Privacy Policy

Last updated: 24/02/2026

1. Our Commitment to Your Privacy

Brooksby Medical is committed to safeguarding your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and Care Quality Commission (CQC) regulations.

We have tried to make this policy clear and easy to understand. We review it at least annually and will notify you of significant changes by email or through our website.

2. Who We Are

• Organisation: Brooksby Medical Ltd

• Registered Office: The Old Rectory, Hoby Road, Brooksby, Leicestershire, LE14 2LE

• Email: enquiries@brooksbymedical.com

• Telephone: 01664 434741

• ICO Registration: ZB874479

Data Protection Officer:

• Name: Glen Mansbridge

• Email: glen@gdpr-guru.co.uk

We are registered as a data controller with the Information Commissioner’s Office (ICO).

3. What Personal Data We Collect

We collect data required to deliver safe, personalised medical care, including:

• Identity Data: title, full name, date of birth, gender

• Contact Data: home address, telephone number, email address

• Health Data (Special Category): medical history, current medications, allergies, blood test results, health questionnaire answers, clinical notes

• Transaction Data: payment records, order history. We do not store credit or debit card details.

• Technical Data: IP address, device type, browser version, cookies, login timestamps

• Communication Data: emails, SMS messages, consent forms, feedback, complaints

• Appointment Data: booking date and time, collection method, consultation type

• Audit Log Data: access logs, login activity, two-factor authentication records

4. Lawful Basis for Processing

We process your data under the following lawful bases:

• Contract: To deliver the blood tests, consultations, results, and referrals you have ordered from us.

• Legal Obligation: To comply with regulatory duties including CQC, GMC, safeguarding obligations, and notifiable disease reporting to the UK Health Security Agency (UKHSA).

• Legitimate Interest: For service improvement, cybersecurity, fraud prevention, and system maintenance, where our interests do not override your rights.

• Consent: For optional activities such as marketing emails, or sharing your data with third parties not essential to your care. You may withdraw consent at any time.

• Provision of Healthcare (Article 9(2)(h)): To process special category health data for medical diagnosis and treatment under the management of a registered health professional.

5. How We Use Your Information

We use your personal data to:

• Deliver medical consultations and health assessments

• Arrange and process blood tests via our laboratory partners

• Provide you with your blood test results and clinical commentary

• Prescribe medications where clinically appropriate

• Maintain accurate clinical records

• Respond to your queries, complaints, or clinical concerns

• Send essential transactional communications (appointment confirmations, result notifications, 2FA codes)

• Ensure compliance with legal, clinical, and regulatory standards

• Report notifiable diseases to the UK Health Security Agency (UKHSA) where required by law

6. Who We Share Your Data With

We share your data only when necessary and with appropriate safeguards in place:

• Inuvi Laboratories (Data Processor): Processing of laboratory blood test orders, hosted on AWS UK infrastructure.

• Semble (Data Processor): Secure clinical record storage and management.

• Registered UK Pharmacies, e.g. SignatureRx (Independent Data Controller): Dispensing of prescribed medications.

• Superdrug Clinics (Data Processor): Venous blood sample collection at clinic locations.

• Wix (Data Processor): Website hosting and member portal.

• CQC, GMC, UKHSA, Safeguarding Teams: Regulatory obligations and notifiable disease reporting, as required by law.

We do not sell your data. We do not use your data for profiling or automated marketing without your explicit consent.

7. Security Measures

We take the security of your personal data seriously and apply the following safeguards:

• Encryption of data in storage and in transit

• Role-based access controls ensuring staff only access data relevant to their role

• UK-based, GDPR-compliant cloud infrastructure

• Two-factor authentication (2FA) for all member portal logins

• Regular audit logging of access to clinical records via Semble

• Regular cybersecurity reviews and data protection training for all staff

• Secure disposal of data in accordance with NHS guidelines

8. Data Retention

We retain your data in accordance with the NHS Records Management Code of Practice and relevant regulatory requirements:

• Adult clinical records: minimum 8 years from last contact

• Financial and transaction records: 6 years

• Technical and audit logs: 2 years

After the applicable retention period, data is securely deleted or irreversibly anonymised. We review retained data regularly to ensure it is still necessary.

9. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

• Access: Request a copy of the personal data we hold about you.

• Rectification: Request correction of inaccurate or incomplete data.

• Erasure: Request deletion of your data where there is no ongoing legal or clinical reason for retention.

• Restriction: Request we limit how we process your data in certain circumstances.

• Objection: Object to processing based on legitimate interests.

• Portability: Receive your data in a structured, machine-readable format.

• Withdraw Consent: For any processing based on consent (e.g. marketing), you may withdraw at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at enquiries@brooksbymedical.com. We will respond within one calendar month.

If you are not satisfied with our response, you may complain to the Information Commissioner’s Office (ICO): www.ico.org.uk / 0303 123 1113.

10. Cookies and Analytics

Our website uses essential cookies required for site functionality, member login, and security.

We do not currently use analytics or marketing cookies. Should we introduce these in the future, we will update this policy and obtain your consent where required.

You can manage cookie preferences through your browser settings. Disabling essential cookies may affect your ability to use our secure member portal.

For full details, please see our Cookie Policy at www.brooksbymedical.com/cookie-policy.

11. International Data Transfers

We primarily process and store your data within the United Kingdom. Where any data is processed outside the UK, we ensure GDPR-compliant safeguards are in place, such as Standard Contractual Clauses or processing in countries with an adequacy decision.

We will not transfer your personal data to any country that does not provide adequate protection for your rights without appropriate safeguards.

12. Children’s Privacy

We do not offer services to individuals under 18 years of age. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly.

13. Use of AI-Assisted Tools

We may use AI-assisted tools (such as Heidi) to support the clinical note-taking process during consultations. Patients are informed before or during the consultation and may decline the use of AI. All AI-generated notes are reviewed and confirmed by the treating clinician before being added to your medical record.

No solely automated decisions with legal or significant effects are made about you. All clinical outputs are reviewed by a registered clinician before being communicated to you.

14. SMS Communications

Brooksby Medical uses SMS messaging for essential, transactional communications including:

• Two-factor authentication codes for secure login

• Appointment confirmations and reminders

• Notifications that test results are available

These messages form part of our secure service delivery. Patients provide a mobile phone number at registration and consent to receive these essential communications. Opting out of transactional SMS will prevent access to secure services such as login and result retrieval.

For non-essential communications such as marketing or service updates, you may opt out at any time by contacting us or updating your communication preferences.

15. Research and Development

We may use anonymised and aggregated data (from which you cannot be identified) for the purposes of service improvement, statistical analysis, and healthcare research. This data is stripped of all personally identifiable information before use.

We will never use your identifiable health data for research purposes without your explicit consent.

16. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those external sites. We encourage you to read the privacy policy of any website you visit.

17. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, explaining the nature of the breach and the steps we are taking.

18. Updates to This Policy

We review this policy at least annually or upon any significant change to our services, data processing activities, or applicable legislation. The date of the most recent update is shown at the top of this document.

We will notify you of material changes by email or through a prominent notice on our website.

19. Contact Us

• Brooksby Medical Ltd

• Email: enquiries@brooksbymedical.com

• Phone: 01664 434741

• Data Protection Officer: Glen Mansbridge — glen@gdpr-guru.co.uk