Privacy notice

Privacy Policy

This notice explains how Optimum Health Screening Ltd collects, uses and protects your personal information. We have written it in plain English first, with a more formal legal section at the end for completeness.

Last updated: 6 May 2026  · Version: 1.0

In short

A quick summary

If you only read one part of this notice, read this:

  • We are Optimum Health Screening Ltd, a private health screening business with clinics in Kingston upon Thames and Crawley. We are registered with the Information Commissioner’s Office under registration number ZB158528.

  • We collect personal information when you contact us, book an appointment, attend a health check or use our patient portal. We treat health information with extra care.

  • We do not sell your data. We share it only with the suppliers we need to deliver our service to you, such as the laboratory that processes your blood sample.

  • Your data is stored in the United Kingdom wherever possible. Some suppliers operate from outside the UK; where this happens, we use legally recognised safeguards.

  • You have rights over your data. You can ask to see it, correct it, delete it (where we are not legally required to keep it) or complain about how we use it.

  • To contact us about privacy, email privacy@optimumhealthscreening.com.

1. Who we are

Who we are and how to reach us

Data controller
Optimum Health Screening Ltd
Company number
12899119 (registered in England and Wales)
Registered office
167–169 Great Portland Street, 5th Floor, London, W1W 5PF
ICO registration
ZB158528
Privacy contact
privacy@optimumhealthscreening.com

We are the “data controller” for the personal information described in this notice. That means we decide why and how it is used, and we are responsible for protecting it.

This notice covers our public website at optimumhealthscreening.com and our patient portal at portal.optimumhealthscreening.com.

2. What we collect

The information we collect

We only collect the information we need. What we collect depends on how you interact with us.

When you visit our website

If you choose to allow analytics cookies, we collect anonymised information about how you use the site — which pages you visit, how long you spend on them and the type of device you are using. We use this to improve the site. If you reject cookies, we collect none of this.

When you contact us through our website

Our contact form collects your name, email address, an optional phone number and the message you write. We also automatically record your IP address and the type of browser you are using; this helps us identify spam submissions and is not used for any other purpose.

When you book an appointment

We collect the information needed to confirm your appointment and prepare for your assessment: your name, email address, phone number, date of birth (optional), and details of which service, clinic and time you have chosen. If you ask us to invoice a company, we will also collect the company name, address and any purchase order reference.

No payment is taken on the booking form. Payment is taken in clinic by card or cash after your assessment.

When you complete an intake form

Before your appointment, we send you a secure link to a pre-assessment intake form. The form asks about your medical history, current medications, family history, lifestyle (such as smoking and alcohol) and any conditions relevant to your health check. This information is health data and is treated with extra care — see “Health information” below.

When you attend your appointment

Your Health Adviser records the clinical measurements taken during your check (such as blood pressure, heart rate, body composition and ECG) and, where applicable, the results of laboratory blood tests. These are combined into a personal health report which we make available to you through your patient portal account.

When you use the patient portal

After your first appointment we set up a portal account for you. The portal lets you view your reports and any documents we have shared with you. To do this, we store your email address, an encrypted password (we never see it) and a record of when you log in or view documents.

3. Health information

How we handle health information

Health information is given the strongest legal protection under the UK GDPR (it is a “special category” of personal data). We take that seriously.

Confidentiality

Your health information is handled only by people who need it to deliver the service and who are under confidentiality obligations. We do not discuss your results with anyone outside the service team or relevant healthcare and lab partners without your consent, unless required by law.

Lawful basis

For health information, we rely on the UK GDPR conditions that apply to providing the service you have requested, including Article 9(2)(h) (provision of healthcare) where applicable, and your explicit consent where required.

What we share with labs

Lab partners receive the sample and the information needed to process and report the requested tests, such as identifiers, date of birth, sex, requested tests and sample/reference numbers. They do not receive your full health record.

4. How we use your information

Why we use your information

We use your information for the purposes set out below. The right-hand column lists the lawful basis we rely on under UK GDPR.

  • Respond to enquiries you send us through the website, email or phone.
    Legitimate interests — to operate the business and respond to people who contact us.
  • Confirm and manage your appointment, send reminders and process changes.
    Performance of a contract.
  • Provide your health check, generate your report and make it available in the portal.
    Performance of a contract. For health information, we rely on the UK GDPR conditions that apply to providing the service you have requested, including Article 9(2)(h) where applicable and explicit consent where required.
  • Issue invoices and keep accounting records.
    Legal obligation (HMRC and the Companies Act 2006).
  • Detect and prevent spam submissions on our contact form.
    Legitimate interests — to keep our systems secure and useful.
  • Send marketing emails about our services to existing customers (you can unsubscribe at any time).
    Legitimate interests, in line with the soft opt-in under PECR.
  • Improve our website using anonymous analytics.
    Your consent (cookie banner).
  • Use AI tools to extract numbers from lab reports and to draft replies to enquiries.
    Legitimate interests, with appropriate safeguards — see "AI tools and your data" below.

5. AI tools

AI tools and your data

We are open about where we use AI in our service. We use the Claude AI service from Anthropic in two specific ways. We do not use AI to make decisions about your health, and a human always reviews any output before it is sent to you.

Reading lab reports

When your blood test results come back from the laboratory, we use AI to read the numbers off the report and put them into your record. Before this happens, the report is cropped so that only the clinical values are sent — your name, date of birth and sample ID are not shared with the AI service. The only personal context shared is your gender, which is needed to apply the correct reference ranges.

Drafting replies to enquiries

When you send us an enquiry, we may use AI to draft a first version of our reply. The AI sees the text of your enquiry and your first name (so it can address you), along with our internal knowledge base about our services. It does not have access to any patient records, booking history or other accounts. A human always reviews and edits the draft before it is sent.

According to Anthropic’s API and data processing terms, API inputs and outputs are not used to train its models. International transfers are protected by Standard Contractual Clauses.

6. Cookies

Cookies and tracking technologies

A cookie is a small text file that a website saves on your device. We use a small number of them, and we ask for your consent before setting any that are not strictly necessary.

Strictly necessary cookies

These keep the site working — for example, remembering your cookie choice or keeping you logged in to the patient portal. They are always on because the site cannot function without them. They are never used to identify you for marketing.

Analytics cookies (with your consent)

We use Google Analytics 4 and Microsoft Clarity to understand how visitors use the site so we can improve it. These tools tell us things like which pages are visited and how long people stay; they do not tell us who you are. We only set these cookies where you have given consent through our cookie banner.

You can change your cookie preferences at any time using the “Cookie preferences” link in the footer of every page. You can also delete cookies through your browser settings.

7. Who we share with

Who we share your information with

We do not sell your information, and we do not share it for advertising. We do use a small number of carefully chosen suppliers to run our service. Each one is bound by a written data processing agreement.

Supabase

Database, authentication and file storage for our patient portal and booking system.

Location: United Kingdom (London region)

Vercel

Website and portal hosting, including default request logs.

Location: United States, with a global edge network. Data in transit is secured by TLS.

Resend

Transactional email delivery (booking confirmations, reminders, reports, invoices, replies to enquiries).

Location: European Union / United States

Twilio

Appointment SMS reminders and confirmations. We never send clinical information by SMS.

Location: European Union / United States

Anthropic (Claude)

AI assistance with (a) extracting numerical results from cropped lab report images and (b) drafting replies to enquiries. See "AI tools and your data" below.

Location: United States, with international processing (covered by Anthropic’s Data Processing Agreement and Standard Contractual Clauses).

Google (Calendar API)

Syncing appointments to the practitioner’s private clinic calendar.

Location: European Union / United States

DigitalOcean

Server (virtual machine) used to generate report and invoice PDFs and to send SMS reminders on a schedule.

Location: United Kingdom (London region)

SumUp

Card payment processing in clinic. We do not see or store your card number — SumUp handles this directly.

Location: European Union

Acculabs Diagnostics UK Ltd, Eurofins Clinical Diagnostics UK and Nationwide Pathology Ltd

UKAS-accredited medical laboratories that analyse blood samples we collect from you. Each is a separate data controller for the testing it performs.

Location: United Kingdom

GitHub

Hosting our application source code. No patient data is stored here.

Location: United States

We may also share your information where we are legally required to — for example, with HMRC, with regulators such as the ICO, with law enforcement under a valid order, or with our professional advisers (such as accountants and lawyers) under their own duty of confidentiality.

8. Where it’s stored

Where your data is stored

Our primary database, the patient portal and our PDF generation service are all hosted in the United Kingdom (London region). Backups are kept in the same region.

Some of our suppliers operate from outside the UK — most notably Anthropic, which provides our AI tools, and certain components of Vercel, Resend and Twilio. Where personal data is transferred outside the UK, we rely on legally recognised safeguards, including the UK’s adequacy regulations for the EEA, the UK Extension to the EU–US Data Privacy Framework where applicable, and Standard Contractual Clauses with appropriate supplementary measures.

You can request a copy of the safeguards in place for any specific transfer by emailing privacy@optimumhealthscreening.com.

9. Retention

How long we keep your information

We keep your information for as long as we need it. The table below sets out our retention periods for the main categories of data.

  • Patient clinical records (assessments, intake forms, lab results, reports)

    8 years from the date of your last appointment

    Aligned with the NHS Records Management Code of Practice for adult health records.

  • Booking records (without clinical data)

    8 years from the date of the booking

    Kept in line with clinical records for operational consistency.

  • Enquiries that do not lead to a booking

    24 months, then deleted

    Retained so we can respond to follow-up questions and resolve any disputes.

  • Marketing email list

    Until you unsubscribe, or after 24 months of no engagement — whichever is sooner

    You can unsubscribe at any time using the link in any marketing email.

  • SMS delivery logs

    24 months

    Used to investigate delivery issues and resolve disputes.

  • Activity logs (portal access, document views)

    24 months

    Used as an audit trail for security and to evidence that documents were delivered.

  • Invoices and accounting records

    6 years from the end of the relevant accounting period

    Retained as required by HMRC and the Companies Act 2006.

  • Website analytics data (where consent is given)

    14 months (Google Analytics 4 default)

    Anonymised or aggregated where possible.

Once a retention period ends, we delete the information or anonymise it so it can no longer be linked to you.

10. Your rights

Your rights over your information

Under UK GDPR you have the following rights. To exercise any of them, email privacy@optimumhealthscreening.com. We will respond within one calendar month, and the service is free.

Be informed

You have the right to clear information about how your data is used — which is what this notice provides.

Access your data

You can request a copy of the personal data we hold about you. We will respond within one calendar month.

Correct inaccurate data

You can ask us to correct anything that is wrong or incomplete.

Erase your data

You can ask us to delete your data. This right is not absolute — for clinical records we are required to retain, we will explain why we cannot delete in full and what we can do instead.

Restrict processing

You can ask us to limit how we use your data while a query or correction is being investigated.

Data portability

For data you have provided to us under a contract or with consent, you can ask for a copy in a machine-readable format.

Object to processing

You can object to processing based on our legitimate interests, including direct marketing, which we will always honour.

Withdraw consent

Where we rely on your consent (for example, for non-essential cookies or marketing emails), you can withdraw it at any time.

Complaints

We hope you will come to us first if you are unhappy with how we have used your information. You also have the right to complain to the Information Commissioner’s Office at ico.org.uk/make-a-complaint or by calling 0303 123 1113.

11. Marketing

Marketing communications

If you are an existing customer, we may occasionally email you about similar services we already provide — for example, annual rebooking reminders, updates about relevant health check services, or occasional offers. We rely on the “soft opt-in” under the Privacy and Electronic Communications Regulations (PECR), which allows us to email existing customers about similar services we already provide.

Every marketing email contains an unsubscribe link. You can also email privacy@optimumhealthscreening.com at any time and we will remove you. If you have not booked with us before, we will only send marketing if you have specifically asked us to.

12. Other matters

A few other things you should know

Children

Our services are for adults aged 18 to 79 only. We do not knowingly collect information about children. If you believe a child has provided us with information, please contact us and we will remove it.

Security

We protect your information using technical and organisational measures appropriate to the sensitivity of the data. These include encryption in transit, access controls, audit logging in the patient portal, and the use of suppliers who meet recognised security standards. No system is perfectly secure, but we work to keep risks as low as we reasonably can.

If something goes wrong

If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will report it to the Information Commissioner’s Office within 72 hours. If the risk is high, we will also let you know directly without undue delay.

Changes to this notice

We may update this notice from time to time — for example, if we add a new supplier or change how we use information. The version number and last updated date at the top of the page will always reflect the most recent version. For significant changes, we will let existing customers know by email.

Contact

For any privacy-related question, please email privacy@optimumhealthscreening.com or write to us at our registered office: 167–169 Great Portland Street, 5th Floor, London, W1W 5PF.

Appendix

Formal legal disclosures

The following section sets out the disclosures required by Articles 13 and 14 of the UK GDPR in formal terms, supplementing the plain-English notice above.

A. Identity and contact details of the controller

Optimum Health Screening Ltd, a company incorporated in England and Wales (company number 12899119) with its registered office at 167–169 Great Portland Street, 5th Floor, London, W1W 5PF, registered with the Information Commissioner’s Office under registration number ZB158528 (“the Controller”).

The Controller has not appointed a statutory Data Protection Officer, having determined that it is not required to do so under Article 37 of the UK GDPR. The privacy contact is privacy@optimumhealthscreening.com.

B. Categories of personal data processed

Identification and contact data; demographic data such as date of birth and gender, and where you choose to provide it, ethnicity and postcode; health data including medical history, current medications, family history, lifestyle factors, clinical measurements (e.g. blood pressure, heart rate, ECG, body composition, urinalysis) and laboratory test results; appointment, payment and invoicing data; account credentials (in hashed form) and authentication metadata; communications data; technical data (IP address, user agent) collected for spam triage; and, where consent is given, website analytics data.

C. Purposes and lawful bases of processing

Provision of healthcare and management of the data subject’s appointment and clinical record — Article 6(1)(b) UK GDPR (performance of a contract). For the special category (health) data involved, the Controller relies on the UK GDPR conditions that apply to providing the requested service, including Article 9(2)(h) (provision of healthcare and treatment) where applicable, and Article 9(2)(a) (explicit consent) where required. Personal data within these activities is handled only by personnel who need access to deliver the service and who are bound by contractual obligations of confidentiality.

Response to enquiries, including the use of AI tools to assist drafting; spam mitigation — Article 6(1)(f) UK GDPR (legitimate interests, namely the operation of the business and the security of its systems). Where an enquiry contains health information, processing of that health information is on the basis of Article 9(2)(a) (explicit consent) by virtue of the data subject’s voluntary submission, with the contact form making the use of such data clear.

Marketing communications to existing customers — Article 6(1)(f) UK GDPR (legitimate interests), conducted in compliance with regulation 22(3) of the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “soft opt-in”), with an unsubscribe mechanism in every communication.

Compliance with legal obligations including tax and accounting record-keeping — Article 6(1)(c) UK GDPR.

Use of non-essential cookies — Article 6(1)(a) UK GDPR (consent), in compliance with regulation 6 of PECR.

D. Recipients and categories of recipient

Personal data is disclosed only to the processors and joint controllers listed in Section 7 above (cloud infrastructure, transactional communications, AI services, payment processor, accredited laboratories and source-code hosting). Personal data may also be disclosed to professional advisers (legal, accounting, insurance) under duties of confidence; to public authorities pursuant to a lawful request; and to a successor entity in the event of a corporate reorganisation, sale or merger.

E. International transfers

Where personal data is transferred outside the United Kingdom, the Controller relies on (i) the United Kingdom adequacy regulations in respect of the European Economic Area; (ii) the United Kingdom Extension to the EU–US Data Privacy Framework where the recipient is certified; and (iii) the International Data Transfer Agreement or the United Kingdom Addendum to the EU Standard Contractual Clauses, supplemented by additional safeguards where appropriate. A copy of the relevant safeguards may be obtained on request.

F. Retention periods

Retention periods for each category of personal data are set out in Section 9 above. At the end of the relevant retention period the data is deleted or irreversibly anonymised.

G. Data subject rights

The data subject has the rights set out in Articles 15 to 22 of the UK GDPR, namely the right of access, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to processing (including the right to object to direct marketing under Article 21(2), which is absolute), and the right not to be subject to a decision based solely on automated processing producing legal or similarly significant effects. Where processing is based on consent, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal.

H. Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the Information Commissioner’s Office (Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF; telephone 0303 123 1113; ico.org.uk/make-a-complaint).

I. Statutory or contractual requirement to provide data

Provision of the personal data required to book and attend a health check is necessary for the performance of the contract between the data subject and the Controller. Failure to provide such data will mean the Controller is unable to provide the requested services.

J. Automated decision-making

The Controller does not engage in automated decision-making producing legal or similarly significant effects within the meaning of Article 22 of the UK GDPR. The AI assistance described in Section 5 above is in all cases reviewed by a human before any output is acted upon.

K. Source of data

Personal data is obtained from the data subject directly, save that test results are obtained from the accredited laboratories listed in Section 7 having been generated from samples taken with the data subject’s consent.

Privacy Policy version 1.0, dated 6 May 2026.

Questions about your data?

Email privacy@optimumhealthscreening.com and we’ll respond within one calendar month, usually much sooner.