Privacy Policy

Last updated: 20 June 2026

1. Our Commitment to Your Privacy

Brooksby Medical is committed to safeguarding your privacy. This Privacy Policy explains how we collect, use, store, and share your personal data in compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and Care Quality Commission (CQC) regulations.

We have tried to make this policy clear and easy to understand. We review it at least annually, and the current version is always the one published on this page (see section 18).

2. Who We Are

• Organisation: Brooksby Medical Ltd
• Registered Office: The Old Rectory, Hoby Road, Brooksby, Leicestershire, LE14 2LE
• Email: enquiries@brooksbymedical.com
• Telephone: 01664 434741
• ICO Registration: ZB874479

Data Protection Officer:

• Name: Glen Mansbridge
• Email: glen@gdpr-guru.co.uk

We are registered as a data controller with the Information Commissioner's Office (ICO).

3. What Personal Data We Collect

We collect data required to deliver safe, personalised medical care, including:

• Identity Data: title, full name, date of birth, gender
• Contact Data: home address, telephone number, email address
• Health Data (Special Category): medical history, current medications, allergies, blood test results, health questionnaire answers, clinical notes
• Transaction Data: payment records, order history. We do not store credit or debit card details.
• Technical Data: IP address, device type, browser version, cookies, login timestamps
• Communication Data: emails, SMS messages, consent forms, feedback, complaints
• Appointment Data: booking date and time, collection method, consultation type
• Audit Log Data: access logs, login activity, two-factor authentication records

4. Lawful Basis for Processing

We process your data under the following lawful bases:

• Contract: To deliver the blood tests, consultations, results, and referrals you have ordered from us.
• Legal Obligation: To comply with regulatory duties including CQC, GMC, safeguarding obligations, and notifiable disease reporting to the UK Health Security Agency (UKHSA).
• Legitimate Interest: For service improvement, cybersecurity, fraud prevention, and system maintenance, where our interests do not override your rights.
• Consent: For optional activities such as marketing emails, or sharing your data with third parties not essential to your care. You may withdraw consent at any time.
• Provision of Healthcare (Article 9(2)(h)): To process special category health data for medical diagnosis and treatment under the management of a registered health professional.

5. How We Use Your Information

We use your personal data to:

• Deliver medical consultations and health assessments
• Arrange and process blood tests via our laboratory partners
• Provide you with your blood test results and clinical commentary
• Prescribe medications where clinically appropriate
• Maintain accurate clinical records
• Respond to your queries, complaints, or clinical concerns
• Send essential transactional communications (appointment confirmations, result notifications, 2FA codes)
• Ensure compliance with legal, clinical, and regulatory standards
• Report notifiable diseases to the UK Health Security Agency (UKHSA) where required by law

6. Who We Share Your Data With

We share your data only when necessary and with appropriate safeguards in place:

• Inuvi Laboratories (Data Processor): Processing of laboratory blood test orders, hosted on AWS UK infrastructure.
• Registered UK Pharmacies, e.g. SignatureRx (Independent Data Controller): Dispensing of prescribed medications.
• Superdrug Clinics (Data Processor): Venous blood sample collection at clinic locations.
• Amazon Web Services (Data Processor): UK-based (London region) website hosting, member portal and encrypted data storage.
• Trustpilot A/S (Independent Data Controller): We invite and display independent customer reviews via Trustpilot. If you choose to leave a review, Trustpilot processes the information you submit under its own terms and privacy policy. Its review widget loads on our website only after you accept non-essential cookies.
• Google (Data Processor): Website analytics (Google Analytics 4) and advertising measurement (Google Ads). These run only after you opt in to non-essential cookies; Google Ads operates under Google Consent Mode, so no advertising cookies are set before you consent.
• Meta Platforms (Data Processor): Advertising measurement (Meta Pixel) for our Facebook and Instagram advertising. This runs only after you opt in to non-essential cookies.
• CQC, GMC, UKHSA, Safeguarding Teams: Regulatory obligations and notifiable disease reporting, as required by law.

We do not sell your data. We do not use your data for profiling or automated marketing without your explicit consent.

7. Security Measures

We take the security of your personal data seriously and apply the following safeguards:

• Encryption of data in storage and in transit
• Role-based access controls ensuring staff only access data relevant to their role
• UK-based, GDPR-compliant cloud infrastructure
• Two-factor authentication (2FA) for all member portal logins
• Regular audit logging of access to clinical records
• Regular cybersecurity reviews and data protection training for all staff
• Secure disposal of data in accordance with UK GDPR and the Data Protection Act 2018

8. Data Retention

We retain your data only for as long as necessary, in line with the UK GDPR storage limitation principle and recognised clinical record-keeping standards:

• Adult clinical records: minimum 8 years from last contact
• Financial and transaction records: 6 years
• Security and audit logs (sign-in, account and access events, and records of actions taken on your data): up to 2 years
• Operational and diagnostic logs (technical records used to run and troubleshoot the service): up to 90 days

After the applicable retention period, data is securely deleted or irreversibly anonymised. We review retained data regularly to ensure it is still necessary.

9. Your Rights

Under UK GDPR, you have the following rights in relation to your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure: Request deletion of your data where there is no ongoing legal or clinical reason for retention.
• Restriction: Request we limit how we process your data in certain circumstances.
• Objection: Object to processing based on legitimate interests.
• Portability: Receive your data in a structured, machine-readable format.
• Withdraw Consent: For any processing based on consent (e.g. marketing), you may withdraw at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, please contact us at enquiries@brooksbymedical.com. We will respond within one calendar month.

If you are not satisfied with our response, you may complain to the Information Commissioner's Office (ICO): www.ico.org.uk / 0303 123 1113.

10. Cookies and Analytics

Our website uses essential cookies required for site functionality, member login, and security. These are always active.

With your consent, we also use non-essential cookies for analytics and advertising measurement (Google Analytics, Google Ads and the Meta Pixel) and to display the Trustpilot review widget. None of these load or set a cookie until you opt in via our cookie banner. Google Ads operates under Google Consent Mode, so it sets no advertising cookies before you consent.

You can accept or reject non-essential cookies via our cookie banner and change your choice at any time. You can also manage cookies through your browser settings. Disabling essential cookies may affect your ability to use our secure member portal.

11. International Data Transfers

We primarily process and store your data within the United Kingdom. Some of the third-party providers we use (for example Google, Meta or Trustpilot) may process limited data outside the UK. Where they do, we rely on the GDPR-compliant transfer safeguards those providers maintain as part of their standard data-processing terms — such as their certification under the UK Extension to the EU–US Data Privacy Framework, Standard Contractual Clauses incorporated into their terms, or processing in countries covered by UK adequacy regulations.

We will not transfer your personal data to any country that does not provide adequate protection for your rights without appropriate safeguards.

12. Children's Privacy

We do not offer services to individuals under 18 years of age. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly.

13. Use of AI-Assisted Tools

We may use AI-assisted tools (such as Heidi) to support the clinical note-taking process during consultations. Patients are informed before or during the consultation and may decline the use of AI. All AI-generated notes are reviewed and confirmed by the treating clinician before being added to your medical record.

No solely automated decisions with legal or significant effects are made about you. All clinical outputs are reviewed by a registered clinician before being communicated to you.

14. SMS Communications

Brooksby Medical uses SMS messaging for essential, transactional communications including:

• Two-factor authentication codes for secure login
• Appointment confirmations and reminders
• Notifications that test results are available

These messages form part of our secure service delivery. Patients provide a mobile phone number at registration and consent to receive these essential communications. Opting out of transactional SMS will prevent access to secure services such as login and result retrieval.

For non-essential communications such as marketing or service updates, you may opt out at any time by contacting us or updating your communication preferences.

15. Research and Development

We may use anonymised and aggregated data (from which you cannot be identified) for the purposes of service improvement, statistical analysis, and healthcare research. This data is stripped of all personally identifiable information before use.

We will never use your identifiable health data for research purposes without your explicit consent.

16. Third-Party Links

Our website may contain links to third-party websites or services. We are not responsible for the privacy practices or content of those external sites. We encourage you to read the privacy policy of any website you visit.

17. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will notify the ICO within 72 hours of becoming aware of the breach, in accordance with UK GDPR Article 33. Where the breach is likely to result in a high risk to you, we will also notify you directly without undue delay, explaining the nature of the breach and the steps we are taking.

18. Updates to This Policy

We review this policy at least annually or upon any significant change to our services, data processing activities, or applicable legislation. The date of the most recent update is shown at the top of this document.

Any changes take effect as soon as the updated policy is published on this page, so we encourage you to review it periodically. Where a change materially affects how we use your personal data, we will take reasonable steps to make it prominent on our website.

19. Contact Us

• Brooksby Medical Ltd
• Email: enquiries@brooksbymedical.com
• Phone: 01664 434741
• Data Protection Officer: Glen Mansbridge — glen@gdpr-guru.co.uk