Privacy Policy

Last updated: 9 March 2026

This Privacy Policy explains how Example Weight Loss Clinic ("we", "us", "our") collects, uses, and protects your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

Example Weight Loss Clinic is the data controller for the personal data we collect. We are registered with the Information Commissioner's Office (ICO). Our ICO Registration Number is [ICO Registration Number — to be updated].

If you have any questions about this policy or how we handle your data, please contact our Data Protection Contact:

Data Protection Contact
Example Weight Loss Clinic
Email: [email protected]
[Postal address — to be updated]

2. What Data We Collect

We collect the following categories of personal data:

  • Identity data: name, date of birth, gender
  • Contact data: email address, telephone number, postal address
  • Health data (special category): BMI, medical history, current medications, weight measurements, clinical notes, and prescription information
  • Financial data: payment information processed via our secure payment provider (Stripe). We do not store full card details.
  • Technical data: IP address, browser type, device information, and usage data collected via cookies
  • Communications data: messages sent through our secure patient portal

3. Legal Basis for Processing

We process your personal data under the following legal bases:

  • Contract: to provide the clinical services you have engaged us for
  • Legal obligation: to comply with healthcare regulations and record-keeping requirements
  • Vital interests: where necessary to protect your health and safety
  • Consent: for marketing communications and non-essential cookies (you may withdraw consent at any time)
  • Legitimate interests: for service improvement, fraud prevention, and security

For special category health data, we rely on Article 9(2)(h) UK GDPR (processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, or the provision of health or social care or treatment).

4. How We Use Your Data

  • To assess your eligibility for our weight loss programme
  • To provide clinical consultations and prescribing services
  • To manage your patient account and portal access
  • To process payments and maintain financial records
  • To communicate with you about your treatment and appointments
  • To comply with our legal and regulatory obligations
  • To improve our services (using anonymised or aggregated data)

5. Data Sharing

We may share your data with:

  • Prescribers and clinical staff involved in your care
  • Pharmacy partners for dispensing prescribed medications
  • Payment processors (Stripe) for secure payment handling
  • IT service providers who support our platform under data processing agreements
  • Regulatory bodies (e.g., MHRA, CQC) where required by law
  • Your GP where clinically appropriate and with your consent

We do not sell your personal data to third parties.

6. Data Retention

We retain clinical records for a minimum of 8 years from the date of last treatment, in accordance with NHS and professional guidance. Financial records are retained for 7 years in compliance with HMRC requirements. We will securely delete your data when it is no longer required.

7. Your Rights

Under UK GDPR, you have the following rights:

  • Right of access: to request a copy of the personal data we hold about you
  • Right to rectification: to request correction of inaccurate data
  • Right to erasure: to request deletion of your data (subject to legal obligations)
  • Right to restrict processing: to request that we limit how we use your data
  • Right to data portability: to receive your data in a structured, machine-readable format
  • Right to object: to processing based on legitimate interests or for direct marketing
  • Rights related to automated decision-making

To exercise any of these rights, please contact us at [email protected]. We will respond within 30 days.

8. Cookies

We use cookies to improve your experience on our website. You can manage your cookie preferences at any time using the cookie consent banner. For full details, please see our Cookie Policy.

  • Essential cookies: required for the website to function correctly
  • Analytics cookies: help us understand how visitors use our site (only with your consent)
  • Functional cookies: remember your preferences (only with your consent)

9. International Transfers

Your data is stored and processed within the United Kingdom and European Economic Area. Where data is transferred outside these areas, we ensure appropriate safeguards are in place in accordance with UK GDPR.

10. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These include encryption, secure access controls, and regular security assessments.

11. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of individuals, we are legally required to notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, in accordance with Article 33 of the UK GDPR.

Where a breach is likely to result in a high risk to individuals' rights and freedoms, we will also notify affected individuals without undue delay, providing information about the nature of the breach, the likely consequences, and the measures we have taken or propose to take to address it.

We maintain an internal data breach register and have a documented incident response procedure. If you believe your personal data has been compromised, please contact us immediately at [email protected].

12. Complaints

If you are unhappy with how we have handled your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or through a notice on our website. The date at the top of this page indicates when the policy was last updated.