1. Who We Are
Arlington Health Limited ("Arlington Health", "we", "us", "our") is registered in England and Wales (Company No. 16943772). Our registered address and principal place of practice is:
Bollin Clinic, 33 Stamford Green, Altrincham WA14 1ES
+44 (0) 161 234 5678 · info@arlingtonhealth.co.uk
We are registered with the Information Commissioner's Office (ICO) under registration number ZA987654 as a data controller for the personal data we process.
2. Information We Collect
We collect and process the following categories of personal data:
- Identity and contact data: Full name, date of birth, address, phone number and email address.
- Special category health data: Medical history, current symptoms, diagnoses, prescribed medications, test results, clinical notes and treatment records.
- Financial data: Payment card details (processed securely via our payment provider — we do not store full card numbers), billing address and transaction history.
- Communication data: Information you provide when booking appointments, completing forms, sending emails or calling our clinic.
- Technical data: IP address, browser type and version, and pages visited when using our website (essential session cookies only — see Section 8).
We do not collect data from children under 16 without verified parental or guardian consent.
3. How We Use Your Information
We use your personal data for the following purposes:
- To provide, manage and coordinate your healthcare services, including consultations, investigations and referrals.
- To communicate with you about appointments, test results and follow-up care.
- To process payments for services rendered.
- To comply with our legal and regulatory obligations, including CQC registration requirements.
- To respond to enquiries submitted via our website contact form.
- Where you have given explicit consent, to send service-related communications by email or SMS.
- To improve the quality and safety of our services.
We will never sell your personal data to third parties or use it for unrelated commercial purposes.
4. Legal Basis for Processing
We rely on the following legal bases under UK GDPR:
- Consent (Article 6(1)(a)): For marketing communications and non-essential data processing where you have explicitly opted in.
- Contract (Article 6(1)(b)): For processing necessary to provide healthcare services you have requested and agreed to receive.
- Legal obligation (Article 6(1)(c)): For processing required to meet our regulatory and legal duties.
- Vital interests (Article 6(1)(d)): In circumstances where processing is necessary to protect life.
- Special category health data (Article 9(2)(h)): Processed for the purposes of preventive or occupational medicine, medical diagnosis, provision of health or social care, and management of health systems, under the responsibility of a registered health professional bound by a professional obligation of confidentiality.
5. Data Sharing
We may share your personal data only in the following limited circumstances:
- Referred specialists and laboratories: Where you consent to a referral or investigation, relevant clinical information will be shared with the receiving clinician or laboratory.
- Your NHS GP: Where you consent, we will send a summary of our consultation to your registered NHS GP to ensure continuity of care.
- Insurance companies: Only with your explicit written consent, for the purpose of insurance claims or medical reports you have requested.
- Legal and regulatory authorities: Where required by law, court order, or regulatory body (including the CQC, GMC, or MHRA).
- IT and software providers: Our clinical system and secure data storage providers, bound by data processing agreements under UK GDPR.
All data remains within the UK. We do not transfer personal data outside the United Kingdom or European Economic Area.
6. Data Retention
We retain your data only for as long as necessary for the purpose it was collected, subject to legal and regulatory requirements:
- Medical records: Retained for a minimum of 10 years from the date of the last entry, in accordance with the NHS Records Management Code of Practice 2021 and GMC guidance.
- Children's records: Retained until the patient's 25th birthday, or 26th if the young person was 17 at the conclusion of treatment.
- Financial records: Retained for 7 years in accordance with HMRC requirements.
- Contact and enquiry data: Retained for 2 years from last contact, unless you become a patient.
- Website technical data: Session data deleted at the end of your browser session.
At the end of the applicable retention period, data is securely deleted or anonymised.
7. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data:
| Right | What it means |
|---|---|
| Access | Request a copy of the personal data we hold about you (Subject Access Request). |
| Correction | Request that inaccurate or incomplete data is corrected. |
| Erasure | Request deletion of your data where there is no compelling reason for its continued processing. Note: clinical records are subject to mandatory retention periods. |
| Restriction | Request that processing of your data is restricted in certain circumstances. |
| Portability | Request a copy of your data in a structured, machine-readable format. |
| Objection | Object to processing based on legitimate interests or for direct marketing. |
| Withdraw consent | Withdraw any consent you have given at any time, without affecting the lawfulness of prior processing. |
To exercise any of these rights, contact us at info@arlingtonhealth.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the ICO at ico.org.uk.
8. Cookies
Our website uses only essential session cookies required for form functionality. We do not use:
- Third-party tracking or advertising cookies.
- Analytics cookies that track individual visitors across sessions.
- Social media tracking pixels.
Essential session cookies are deleted automatically when you close your browser. You can disable cookies in your browser settings, though this may affect form functionality on the site.
9. Security
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, destruction or alteration, including:
- All patient data stored in encrypted UK-based data centres.
- Access controls limiting data access to authorised clinical and administrative staff only.
- SSL/TLS encryption for all data transmitted via our website and communication systems.
- Regular security reviews and staff training on data protection obligations.
In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO within 72 hours and inform affected individuals without undue delay.
10. Contact & Data Protection Officer
If you have any questions about this privacy policy, how we handle your data, or wish to exercise your rights, please contact our Data Protection Officer:
Data Protection Officer
Arlington Health Limited
Bollin Clinic, 33 Stamford Green, Altrincham WA14 1ES
info@arlingtonhealth.co.uk
+44 (0) 161 234 5678
If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):
ico.org.uk/make-a-complaint · 0303 123 1113
This policy was last reviewed in January 2026. We may update it from time to time — the current version will always be published at this URL. Continued use of our services after an update constitutes acceptance of the revised policy.