
HBSUK Privacy Notice

This Notice was last updated on 27 February 2025.

We are Healthcare Business Solutions (UK) Limited (HBSUK). We are the controller and responsible for your personal data covered by this Privacy Notice. Protecting your personal data is very important to us. We will always be transparent about how and why we collect it.

We have appointed a data protection officer (DPO) who is responsible for overseeing questions in relation to this Privacy Notice. If you do have any questions, including any requests to exercise your legal rights, please contact the DPO using the information set out in the contact details section below.

This Privacy Notice tells you what to expect us to do with your personal data. It is provided in a layered format so you can click through to the specific areas set out below:

1. How can I contact you?

If you have any questions about this Notice, including any requests to exercise your legal rights, you can contact us by:

Email: compliance@hbsuk.co.uk

Phone: 0115 857 3842

2. What information we collect, use and why

How we use your personal data will depend on how we’re interacting with you. This Notice covers when we interact with you on our website or our Virtual Lucy Platform when you are a website user, patient or referrer (for example an insurance provider administrator, NHS hospital or NHS Trust administrator or private GP).

If you are a clinician working via our clinician’s network for our insourcing services or on our Virtual Lucy platform, please see the privacy notice provided to you with your contract or via your registration form; a copy can also be provided on request by our DPO.

If you are an applicant for a position at HBSUK please see our Candidate Privacy Notice.

 

NHS patients

Where we provide our insourcing service to NHS England, we process patient data as their processor, and we refer you to your NHS Trust’s privacy notice.

If you access our services using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal data you provided to NHS England to get an NHS login account and verify your identity, and it uses that personal data solely for that single purpose. For this personal data, our role is a processor only and we must act under the instructions provided by NHS England (as the controller) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, please Click Here. This does not apply to the personal data you provide to us separately.

If you are receiving care from a health or care organisation, that organisation may share your NHS number with other organisations providing your care. This is so that the health and care organisations are using the same number to identify you whilst providing your care. By using the same number the health and care organisations can work together more closely to improve your care and support.

Your NHS number is accessed through a NHS digital service called the personal demographic service (PDS). A health or care organisation sends basic information such as your name, address, and date of birth to the PDS in order to find your NHS number. Once retrieved from the PDS the NHS number is stored in our case management system. We will share your personal data only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional, and where the user has a direct care relationship with you.

You have the right to object to the processing of your NHS number in this way. This will not stop you from receiving care but will result in the benefits outlined above not being realized. To help you decide, we will discuss with you how this may affect our ability to provide you with care, and any other options that you have. If you wish to opt-out from the use of your NHS number in this way please Contact Us.

We may process your personal data for a number of different purposes, and these are set out in more detail in the below sub sections.

 

Legal Grounds we rely on for each use of your personal data

Under data protection laws we can only process your personal data where we have one or more legal grounds or conditions for doing so as set out in the law. When the personal data we process about you is classed as sensitive information (for example criminal offences data and ‘Special Category Personal Data’ such as your health, sexual orientation and ethnic origin), we must have an additional legal condition for such processing or, where necessary, we will ask for your consent. We have set out our legal grounds for processing in the below sub-sections.

 

Clinical Consent

Where we are acting as a healthcare provider via our Virtual Lucy Platform, we also have to satisfy clinical confidentiality rules. This is in addition to meeting the ‘legal grounds’ and conditions for processing under data protection law. We do this, when necessary, by obtaining a clinical consent to process your clinical information or to share information from your clinical records with third parties, for example your insurer or another healthcare professional.

Our clinical consent processes are based on the General Medical Council (GMC) and British Medical Association (BMA) Confidentiality Guidance as well as laws such as the Access to Medical Reports Act 1988 (where applicable). Clinical consent is not the same as consent to process personal data under data protection law. We do not generally use consent as our legal ground or condition for processing personal data under data protection law. If we ever need your consent under data protection law to process your personal data, we’ll make that clear to you at the time.

Please click on the relevant button below to learn more about how we use your personal data.

I'm a Website Visitor

Why we need your personal data

Type of personal data

Legal grounds for processing

To enable you to contact us with a query by phone, email, via our “Contact Us” page or via social media.

 

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers, social media handle).

 

Necessary for our legitimate interests (to respond to your query).

To send you surveys or feedback forms to obtain information about your experience of our website to enable us to make improvements.

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers, social media handle).

Necessary for our legitimate interests (to improve our website).

To send you relevant marketing communications or updates about our services and offerings.

 

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

Necessary for our legitimate interests (to carry out direct marketing, develop our services and grow our business).

 

Consent (having obtained your prior consent to receiving direct marketing communications).

 

Please note: We will only send such communications in line with any preferences you have told us about, either because you have opted in to receive them or because we rely on your consent to contact you.

You can unsubscribe from our updates at any time by clicking “unsubscribe” in the marketing email you receive from us or by responding to any marketing email you receive from us to tell us you wish to unsubscribe.

 

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

Technical data (including IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website)

 

Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise).

 

Necessary to comply with a legal obligation.

To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy

(b) Dealing with your requests, complaints and queries about the website.

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

Performance of a contract with you.

 

Necessary to comply with a legal obligation.

 

Necessary for our legitimate interests (to keep our records updated and manage our relationship with you).

 

To use data analytics to improve our website, products/services, customer relationships and experiences and to measure the effectiveness of our communications and marketing

 

See the Analytics section below for further information

 

Technical data (including IP address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website).

 

Usage data (including information about how you interact with and use our website, products and services).

Necessary for our legitimate interests (to define types of customers for our services, to keep our website updated and relevant, to develop our business and to inform our marketing strategy).

I'm a Patient

Why we need your personal data

Type of personal data

Legal grounds for processing

To register you as a patient on our Virtual Lucy Platform and create your profile.

Identity data (including name, username or similar identifier, title, NHS number).

 

Contact data (including email address, telephone numbers).

Legal grounds:

Necessary for the performance of your insurance contract.

 

Necessary for our legitimate interests (to register and create your profile in order to provide you with a healthcare service as requested by your NHS Trust).

 

To set up a case for your condition for which you require a consultation.

Identity data (including name, username or similar identifier, title, NHS number).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (including information, medical records and images in relation to your case).

Legal grounds:

Necessary for the performance of your insurance contract.

 

Necessary for our legitimate interests (to set up your case in order to provide you with a healthcare service as requested by your NHS Trust).

 

Additional processing condition for sensitive information:

Necessary for the provision of healthcare.

 

To enable our contact centres or other members of HBSUK staff to contact you via email, SMS or telephone to assist you with registration on Virtual Lucy, arranging further appointments, general queries and to carry out customer feedback.

Identity data (including name, username or similar identifier, title, NHS number).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (including information, medical records and images in relation to your case)

 

Legal grounds:

Necessary for our legitimate interests (to provide and improve our service).

 

Additional processing condition for sensitive information:

Necessary for the provision of healthcare.

 

To share your personal data with your referrer (Private GP, Insurer, NHS Trust) for administration and validation purposes.

Identity data (including name, username or similar identifier, title, NHS number).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (including information, medical records and images in relation to your case).

Legal grounds:

Necessary for the performance of your insurance contract.

 

Necessary for our legitimate interests (to set up your case in order to provide you with a healthcare service as requested by your NHS Trust).

 

Additional processing condition for sensitive information:

Necessary for the provision of healthcare.

 

Explicit Consent (We collect consent to share health data with your insurer on the Virtual Lucy Platform).

 

To triage your case using the Virtual Lucy Digital Triage Tool or Clinician’s triage.

Identity data (including name, username or similar identifier, title, NHS number).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (including information, medical records and images in relation to your case).

Legal grounds:

Necessary for the performance of your insurance contract.

 

Necessary for our legitimate interests (to provide you with a healthcare service as requested by your NHS Trust or Insurer).

 

Additional processing condition for sensitive information:

Necessary for the provision of healthcare.

 

To provide a Clinician’s consultation via video or telephone call and the recording of the consultation.

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (including information, medical records and images in relation to your case).

Legal grounds:

Necessary for the performance of your insurance contract.

 

Necessary for our legitimate interests (to provide you with a healthcare service as requested by your NHS Trust or Insurer)

 

Additional processing condition for sensitive information:

Necessary for the provision of healthcare.

 

To share data with our healthcare providers as part of the consultation (including for imaging, blood tests, prescriptions) or within a referral letter for a face-to-face appointment with a clinician.

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (including information, medical records and images in relation to your case)

Legal grounds:

Necessary for the performance of your insurance contract.

 

Necessary for our legitimate interests (to set up your case in order to provide you with a healthcare service as requested by your NHS Trust or insurer).

 

Additional processing condition for sensitive information:

Necessary for the provision of healthcare.

 

To store your medical records and your consultation recordings on the Virtual Lucy Platform in accordance with our retention policy.

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (including information, medical records and images in relation to your case)

Legal grounds:

Necessary for the performance of your insurance contract.

 

Necessary for our legitimate interests (to provide you with a healthcare service as requested by your NHS Trust or insurer).

 

Additional processing condition for sensitive information:

Necessary for the provision of healthcare.

 

Compliance with a legal obligation to which the controller is subject.

 

To collect and analyse patient satisfaction surveys via a third-party survey provider (for example Trust Pilot) to improve our products or services, data quality and operational processes and to publish any given feedback using the third-party survey provider.

 

See the Analytics section below for further information

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (only if you include any information about your condition in the feedback).

Legal grounds:

Necessary for our legitimate interests (to enable us to improve our healthcare services).

 

Additional processing condition for sensitive information

Your consent if you provide health data in the survey response (collected via the Trust Pilot Form).

 

Necessary for scientific or historical research purposes or statistical purposes.

 

To collect and analyse patient satisfaction surveys within Virtual Lucy to improve our products and services, data quality and operational processes.

 

See the Analytics section below for further information

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

 

Sensitive information: 

Health data (only health data about your condition that you have provided in the Virtual Lucy Platform).

Legal grounds:

Necessary for our legitimate interest (to enable us to improve our healthcare services).

 

Additional processing condition for sensitive information:

Necessary for the provision of healthcare.

 

Necessary for scientific or historical research purposes or statistical purposes.

 

To anonymise patient health data in order to use it for analytics, training (including AI models), research and for publishing medical papers.

 

See the Analytics and AI section below for further information.

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (including medical information, recordings and images in relation to your case and from your consultation).

Legal grounds:

Necessary for our legitimate interests (to enable us to improve our healthcare services).

 

Additional processing condition for sensitive information:

Necessary for the provision of healthcare.

 

Necessary for scientific or historical research purposes or statistical purposes.

 

To carry out internal research including:

To advance HBSUK’s digital healthcare services, generate new understandings or insights into patient engagement and outcomes of digital healthcare.

To understand and identify different cohorts of patients for involvement in patient focus groups or patient and public involvement committee for research purposes.

 

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:  

Health data (including medical information, recordings and images in relation to your case and from your consultation).

 

Legal Ground:

Legitimate Interests

(This research is compatible with the original purpose that we collected your information to provide the Virtual Lucy healthcare service).

 

Additional processing condition for sensitive information:

Necessary for scientific or historical research purpose or statistical purpose.

 

To contact you to ask if you will participate in a patient focus group or a patient and public involvement committee.

 

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

Legal Ground:

Legitimate Interests

(This initial contact is to enable the research which is compatible with the original purpose that we collected your information to provide the Virtual Lucy healthcare service).

 

* Please note that we will only contact you and proceed if you confirm you are happy to participate.

 

To carry out medical research studies and produce and publish medical research papers. 

 

Identity data (including name, username or similar identifier, title). 

 

Contact data (including email address, telephone numbers). 

  

Sensitive information:  

Health data (including information, medical records and images in relation to your case).

 

Legal ground:

Legitimate Interest

This research is compatible with the original purpose that we collected your information to provide the Virtual Lucy Healthcare Service

 

Additional processing condition for sensitive information: 

Necessary for scientific or historical research purposes or statistical purposes.

 

*Please note that all medical research carried out by HBSUK will be conducted in accordance with the principles set out by the Health Research Authority.

We often need to obtain common law consent from participants to take part in medical research. Common law consent is an important ethical standard that ensures and protects the autonomy and privacy of participants in research studies.

 

To assess or audit or assist others (such as the Care Quality Commission) to assess or audit the performance of our healthcare services to identify concerns regarding the care being provided to our patients.

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (including information, medical records and images in relation to your case)

Legal grounds:

It is in the public interest to identify, or help others identify, deficiencies in the standards of care being provided.

 

Compliance with a legal obligation to which the controller is subject

 

Additional processing condition for sensitive information:

Public interest in the area of public health, ensuring high standards of quality and safety of healthcare

 

Necessary for the provision of healthcare

 

To administer and protect our Virtual Lucy Platform (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data).

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers).

 

Sensitive information:

Health data (including information, medical records and images in relation to your case)

Necessary for our legitimate interests (for running our platform, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise).

 

Necessary to comply with a legal obligation.

 

Additional processing condition for sensitive information:

Necessary for the provision of healthcare

I'm a Referrer

To sign up as a referrer (for example as an insurance provider administrator, NHS hospital/Trust administrator or private GP)

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers, your organisation’s name and address).

Legal grounds:

Necessary for the performance of a contract with you to provide our services to you (or in order to take steps at your request prior to entering the contract).

 

Necessary for our legitimate interest (to provide a healthcare services platform).

 

To send you relevant marketing communications when you sign up to receive our updates about our services and offerings. 

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers, your organisation’s name and address).

Legal grounds:

Necessary for our legitimate interests (to carry out direct marketing, develop our services and grow our business).

 

Please note: We will only send such communications in line with any preferences you have told us about, either because you have opted in to receive them or because we rely on your consent to contact you.

You can unsubscribe from our updates at any time by clicking “unsubscribe” in the marketing email you receive from us or by responding to any marketing email you receive from us to tell us you wish to unsubscribe.

 

To enable you to complete feedback/survey

Identity data (including name, username or similar identifier, title).

 

Contact data (including email address, telephone numbers, your organisation’s name and address).

 

Legal grounds:

Necessary for our legitimate interests (to improve our services).

To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy.

(b) Dealing with your requests, complaints and queries.

Identity data (including name, username or similar identifier, title). 

 

Contact data (including email address, telephone numbers, your organisation’s name and address).

 

Legal grounds:

Necessary for our legitimate interests (to keep our records updated and manage our relationship with you).

 

Necessary to comply with a legal obligation.

3. Where we get your information from

  • Directly from you
  • Regulatory authorities
  • Other healthcare providers including the NHS or your GP
  • Insurance companies
  • Publicly available sources

4. Who we share your personal data with

We may share your personal data where necessary with the parties set out below for the purposes set out in the tables above.

We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

 

When you are a website user:

  • Service providers who assist us in operating our website and business.
  • Prospective buyers of our business under our legitimate interest to ensure our business can be continued by the buyer.

 

When you are a patient:

  • Personal Demographics Service to confirm your identity as an NHS patient, link your care records and support the management of NHS services using your name, address, and NHS number.
  • Clinicians to provide services to you as a patient. This may include other clinicians and providers to the clinician who carried out the initial assessment such as medical imaging providers, physiotherapists and consultants. We may use GP Connect, the NHS e-Referral Service, NHS login and other platforms utilised by the NHS to synchronise your care and records.
  • Your GP.
  • Regulators/ Authorities/ Enforcement Agencies if we are under a duty to disclose or share your personal data to comply with any legal obligation, or to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of our clients, patients or others. This may include disclosures to the General Medical Council (GMC), the Medicines and Healthcare products Regulatory Agency (MHRA) and the Care Quality Commission (CQC).
  • Administrative teams from the NHS Trust or private medical insurer who originally referred you to us, for the purposes of updating your treatment or insurance file (including insurance validations).
  • Call centre operators from the NHS Trust or private medical insurer who originally referred you to us, to enable them to assist you with your questions.
  • Finance teams from the NHS Trust or private medical insurer who originally referred you to us, for the purposes of invoicing for your care.
  • Service providers who assist us in operating our Virtual Lucy Platform and business.
  • Prospective buyers of our business under our legitimate interest to ensure our business can be continued by the buyer.

 

When you are a referrer:

  • Patients, to enable them to contact you to process their claim.
  • Clinicians to enable them to contact you for administration purposes.
  • Service providers who assist us in operating our business.
  • Prospective buyers of our business under our legitimate interest to ensure our business can be continued by the buyer.

 

We want to reassure you that we never sell personal data to third parties. We’ll only use your data in ways we are allowed to by law, which includes only collecting as much data as we need.

5. When we share your personal data outside the UK

Where do you store my data?

We store your personal data on servers within the UK and EU only. The EU is designated by the UK Government as “adequate” and therefore offers the same protection as UK Law.

 

Transfers out of the UK and EU

As we store your data in the UK and the EU, we do not routinely make transfers of data outside the UK or EU. However, we may, for example, work with third party service providers based both inside and outside of the UK and the EU. This may involve transferring personal data outside the UK to countries which have laws that do not provide the same level of data protection as the UK law.

Whenever such onwards transfers occur, we ensure that a similar degree of protection is afforded to your personal data by ensuring that the following safeguards are implemented:

  • We use specific standard contractual terms approved for use in the UK which give the transferred personal data the same protection as it has in the UK, namely the International Data Transfer Agreement or the International Data Transfer Addendum to the European Commission’s standard contractual clauses for international data transfers.
  • To obtain a copy of these contractual safeguards, please contact us at compliance@hbsuk.co.uk.

6. How we use Artificial Intelligence

Artificial Intelligence (AI) is an umbrella term for a range of technologies that replace manual processes and solve complex tasks by carrying out functions that previously required human action or input. Tasks that we have traditionally done by thinking and reasoning are increasingly being done by, or with the help of, AI.

We use AI to support our existing activities. This means that how we collect your personal data and the types of personal data we use do not change. To use AI, we combine information you have provided to us directly, information we derive about you from your use of our services or your interactions with us, and information from other people and organisations. We use AI for different purposes which we explain in more detail below.

 

Business process improvement and efficiency

We use AI to improve our business processes with a particular focus on simplifying complex processes, ensuring consistent standards and driving efficiencies. For example, we may use AI to help triage, organise and compile documents, extract data for entry into the relevant systems, translate or summarise text or transcribe recordings.

 

Training AI

We may use personal data as part of the development and training phase of an AI solution to be used in the provision of our services. Where we use personal data for such training, the lawful basis we will rely on is that it is necessary for the purposes of our legitimate interest to train an AI tool to assist in improving the efficiency and accuracy of our services, managing our business efficiently and maintaining accurate records.

When we process personal data on the basis that we have a legitimate interest to do so, we always balance this against your fundamental rights and freedoms and put in place robust safeguards to ensure that your privacy is protected.

Where we need to use health data to train an AI solution to be used in the provision of our services it will be anonymised.

7. How we carry out analytics

We analyse anonymous data to gain insights about how we can improve our services and the health and wellbeing of the people who use them. Further, it allows us to show our clients, for example the NHS or your insurer, how their patients or customers interact with our services. To do this we may bring together information from your use of Virtual Lucy and analyse it without using information from which you can be identified. For example, we may provide reports to your referrer about service utilisation. These are based on aggregated data to a level which means you cannot be identified. 

We may use your personal data collected from customer satisfaction surveys and where possible, we will anonymise such information. However, sometimes we may need to use your personal data including health data. In such circumstances, if necessary, we will obtain your consent as our legal ground to process your personal data under data protection rules.

The way that we anonymise personal data is in line with regulatory guidance and is achieved using different techniques, for example removing identifying data or overwriting it with randomised non-identifiable data. In line with regulatory guidance our use of your personal data to create anonymised data relies on the same legal grounds and conditions that were relied on when we obtained your data: the processing is in our legitimate interests and is necessary for the purposes of the provision of healthcare services.

8. How long we keep your personal data

We will only retain your personal data for as long as we need it unless we are required to keep it for longer to comply with our legal, accounting or regulatory requirements.

Your medical records are retained by us in accordance with national best practice guidance, in particular advice provided by the Department of Health (2006) Records management: NHS code of practice, and summary guidance issued by the British Medical Association.

Where you have used our platform to provide or receive services, we will hold your relevant personal details to enable us to facilitate our services and meet our regulatory requirements. Different retention periods apply for different types of data; however, the longest we will normally hold your data is eight years in line with prevailing NHS record keeping requirements.

In some circumstances we may carefully anonymise your personal data so that it can no longer be associated with you, and we may use this anonymised data indefinitely without notifying you. We use this anonymised data to improve our products and services.

9. The data security measures we have in place

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions, and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

10. What are your data protection rights?

You have various other rights under applicable data protection laws, including the right to:

access your personal data (also known as a “subject access request”)

You have the right to ask us for copies of your personal data. You can request other information such as details about where we get personal data from and who we share personal data with. There are some exemptions which mean you may not receive all the personal data you ask for.

 

correct incomplete or inaccurate data we hold about you

You have the right to ask us to correct or delete personal data you think is inaccurate or incomplete, though we may need to verify the accuracy of the new data you provide to us.

 

ask us to erase the personal data we hold about you

You have the right, in certain circumstances, to ask us to delete your personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have successfully exercised your right to object to processing (see below), where we may have processed your data unlawfully or where we are required to erase your personal data to comply with local law. Note, however, that we may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.

 

ask us to restrict our handling of your personal data

You have the right to ask us to limit how we can use your personal data. This enables you to ask us to suspend the processing of your personal data in one of the following scenarios:

  • If you want us to establish the accuracy of the data;
  • Where our use of the data is unlawful, but you do not want us to erase it;
  • Where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or
  • You have objected to our use of your information, but we need to verify whether we have overriding legitimate grounds to use it.

 

ask us to transfer your personal data to a third party

You have the right to ask that we transfer the personal data you gave us to another third party, or to you. We will provide to you, or the third party you have chosen, your personal data in a structured, commonly used, machine-readable format. Note that this right only applies to automated information which you initially provided consent for us to use or where we used the information to perform a contract with you.

 

object to how we are using your personal data

You have the right to object to the processing of your personal data where we are relying on a legitimate interest (or those of a third party) as the legal basis for that particular use of your data. In some cases, we may demonstrate that we have compelling legitimate grounds to process your data which override your right to object.

You also have the absolute right to object at any time to the processing of your personal data for direct marketing purposes.

 

withdraw your consent to us handling your personal data

You can read more about these rights here. If you make a request, we must respond to you without undue delay and in any event within one month.

11. How to complain

You also have the right to lodge a complaint with us or the Information Commissioner’s Office, the supervisory authority for data protection issues in England and Wales.

12. How we use cookies

Please see our Cookie Notice and Cookie Banner for information about the cookies used on our website and platform.

13. Changes to this privacy notice and your duty to inform us of any changes

We keep our Privacy Notice under regular review. This version was last updated 27 February 2025. Historic versions can be obtained by contacting us.

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us, for example a new address or email address.

14. Third party links

Our website may include links to third party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.