IMPORTANT NOTICE
This Privacy Policy ("Policy") constitutes a legally binding agreement between you and The London Wellness Clinic Ltd ("The Wellness," "Company," "we," "us," or "our"). By accessing, using, or continuing to use our Services in any manner, you expressly acknowledge and agree that you have read, understood, and consent to all terms herein.
1. Definitions and Interpretation
For the purposes of this Policy:
- "Services" means all services provided by The Wellness including our website, mobile applications, health assessments, treatments, and consultations
- "Personal Data" means any information relating to an identified or identifiable natural person
- "Special Category Data" means personal data revealing health data, genetic data, or biometric data
- "Processing" means any operation performed on Personal Data
2. Data Controller Information
The London Wellness Clinic Ltd, incorporated under the laws of England and Wales, with registered office at 6 Eardley Crescent, London SW5 9JZ, UK, is the data controller for Personal Data processed under this Policy.
3. Categories of Personal Data Collected
We collect and process the following categories of Personal Data:
Identity Data
- Full name, title, date of birth, gender
- Identification documents (passport, driving licence)
- Photographs for treatment records
Contact Data
- Address, email address, telephone numbers
- Emergency contact information
Health Data (Special Category Data)
- Medical history, current health conditions, medications
- Test results, treatment records, consultation notes
- Allergies, lifestyle information relevant to treatment
Financial Data
- Payment card details, bank account information
- Insurance information, transaction history
4. How We Collect Personal Data
We collect Personal Data through:
- Direct interactions when you book appointments, receive treatments, or contact us
- Automated technologies including cookies and analytics tools
- Third parties including healthcare providers, laboratories, and insurance companies
5. Purposes of Processing
We process your Personal Data for the following purposes:
- Providing medical and wellness services
- Managing appointments and patient records
- Processing payments and insurance claims
- Complying with legal and regulatory obligations
- Improving our services and conducting research (with consent)
- Marketing communications (with consent)
6. Legal Basis for Processing
We process your Personal Data based on:
- Consent: For marketing communications and certain health data processing
- Contract: To provide services you have requested
- Legal obligations: To comply with healthcare regulations and laws
- Vital interests: In medical emergencies
- Legitimate interests: For business operations and service improvement, balanced against your rights and freedoms
6.1 Special-category (health) data — Article 9 UK GDPR
Health data is special-category personal data under Article 9(1) UK GDPR. We rely on one or more of the following Article 9(2) conditions, together with the corresponding condition in Part 1 or Part 2 of Schedule 1 of the Data Protection Act 2018, to lawfully process such data:
- Article 9(2)(a) — Explicit consent: for non-essential processing such as marketing communications, health-related research, or sharing data with third parties at your request (e.g., your insurer).
- Article 9(2)(h) — Provision of health or social care or treatment: for the coordination, delivery and follow-up of clinical care by GMC-registered clinicians, partner laboratories and other healthcare providers. Processing under this condition is subject to the duty of confidence owed by a health professional.
- Article 9(2)(c) — Vital interests: in a medical emergency where you are physically or legally incapable of giving consent.
- Article 9(2)(f) — Establishment, exercise or defence of legal claims: for example, where required for clinical-negligence or insurance proceedings.
- Article 9(2)(i) — Public health: where required to protect against serious cross-border threats to health or to ensure the safety of medicinal products or medical devices (e.g., MHRA Yellow Card reporting).
Where we rely on consent, you have the right to withdraw it at any time without affecting the lawfulness of processing carried out before withdrawal. Where we rely on Article 9(2)(h), processing is undertaken by, or under the responsibility of, professionals subject to a statutory obligation of professional secrecy under UK law (including the GMC's Good Medical Practice).
8. International Transfers
We may transfer your Personal Data outside the UK where necessary. When we do, we ensure appropriate safeguards are in place, including:
- Standard contractual clauses approved by the UK ICO
- Adequacy decisions recognizing equivalent data protection standards
- Your explicit consent where required
9. Data Retention
We retain your Personal Data for as long as necessary to fulfil the purposes for which it was collected, in accordance with our legal obligations and clinical-records guidance, including:
- Adult clinical records: minimum 10 years from the date of last contact, in line with the Department of Health and Social Care's Records Management Code of Practice 2021 (or longer where clinically or legally required).
- Adverse event / pharmacovigilance records: 10 years from the end of the marketing authorisation, in line with MHRA pharmacovigilance requirements where applicable.
- Financial and tax records: 6 years from the end of the relevant financial year (Companies Act 2006; HMRC).
- Booking and account data: for the duration of your account, plus 3 years for limitation-period purposes.
- Marketing data: until you withdraw consent or after 2 years of no engagement, whichever comes first.
- AI Doctor conversation data: retained only for the period necessary to deliver the service and audit safety. Identifiable conversations are not used to train AI models.
9a. Personal Data Breach Notification
In the unlikely event of a Personal Data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, in accordance with Article 33 UK GDPR. Where the breach is likely to result in a high risk to you, we will also inform you directly without undue delay, in accordance with Article 34 UK GDPR.
10. Your Rights
Under data protection law, you have the right to:
- Access: Request copies of your Personal Data
- Rectification: Request correction of inaccurate data
- Erasure: Request deletion of your data (subject to legal obligations)
- Restriction: Request limitation of processing
- Portability: Receive your data in a portable format
- Object: Object to processing based on legitimate interests
- Withdraw consent: Where processing is based on consent
To exercise any of these rights, please contact us at privacy@thewellnesslondon.com.
11. Data Security
We implement appropriate technical and organizational measures to protect your Personal Data, including:
- Encryption of data in transit and at rest
- Access controls and authentication systems
- Regular security assessments and audits
- Staff training on data protection
- Incident response procedures
13. Children's Privacy
Our Services are not directed to individuals under 18 years of age without parental consent. We do not knowingly collect Personal Data from children under 13. If you believe we have collected such data, please contact us immediately.
14. Changes to This Policy
We may update this Policy periodically. We will notify you of any material changes by posting the new Policy on our website and updating the "Last Updated" date. Your continued use of our Services after such changes constitutes acceptance of the updated Policy.
15. Contact Information
Data Protection Officer
The London Wellness Clinic Ltd
6 Eardley Crescent
London SW5 9JZ
United Kingdom
Email: privacy@thewellnesslondon.com
Phone: +44 (0) 7399 323620
Supervisory Authority
You have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Phone: 0303 123 1113