My Health & Wellbeing Clinic

My Health & Wellbeing Clinics Ltd is a company incorporated in England and Wales. Our company number is 14811638 and our trading address is 97–99 Whitechapel Road, London, E1 1DT. Throughout this document, references to “we”, “our” or “us” refer to My Health & Wellbeing Clinics Ltd.

We are committed to protecting the privacy, confidentiality, and integrity of all personal data entrusted to us. As a healthcare provider, we recognise that we process highly sensitive information, including special category data relating to health, and we therefore apply a high standard of care in how such information is handled. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and all associated legislation, guidance, and regulatory expectations. This includes adherence to the Records Management Code of Practice for Health and Social Care and alignment with Care Quality Commission (CQC) expectations regarding information governance.

For the purposes of data protection law, My Health & Wellbeing Clinics Ltd acts as the data controller. This means that we determine the purposes for which, and the manner in which, your personal data is processed. Any queries relating to this policy or the processing of your data can be directed to us at info@mhwclinic.co.uk.

As part of delivering modern, efficient, and safe healthcare services, we use secure digital systems, including artificial intelligence-supported tools such as Heidi AI and Lyngo AI. Heidi AI is used within clinical consultations to assist clinicians in accurately documenting medical notes, ensuring that records are comprehensive, structured, and contemporaneous. Lyngo AI is used in an administrative capacity, supporting appointment booking, handling patient enquiries, and facilitating communication with the clinic. These technologies are implemented to support, not replace, human staff and clinicians. They operate under strict governance frameworks and are subject to human oversight at all times. They do not make independent clinical decisions, and all outputs are reviewed and validated by appropriately qualified professionals.

These systems may process personal data, including sensitive health information, but only to the extent necessary for the provision of healthcare services. In doing so, they act as data processors on our behalf, and we ensure that appropriate contractual arrangements are in place in accordance with Article 28 of UK GDPR. We also undertake due diligence to ensure that such systems meet appropriate standards of data protection, security, and clinical safety.

This Privacy Policy, together with our Terms and Conditions and Cookie Policy, explains how we collect, use, and protect your personal data. By accessing our website at https://mhwclinic.co.uk/, you acknowledge and accept the practices described in this policy. If you do not agree with these terms, you should not submit personal data to us.

We collect personal information in a number of ways. This includes information that you provide directly to us when you complete forms on our website, book an appointment, contact us by telephone or email, or attend a consultation. The information you provide may include your name, date of birth, address, email address, telephone number, and any medical or health information that is relevant to your care. As a healthcare provider, much of the information we process falls into the category of special category data under UK GDPR, meaning that it is afforded additional protection due to its sensitive nature.

We process your personal data on the basis of lawful grounds set out in UK GDPR. For general personal data, this includes processing that is necessary for the performance of a contract, such as providing you with medical services, as well as processing required to comply with legal obligations and to support our legitimate interests, such as maintaining service quality and preventing fraud. For health data and other special category data, we rely on Article 9(2)(h) of UK GDPR, which permits processing where it is necessary for the purposes of medical diagnosis, the provision of healthcare, and treatment.

We retain your personal data only for as long as necessary and in accordance with legal and regulatory requirements. In healthcare, retention periods are guided by the Records Management Code of Practice for Health and Social Care. In general, adult medical records are retained for a minimum period of eight years following the last contact. In certain cases, such as where treatment involves children or where there are ongoing legal or clinical considerations, records may be retained for longer. Retention decisions are based on a combination of clinical need, legal requirements, and patient safety considerations.

In addition to the information you provide directly, we may collect technical information when you use our website. This can include your IP address, browser type, operating system, and information about how you interact with the website. This information is used to ensure that the website functions correctly, to improve user experience, and to maintain security. We may also receive information about you from other sources involved in your care, such as laboratories, diagnostic providers, or specialists. This information is integrated into your medical record and used solely for the purpose of providing safe and effective healthcare.

We use your personal data in order to deliver healthcare services, maintain accurate clinical records, communicate with you regarding your care, arrange referrals and investigations, process payments, and comply with legal and regulatory obligations. We may also use data in an anonymised or aggregated form to improve our services, monitor performance, and support quality improvement initiatives.

We may process your data for legitimate business purposes, including improving the functionality of our services, ensuring system security, preventing fraud, and understanding how patients interact with our systems. Where we rely on legitimate interests, we ensure that such processing is proportionate and does not override your rights and freedoms.

We will only send marketing communications where you have provided explicit consent. You have the right to withdraw this consent at any time, and we will provide clear mechanisms for doing so.

We do not carry out solely automated decision-making that produces legal or similarly significant effects. While AI systems may assist in processing information, all clinical decisions are made by qualified healthcare professionals.

We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect it. These include secure clinical systems, encryption, access controls, and staff training on confidentiality and data protection. However, it is important to note that the transmission of information via the internet is not completely secure, and there are inherent risks associated with electronic communication.

We may share your personal data with third parties where this is necessary for your care or where we are required to do so by law. This includes laboratories, imaging providers, specialists, pharmacies, IT providers, and regulatory bodies such as the Care Quality Commission or the Information Commissioner’s Office. We may also share data with our AI providers, Heidi AI and Lyngo AI, strictly within the scope of their role as data processors. We do not sell your personal data to third parties.

In some cases, your data may be transferred outside the United Kingdom or the European Economic Area. Where this occurs, we ensure that appropriate safeguards are in place, such as the use of Standard Contractual Clauses, to ensure that your data remains protected to an equivalent standard.

You have a number of rights in relation to your personal data. These include the right to access the data we hold about you, the right to request correction of inaccurate information, the right to request deletion in certain circumstances, the right to restrict processing, the right to object to processing, and the right to data portability. Requests will be handled in accordance with legal requirements, typically within one month.

If you have concerns about how your data is handled, you have the right to make a complaint to the Information Commissioner’s Office, which is the UK’s supervisory authority for data protection.