Privacy Policy

We care about your privacy

Introduction to Montu Group UK Ltd

Montu Group UK Ltd (or “we,” “our,” or “us”) branded as, and henceforth referred to as Alternaleaf, respects your privacy, and we are committed to protecting it through our compliance with this policy. Transparency and clarity are important for us and we want you to feel in control of and understand how we handle your personal data.

Our company is registered with the Companies House (number 14043081) and has its London office at 140 Wharfedale Road, Winnersh Triangle, Reading, Berkshire, United Kingdom RG41 5RB, UK.

What we do

At Alternaleaf, we are dedicated to improving the lives of people with various conditions that can be managed through treatment using medical cannabis. We bring together patients, healthcare providers, academia, life science companies and regulators to evolve medical cannabis  and treatment; combining the most advanced technology, data- driven knowledge and our expertise in medical cannabis. We work closely with pharmacies to ensure that you receive the medication we prescribe, by sending pharmacies your prescription.

Please be advised that Alternaleaf and Montu Pharmacy Ltd are UK group companies and work closely with one another including sharing personal data for the purposes of providing clinical and pharmacy services.

We may use trusted administrative support based in countries outside the UK or EU (including, for example, South Africa) to help us manage our administrative services. This may involve access to necessary personal data for administrative processing purposes only.

We remain fully responsible for your information and comply with all applicable data protection laws, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Where personal data is transferred outside the UK, we ensure that appropriate safeguards are in place. See the section below titled “Data Storage, Security and Transfers” for details. 

We require all overseas staff to work under strict confidentiality agreements, follow our data security policies, and access only the minimum information necessary to perform their role.

Your data will never be sold, and it is only used to support the safe and efficient delivery of our services. If you have any concerns about how your information is handled, you can contact our Governance and Compliance team, or raise a complaint with the Information Commissioner’s Office (ICO) in the UK.

About this policy

This Privacy Policy sets out what personal information we may collect from you and how that information may be used when using Alternaleaf's website and the Alternaleaf application (our “Application”).

In particular, this Privacy Policy explains

  • how we will manage your personal information, from the point of collection and onwards;
  • how we use and handle your information, and how we will comply with any relevant laws; and
  • your rights in relation to your personal data, and how you can exercise them.

This Privacy Policy does not cover any links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy policies. When you leave our website, we encourage you to read the privacy policy of every website you visit.

We may revise this policy from time to time and will notify you if we are making any significant changes.

Please read this policy carefully so that you understand the terms and how they apply to you.

If you have any questions about how we process your information, please do not hesitate to get in touch by contacting us at qa@montugroup.com

​Our role

For the purposes of the General Data Protection Regulation (GDPR), when you access our Services we are acting as the ‘data controller’ (this is a legal term that describes a person or entity that controls the way your information is used and processed). 

We are registered under the Data Protection Act 2018 with the Information Commissioner’s Office (the UK data protection regulator). Our registration number is ZB357212 and can be viewed online on https://ico.org.uk/. You can also access useful guidance and information about your rights in relation to your personal data on that website.

By accessing or using our Services you acknowledge and consent to the collection and use of information in accordance with this Privacy Policy, our Terms of Service together with our End-User Licence Agreement (EULA) if applicable and any additional terms of use incorporated by reference into the EULA. 

By accessing our Services you agree that we may treat your information as set out in this Privacy Policy. If you do not agree with any of the terms of this Privacy Policy, our EULA or Terms of Service, you are advised not to use our Services.

​Please take the time to read and understand how this policy applies to you.

It does not apply to information collected by:

  • us offline or through any other means, including on any other website operated by Alternaleaf or any third party;
  • any third party through any application or content (including advertising) that may link to or be accessible from or on the website or Application.

Information we may collect from you

We may collect information about you when you request any information about us or our services, submit your personal details and/or complete any forms on the website, contact us via social media. In limited circumstances we may also receive information about you on your behalf, such as where you have asked a family member to contact us, or if your GP contacts us directly. Personal information, or personal data, means any information about an individual from which that person can be identified. It does not include data where the identity has been removed (anonymous data).

We may also collect special categories of personal information about you. This includes personal information relating to details about your health, and genetic and biometric data, race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, or trade union.

If you provide personal information to us about other individuals (including medical or financial information) you should inform the individual about the contents of this Privacy Notice. We will process such information in accordance with this Privacy Notice.

We have set out details below about the types of personal information we are likely to collect and use about you when you use our websites or interact with us via social media. The extent of the information we collect and use will depend on what information you choose to provide to us or what information is provided to us on your behalf.

Personal data

  • General information you provide, such as your name, address, contact details, date of birth, gender and next of kin
  • Information relating to appointments or other enquiries you make
  • Information regarding your ability to pay for services and payment information
  • Information regarding your experiences with us
  • Information you provide in surveys or feedback
  • Information relating to any complaint you may make against us or our staff
  • Information about your areas of interest, if you are signing up to receive our update emails
  • Information you send in any job application or speculative enquiries in relation to job vacancies, such as employment history or qualifications
  • Information when you visit our websites. Alternaleaf uses Google Analytics and cookies in order to improve our service and user experience and to analyse how the website is used. The information collected by Google Analytics is analysed as anonymous traffic including browser information, device information, and trends related to page views and sessions. The collected information is used to provide an overview of how people are accessing and using Alternaleaf's websites. For more information about our use of cookies, please see our cookie policy.

Special categories of personal data

  • Details of your current or former health condition, including information about medication, lifestyle and other information that may be relevant to your health e.g. employment history, family conditions; race; ethnicity; sex life or sexual orientation, religious or philosophical beliefs
  • Information relating to criminal convictions (including offences and alleged offences and any court sentence or unspent criminal conviction)
  • In limited circumstances, we may process other sensitive personal information including details of your political opinions; and trade union membership, for example, where it is relevant to your health or social history

How is your personal information collected?

We use different methods to collect information from and about you, including

  • Direct interactions: you may provide us with your identity and contact details when you register to use our Services. You may provide further data by submitting information via the website, responding to surveys or providing feedback.
  • Automated technologies or interactions: when you interact with our Services, we will automatically collect technical data about the device you are using, your browsing actions and patterns and (if you enable location sharing) your location data, using cookies or other similar technologies (explained further below).
  • Integration with third-party health information sites: if you choose, when prompted, to grant them permission to access other health related applications, we may access and use your Third-party Health information sites data collected by those third-party applications. You may disable such permissions at any time via the relevant third- party application.

Please be advised that unless otherwise instructed, our clinical consultations are not recorded.

Why do we collect your personal information?

We process your personal information for the purposes set out in this Privacy Notice. We will only use your personal data when the law allows us to. Each time we use your data we must have a legal justification to do so. The particular justification will depend on why we are using your data. When the information that we process is classed as "special categories of personal information", we must have a specific additional legal justification in order to use it as proposed.

Generally, we will rely on the following legal grounds for processing your personal data:

  • Taking steps at your request so that you can enter into a contract with Alternaleaf to receive healthcare services from us, or for the purposes of that contract. If we have a contract with you, we will process your personal information in order to fulfil that contract (that is, to provide you with our products and services).
  • Taking steps at your request so that you can enter into an employment contract with Alternaleaf, or for the purposes of that contract.
  • We have an appropriate business need (a 'legitimate interest') to process your personal information and those interests are not overridden by your privacy rights. We will rely on this for activities such as administration and service improvement. Further details of those legitimate interests are set out in more detail below.

We may process special categories of personal information about you because:

  • It is necessary for the purposes of preventive or occupational medicine, providing you with medical diagnoses, providing you with healthcare or for the management of our healthcare services.
  • It is necessary for reasons of substantial public interest, such as insurance-related purposes or for preventing or detecting fraud.
  • The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.

You will find further details of our "legal grounds" for each of our processing purposes set out below.

Please be aware that recording, or publishing any interactions with our staff that include staff personal and/ or biometric information (such as voice or video recordings) is a violation of their privacy rights and may result in legal action.

Providing healthcare and related services

Legal grounds:
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for fulfilling our contract with you for the delivery of healthcare.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
Additional legal grounds for special categories of personal data:
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent.
  • The use is necessary for an insurance-related purpose.

The use is necessary to protect your vital interests where you are physically or legally incapable of giving consent.

Administration and management of healthcare services (such as maintaining records, receiving professional advice)

Legal grounds:
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary to comply with a legal or regulatory obligation.
  • The use is necessary for fulfilling our contract with you for the delivery of healthcare.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
Additional legal grounds for special categories of personal data:
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.

Service improvement, evaluation and audit (in order to improve the healthcare services that we provide)

Legal grounds:
  • The use is necessary for compliance with a legal or regulatory obligation.
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
Additional legal grounds for special categories of personal data:
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • You have given us your explicit consent.

Communicating with you and resolving any queries or complaints that you might have. Communicating with any other individual that you ask us to update about your care.

Legal grounds:
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for compliance with a legal obligation.
  • The use is necessary for fulfilling our contract with you for the delivery of healthcare.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your explicit consent.
Additional legal grounds for special categories of personal data:
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use is necessary in order for us or a third party to establish, exercise or defend our legal rights.
  • You have given us your explicit consent.

Complying with our legal and regulatory requirements

Legal grounds:
  • The use is necessary for compliance with a legal obligation.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your explicit consent.
Additional legal grounds for special categories of personal data:
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • The use is necessary in order for us to establish, exercise or defend our legal rights.
  • You have given us your explicit consent.

Clinical review and development

Legal grounds:
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for compliance with a legal obligation.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your consent.
Additional legal grounds for special categories of personal data:
  • The use is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.
  • We need to use the information for reasons of substantial public interest such as, in response to COVID-19
  • The use is necessary for reasons of public interest in the area of public health, such as ensuring high standards of quality and safety of health care.
  • The use is necessary for public interest or scientific research purposes so long as it is subject to appropriate safeguards.
  • You have given explicit consent.

Safeguarding purposes (for example, in order to ensure the health and safety of an individual)

Legal grounds:
  • The use is necessary for compliance with a legal obligation.
  • We need to use the information to protect your vital interests or the vital interests of a third party.
  • The use is necessary to provide you with healthcare and other related services.
Additional legal grounds for special categories of personal data:
  • We need to use the information to protect your vital interests or the vital interests of a third party and you or the third party are physically or legally incapable of giving consent.
  • We need to use the information for reasons of substantial public interest, such as the use being necessary in protecting an individual from neglect or physical, mental or emotional harm and protecting the physical, mental or emotional wellbeing of an individual.
  • You have given us your explicit consent.

Preventing and investigating fraud. This might include sharing your personal information with third parties such as the police or fraud prevention agencies, or carrying out fraud, credit, anti-money laundering and other checks

Legal grounds:
  • The use is necessary to provide you with healthcare and other related services.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
Additional legal grounds for special categories of personal data:
  • We need to use the information for reasons of substantial public interest.

Carrying out marketing activities and providing marketing information to you

Legal grounds:
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have given us your consent.

For employment and pre-employment purposes, such as considering job applications from you, carrying out pre-employment checks and entering into an employment contract

Legal grounds:
  • Taking steps at your request so that you can enter into an employment contract with Alternaleaf, or for the purposes of that contract.
  • We have a legal or regulatory obligation to use your personal information.
  • The use is necessary for fulfilling our legitimate interests (e.g. an appropriate business need) and those interests are not overridden by your privacy rights.
  • You have provided your consent to our use of your personal information.
Additional legal grounds for special categories of personal data:
  • We need to use the information for reasons of substantial public interest.
  • It is necessary for the management of our healthcare services.
  • It is information that you have made public.
  • You have provided your explicit consent.

No General Marketing

To better track your progress pre- or post- treatment, we may contact you via email, over the phone or through SMS, requesting you to fill out a survey or answer questions about your treatment and recovery progress. We may still contact you, even if you de-register via the website. 

Please note, we will only contact you with information related to your treatment and use of the website, including to share articles, referrals or other content related to your treatment which we think would be of particular interest to you. We will not, without your express opt-in permission, use it to send you general marketing emails on behalf of third-parties.

Your Rights for Marketing

You have the right to request to opt out of any marketing.

You also have the right to ask that we update any information we hold about you that may be incorrect. It is important that the information we hold about you is accurate and up to date.

In certain circumstances, you have the right to request that we restrict the way in which we process your data, or that we erase all personal information that we hold about you.

You have the right to object to certain types of processing including marketing.

We will do our best to respond to your request within one month, however, if that is not possible due to the number or complexity of requests we will notify you and keep you updated. Please write to  qa@montugroup.com

For further information on your rights, please visit ICO Your Data Matters

Who do we share your information with?

From time to time, we may share your personal information with others. We will keep your personal information confidential and only share it with those listed below for the purposes explained in the previous section.

Sharing with third parties

We may share information with the following third parties:

  • Clinicians or other healthcare professionals involved in your treatment
  • Other staff involved in your healthcare, such as receptionists, secretaries and administrative assistants
  • Organisations from which you are receiving healthcare services, such as your GP
  • Third parties who are involved in your healthcare, such as pharmacies
  • Third parties involved in research or audit projects 
  • Government bodies such as the Home Office and HMRC
  • Regulators, such as the ICO, the Care Quality Commission, the General Pharmaceutical Council, the General Medical Council Health Inspectorate Wales, and Health Improvement Scotland
  • The police and other third parties where it is reasonably necessary for the prevention or detection of crime
  • Anyone that you have asked to communicate with us on your behalf, or have named as an emergency contact, such as your representative, next of kin or carer
  • Debt collection agencies
  • Our insurers
  • Our third party services providers and advisers, such as IT suppliers, actuaries, auditors, lawyers, marketing agencies, document storage, administrative and/or business process services providers and management providers and tax advisers
  • Preferred partners for credit agreements
  • Credit referencing agencies
  • Any third parties involved in the sale, transfer or disposal of all or a part of our business
  • We may communicate with these third parties in a variety of ways including, but not limited to, email, post, fax and telephone.

Security

We place great importance on the security of all personal information associated with our users. We have security measures in place to attempt to protect against the loss, misuse and alteration of personal information under our control. For example, our security and privacy policies are periodically reviewed and enhanced as necessary and only authorised personnel have access to personal information. Whilst we cannot ensure or guarantee that loss, misuse or alteration of information will never occur, we use all reasonable efforts to prevent it.

You should bear in mind that submission of information over the internet is never entirely secure. We cannot guarantee the security of information you submit via the website whilst it is in transit over the internet and any such submission is at your own risk.

You are responsible for keeping your password confidential to prevent unauthorised access to your personal data and we ask that you do not share your password with anyone.

​Data Storage, Security and Transfers

We are committed to protecting the security of your data by endeavouring to ensure appropriate technologies and processes are maintained to avoid unauthorised access or disclosure. We store all your personal data on secure servers.  

Where you have chosen a password that enables you to access certain parts of our website, you are responsible for keeping this password confidential. We ask you not to share the password with anyone.

Your personal information which we collect is generally transferred to and stored on secure third-party servers located in the UK or European Economic Area (EEA). Such storage is necessary in order to process the information. Where your data is processed or stored outside of the UK or EEA, we ensure a similar degree of protection is afforded to it by ensuring that at least one of the following safeguards is in place:

  • we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
  • where we use certain service providers, we may use specific contractual terms approved for use in the UK       which give personal data the same protection it has in the UK     , namely the International Data Transfer Agreement or The International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers;

Any transfers made will be in full compliance with the Data Protection Legislation.

We encrypt your data at transmission to and from and at rest. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorised access. We ensure that processing, analysis and research environments in relation to anonymised data and personal data are separated and that access to this data is restricted. We will take all steps reasonably necessary to ensure that your data is treated securely and in accordance with this Privacy Policy.

Retention

We retain personal data for as long as necessary for the purposes for which the data is being processed.

In the event of being notified of the death of a service user, we will ensure that no emails are sent and the data will be reviewed and retained for two years from when the website was last accessed by the user.

We may also retain aggregate information without limit beyond this time for research purposes and to help us develop and improve our services. You cannot be identified from aggregate information retained or used for these purposes.

Your rights under GDPR

The information we provide in this section is a brief summary of your rights under the GDPR and relevant local legislation (such as the Data Protection Act 2018 in the UK) and you should still read the relevant laws and guidance from the regulatory authorities for a full explanation of these rights.

Right to understand how your data is used: You have the right to know how we will use your personal information and this is described in this Privacy Policy.

Right to withdraw consent: To the extent that we process data on the basis of your consent, you have the right to withdraw that consent at any time by emailing  qa@montugroup.com . If you have given additional consent for your data to be shared to a third-party, you have the right to withdraw this consent at any time by email. Withdrawal will not affect the lawfulness of any processing undertaken prior to your withdrawal. Please note that withdrawing consent to share information with your GP will result in discharge, as we require this to provide treatment to you;

Right of access: Understand and request a copy of information we hold about you (known as a Subject Access Request). Recordings of your phone calls and video calls (if applicable) with us and other medical notes can be accessed via the website. For other information, you can make a request by email;

​Right to rectification of your Personal Information: Ask us to rectify any information which you believe is inaccurate or erase information we hold about you, subject to limitations relating to our obligation to store medical records for prescribed periods of time;

Right to restrict our processing: Ask us to restrict our processing of your personal data or object to our processing of your data for any specific purpose;

Rights in relation to automatic decision making: If we use any systems which make decisions about you by automated means, we will tell you about the existence of such systems and the outcome of such decisions and you have the right to appeal such decisions to a human decision-maker;

Right to data portability: You may ask for your data to be provided in exercise of this right, and we will provide an extract of your data record in our standard format. However, we will not carry out any reformatting, conversion or migration of that data to other systems; and

Right to object to use of data for marketing: Prevent the use of your personal information for direct marketing purposes.

Right to be forgotten: You also have the right to ask us to erase or remove your personal data in certain circumstances, unless it's a legal requirement, or we have a valid business reason not to erase it.

You may also contact the Information Commissioner’s Office (the data protection regulator in the UK): Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Cookies & other technologies

When you interact with the Services, we try to make that experience simple and meaningful. When you visit the website, a web server sends a cookie or other similar technology to your computer or mobile device (as the case may be). Cookies are small pieces of information which are issued to your computer or mobile device when you visit a website or access or use a mobile or other devices and store and sometimes track information. A number of cookies we use last only for the duration of your web session and expire when you close your browser. Other cookies are used to remember you when you return to the website and will last for longer.

The cookies and/or other similar technologies we use collect information, such as the type of internet browser or mobile device you use, any website from which you have come to the website, your IP address and/or the operating system of your computer or mobile device.

We use cookies to remember that you have viewed us before. This means we can identify the number of unique visitors we receive. This allows us to:

Make sure we have enough capacity for the number of users that we get; customise elements of the promotional layout and/or content of the pages of the Services; and collect anonymous statistical information about how you use the Services (including how long you spend on the Services and which devices you use to access them) and where you have come to the Services from, so that we can improve the website and learn which parts of the Services are most popular with users.

Some of the cookies used by the Services are set by us, and some are set by third-parties who are delivering services on our behalf. These third-parties each have their own cookie policies. As we make changes to our website and Services, the list of third-parties is subject to change. An up to date list of third-parties can be provided on request.

Most web and mobile device browsers automatically accept cookies but, if you prefer, you can change your browser to prevent that or to notify you each time a cookie is set. You can also learn more about cookies by visiting the ’All About Cookies‘ website which includes additional useful information on cookies and how to block cookies using different types of browser or mobile device.

Please note, however, that by blocking or deleting cookies used on the Services, you may not be able to take full advantage of the Services.

​External links

The Services may, from time to time, contain links to external websites. We have not reviewed the content of and are not responsible for the privacy policies or the content of such websites.

Changes to this Privacy Policy and Further Information

We may revise this Privacy Policy from time to time and in doing so we may change what kind of information we collect, how we store it, who we share it with and how we use it. The most current version of the policy will govern our use of your information and will always be found on our website. Please regularly refer to this page for the latest version of our privacy policy. If we make a change to this policy that we believe, in our sole discretion, is material, we will notify you via an email to the email address associated with your account. By continuing to access or use our services after those changes become effective, you agree to be bound by the revised Privacy Policy.

Please submit any questions, concerns or comments you have about this Privacy Policy or any requests concerning your personal data by emailing  qa@montugroup.com

References:

Data Protection Act 2018 - ensures data protection laws fit for the digital age where increasing amount of data is being processed.

NHS Digital - NHS Digital has responsibility for standardising, collecting and publishing data and information from across the health and social care system in England.

Information Commissioners Office - The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals​

General Data Protection Regulation - The legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union (EU).

NHS Records Management Code of Practice - The Records Management Code of Practice for Health and Social Care 2016 sets out

what people working with or in NHS organisations in England need to do to manage records correctly.

RMCOP - Retention Schedule as at 2019