Privacy Policy

Bespoke Health Clinic Ltd

Last updated: March 2026

1. Who We Are

Bespoke Health Clinic Ltd is the data controller for the personal data described in this policy. We are a CQC-registered private healthcare clinic, whose doctors are registered with and regulated by the GMC, specialising in preventative and lifestyle medicine.

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Data (Use and Access) Act 2025, the Privacy and Electronic Communications Regulations 2003 (PECR), the Common Law Duty of Confidentiality, and GMC and CQC professional standards.

Contact: info@bespokehealthclinic.com

ICO registration: We are registered with the Information Commissioner’s Office. Our registration number can be verified at ico.org.uk.

2. What We Collect

Identity and contact details: name, date of birth, gender, address, email, phone, next-of-kin.

Health data (special category): medical history, symptoms, medications, blood results, diagnostic reports, consultation notes, treatment plans, prescriptions.

Financial data: billing details (processed by third-party payment providers; we do not store card details).

Communications: correspondence, feedback, complaints, consent records.

Website data: IP address, browser type, pages visited, cookie data.

Marketing data: email address, consent status, email engagement data.

Sources: directly from you; from healthcare professionals involved in your care (with your consent); and from laboratories processing your investigations.

3. Is Providing Your Data Required?

Where we provide clinical care, providing your personal and health data is a contractual requirement. Without it, we may be unable to deliver safe and effective healthcare. For marketing (newsletter), providing your data is voluntary and based on consent.

4. Why We Process It and Our Lawful Basis

Under the UK GDPR, we need a lawful basis (Article 6) and, for health data, an additional condition (Article 9).

Clinical care, consultations, investigations, prescriptions and treatment
Lawful basis: Contract, Article 6(1)(b)
Special category condition: Article 9(2)(h), provision of healthcare, Data Protection Act 2018 Schedule 1 Paragraph 2

Appointment scheduling and treatment related communications
Lawful basis: Contract, Article 6(1)(b)
Special category condition: Article 9(2)(h) where health information is involved

Sharing information with your GP (with your consent)
Lawful basis: Legitimate interests, Article 6(1)(f)
Special category condition: Article 9(2)(h), provision of healthcare
Your consent here satisfies the Common Law Duty of Confidentiality; it is not the UK GDPR lawful basis for the sharing, which is legitimate interests as stated above.

Payment processing, billing and fraud prevention
Lawful basis: Contract, Article 6(1)(b)

Clinical audit and quality improvement
Lawful basis: Legitimate interests, Article 6(1)(f)
Special category condition: Article 9(2)(h) healthcare provision or Article 9(2)(j) scientific or statistical purposes

Regulatory and legal compliance
Lawful basis: Legal obligation, Article 6(1)(c)
Special category condition: Article 9(2)(h) where health data is involved

Complaints handling and legal claims
Lawful basis: Legitimate interests, Article 6(1)(f), or legal obligation, Article 6(1)(c)
Special category condition: Article 9(2)(f), establishment or defence of legal claims

Newsletter and marketing communications
Lawful basis: Consent, Article 6(1)(a)

Website analytics and cookies
Lawful basis: Legitimate interests, Article 6(1)(f)

We maintain an Appropriate Policy Document (DPA 2018 Schedule 1, Part 4) describing how we process special category data, available on request.

We do not sell your personal data. Health data is never used for marketing without your explicit consent.

5. Who We Share It With

We only share your data where necessary, and we have Data Processing Agreements in place with our processors. We share with the following categories of recipient:

Clinical software provider — the cloud-based practice management system, covered by a Data Processing Agreement, that stores patient records, appointments, and clinical correspondence.

External diagnostic laboratories — to process blood tests and other investigations you have consented to.

Dispensing pharmacies — to fulfil prescriptions.

Your GP — where clinically necessary and with your consent. We cannot safely prescribe medication unless you consent to our sharing prescribing details with your GP. You may ask us not to share information with your GP, but we strongly advise against this, and it may limit the treatment we are able to offer.

Other healthcare professionals involved in your care (with your consent).

Nurse home visit provider — where you request a home phlebotomy or nursing service.

Online form provider — to host our intake questionnaires and enquiry forms.

Email marketing platform — to send newsletters and health information to subscribers who have opted in.

Workflow automation provider — to connect form submissions to our email platform.

Payment processors — for secure payment handling. We do not store your card details.

Regulatory bodies (CQC, GMC, ICO) where required by law.

Professional advisers (lawyers, accountants, insurers) where necessary.

Debt collection agencies in the event of unpaid accounts.

Law enforcement or courts where required by law.

A full list of named processors and recipients is maintained in our internal Records of Processing Activities (ROPA), which is available to the ICO on request. If you would like to know the specific organisations with whom your data has been shared, you may request this by contacting us.

6. International Data Transfers

Some of our service providers may process data outside the United Kingdom, including in the United States and the European Economic Area. Where data is transferred outside the UK, we ensure appropriate safeguards are in place: UK adequacy regulations (which cover the EEA), the UK Extension to the EU–US Data Privacy Framework for certified US providers, or the ICO’s International Data Transfer Agreement (or the UK Addendum to the EU Standard Contractual Clauses). Contact us for details of the safeguard used for any specific transfer.

7. How Long We Keep It

We follow the NHS Records Management Code of Practice 2021, which the GMC directs private practitioners to apply:

Adult medical records: minimum 8 years from date of last treatment or last contact. May be retained longer where there is an ongoing complaint, adverse event, or potential litigation.

Children’s medical records: until the patient’s 25th birthday, or 26th if the patient was 17 at conclusion of treatment, or 8 years after death — whichever is longest.

Financial records: 6 years (HMRC requirement).

Complaints: 10 years from closure of the complaint or related process.

Marketing data: until you unsubscribe. Consent records retained for a reasonable period as evidence.

Data no longer required is securely deleted or anonymised.

8. Your Rights

Under the UK GDPR and the Data (Use and Access) Act 2025, you have the right to:

Access your personal data (Subject Access Request).

Rectify inaccurate or incomplete data.

Erase your data in certain circumstances. Note: the right to erasure does not override our legal and professional obligations to retain medical records. Clinical records must be retained for the minimum periods set out in Section 7, even after treatment has concluded. We can erase non-clinical data (e.g. marketing data) on request.

Restrict processing in certain circumstances.

Data portability — receive your data in a machine-readable format.

Object to processing based on legitimate interests. You have an absolute right to object to direct marketing.

Withdraw consent at any time (does not affect prior processing).

We do not use solely automated decision-making that produces legal or significant effects in our clinical services. Our email platform may use basic list segmentation based on your consent, which you can opt out of at any time.

To exercise any right: email info@bespokehealthclinic.com. We may verify your identity before acting.

9. How to Complain

To us: Email info@bespokehealthclinic.com with the subject “Data Protection Complaint”. We will acknowledge within 30 days and respond without undue delay.

To the ICO: You may also complain to the Information Commissioner’s Office at any time. ICO: Wycliffe House, Water Lane, Wilmslow, SK9 5AF | 0303 123 1113 | ico.org.uk

10. Cookies

Our website uses cookies. Strictly necessary cookies require no consent. Under the Data (Use and Access) Act 2025, certain analytics and functional cookies may be used without prior opt-in, provided clear information and an opt-out mechanism are available. Marketing cookies require prior consent. See our Cookie Policy for details.

11. Marketing Emails

We send marketing emails only to individuals who have opted in, in compliance with PECR. Every email includes an unsubscribe link. We record proof of consent. To unsubscribe, click the link in any email or contact info@bespokehealthclinic.com.

12. Email Security

Email is not inherently secure: standard email is not end-to-end encrypted and may pass through servers we do not control. Where possible, we share sensitive medical information through our clinical system rather than by email, and we recommend that you do not send sensitive health information to us by unencrypted email.

13. Data Security

We use appropriate technical and organisational measures including encrypted clinical systems, two-factor authentication, HTTPS/TLS encryption, strict access controls, Data Processing Agreements with processors, and staff training on data protection. In the event of a personal data breach posing a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of it and notify you where the risk is high.

14. Changes to This Policy

We may update this policy. Significant changes will be communicated via our website or by email.