically to be informed of how we use your personal information.

It is important that the personal information we hold about you is accurate and current. Please keep us informed if your personal information changes during your relationship with us.