Privacy Policy

Last updated: 08/09/2025

1. Our Commitment to Protecting Your Personal Data

At Harley Weight Loss Clinic, we are strongly committed to respecting and protecting your privacy. Part of our commitment is being transparent with you about how we process your personal data. This Privacy Policy (the “Policy”) aims to do just that.

Within this policy we explain:

  • Who we are and how to contact us
  • What personal data we collect about you, and how we collect it
  • Why we process your personal data (our purposes), and the lawful bases for doing so
  • Who we share your data with, how long we retain your data for, and any transfers that take place
  • What you can do (your rights) in relation to how we use your data and who to contact if you have any concerns

We endeavour to implement and maintain the highest standards regarding data protection and adopt policies in line with the highest level of compliance. As such, we align to the Data Protection Act 2018 (“DPA 2018”), the UK General Data Protection Regulation (“UK GDPR”), and the Privacy in Electronic Communication Regulations (“PECR 2003”) to handle your personal data in certain ways.

When we use the term “personal data” we mean any information that can be used to identify you as an individual, directly or indirectly.

2. About Us

We are Harley Street Specialist Hospital (London) Ltd. (“we”/“us”), trading as Harley Weight Loss Clinic. We are registered in England and Wales under company number 10006100. We are also registered with the Information Commissioner’s Office (“ICO”) under registration number ZB727254.

Our registered office is located at: Harley Street Specialist Hospital (London) Ltd, 18-22 Queen Anne Street, London, W1G 8HU.

Our Services

When you become a patient of Harley Weight Loss Clinic, you are likely to use one of our services, each designed to ensure that you enjoy your experience with us. These include:

  • Our website at www.harleyweightlossclinic.co.uk
  • Our weight management consultations (in-person and video)
  • Our prescription services for weight management medications
  • Our health coaching and ongoing support services
  • Our body composition analysis and monitoring services
  • Our dietary and lifestyle consultation services

3. Our Data Protection Officer and How to Contact Us

We have appointed a Data Protection Officer (“DPO”) to govern how we use your data and how to protect it.

If you need to contact the DPO, they can be reached directly via email at support@harleyweightlossclinic.co.uk.

They can also be reached by post. If you wish to contact the DPO in this way, please label correspondence ‘for the attention of the Data Protection Officer’ using the postal address above.

If you wish to make a telephone call to us, please contact our patient care team on +44 (0)20 4513 2244.

If you have any concerns regarding how we process your personal data we’d like the opportunity to address them in the first instance. If this is the case, please contact us via support@harleyweightlossclinic.co.uk.

If you feel that we have not addressed your concerns, you have a legal right to contact the Information Commissioner’s Office (ICO). The ICO is the UK’s independent data protection regulator, and you can get more information or raise a complaint on their website at https://ico.org.uk/make-a-complaint/.

If you are based outside of the United Kingdom, please contact your local regulatory authority responsible for data protection.

4. Changes to This Privacy Notice

This privacy policy was last updated on 01/09/2025. Historical versions can be provided by contacting us at support@harleyweightlossclinic.co.uk.

To make sure we can provide you with the best service, it’s important that we keep your personal details accurate and up to date. If any of your information changes, please let us know by emailing us at support@harleyweightlossclinic.co.uk.

We may update this Privacy Policy from time to time. Updates will be posted on our website, and your continued use implies acknowledgement of any changes. We will notify you of significant changes by email where appropriate.

5. Our Lawful Bases for Processing Your Data

When we process your data, we do it in a lawful manner. Under the UK GDPR, this means we use one or more of the following lawful bases:

  • Your consent (“Consent”)
  • When you undertake a contract with us (“Contract”)
  • When it is necessary for us to comply with a law or regulation (“Legal Obligation”)
  • When we process information to provide a service or improve our business (“Legitimate Interest”)
  • In rare cases where we are asked to process information in the public interest (“Public Interest”)
  • In extremely rare cases, we may need to process your information in order to protect life (“Vital Interests”)

     

When we need to process special category data (e.g., health information, biometric information, or data revealing racial or ethnic origin), we will only do so if we have a further lawful basis to do so, such as your explicit consent (“Explicit Consent”).

When we use Legitimate Interests as a lawful basis, this means we weigh privacy rights against the Legitimate Interests of the business for a particular activity. If we rely on our (or a third party’s) Legitimate Interests, these interests will normally be to:

  • Operate, provide and improve our business, including our website
  • Communicate with you and respond to your questions
  • Improve our website or use the insights to improve or develop marketing activities and promote our products and services
  • Detect or prevent illegal activities (for example, fraud) and/or to manage the security of our IT infrastructure, and the safety and security of our employees, patients, vendors and visitors


Where we require your data to pursue our legitimate interests or the legitimate interests of a third party, it will be in a way which is reasonable for you to expect as part of the running of our business, and which does not materially affect your rights and freedoms.

6. Personal Data We May Collect About You

If you are a patient of Harley Weight Loss Clinic, we may collect and use (“process”) certain information about you: your “personal data” and what is called “special category” data.

Personal Data

Personal data is any information that can be used to identify you. This includes your:

  • Identity Information: Name, surname, title, date of birth, gender
  • Contact Information: Email address, telephone number, postal address
  • Financial Information: Payment card details, billing information
  • Technical Information: IP address, browser type and version, device information, operating system
  • Usage Data: How you use our website, pages visited, time spent on pages
  • Marketing Data: Your preferences in receiving marketing from us and third parties
 

When you enter into a contract with us we may use ‘Legal Obligation’ as a lawful basis. When we use Legal Obligation, we mean that in order to provide healthcare services, we require certain personal data, for example to:

  • Confirm your identity (to ensure we are providing healthcare to the right person)
  • Assess your suitability for weight management medication
  • Monitor your health and treatment progress
  • Manage side effects and ensure patient safety
  • Comply with regulatory requirements
 

Our Legal Obligations in relation to the above include but are not limited to requirements set by the Care Quality Commission (CQC), Medicines and Healthcare Products Regulatory Agency (MHRA), the Health and Social Care Act 2008, and the Human Medicines Regulations 2012 (HMR 2012). Unfortunately, if you do not provide this information, you may not be able to use our services.

Special Category Data

Special category data is information about you that is more sensitive. We have further protections in place for this category of personal data.

Special category data we process about you may include:

  • Health Information: Your physical and mental health, medical history, current medications, weight history, body measurements, responses to health questionnaires, treatment progress, side effects experienced
  • Image Data: Body composition scans, progress photos (if consented), CCTV if you visit our clinic, images of formal identification
  • GP Information: Details about your continued care by other health professionals or your GP
  • Race/Ethnicity Data: Details about your race or ethnic background (where relevant to treatment)
  • Biometric Information: Details contained within formal identification documents
  • Disability Information: Details regarding any disability you may have
  • Language Preferences: Your preferred language for communication
 

You must be at least 18 years old to use our services and provide us with your data. We do not knowingly collect information from children.

7. How We Collect Your Information

If you use our services or are a patient, we may collect information about you in a number of ways, including:

Directly from you when you:

  • Register for an account on our website
  • Complete our weight management health questionnaire
  • Attend consultations (in-person or video)
  • Contact us via email, phone, or live chat
  • Purchase services or products through our website
  • Provide us with formal identification information
  • Participate in surveys or provide feedback
  • Make a claim or complaint
  • Subscribe to our newsletter or marketing communications

From our website, such as:

  • Marketing and communications preferences
  • Cookie preferences and consent
  • Contact and identity data
  • Technical data (IP address, browser information)
  • Usage data (pages visited, time on site)

We process all such data in accordance with this policy. Certain data must be provided to us so that we can fulfil your request (for example, to provide medical consultations or dispense medications), and we make this clear to you at the point of collecting the data.

Some information is collected using cookies and similar tracking technologies. If you want to find out more about the types of cookies we use, why we use them, and how you can control them, please see our Cookie Policy.

Data we receive from others

We work with third party identification verification providers to confirm your identity, who in turn may use credit reference agencies and the electoral register to verify identity.

We may also receive data about you from our third-party service providers, including our payment service providers and our analytic service providers.

As our business relies on collaboration with third parties such as our prescribers, pharmacies, and laboratory testing companies, we may also receive information about you from them.

8. The Purposes for Which We Use Your Data

When you use our website:

| Activity | Purpose of Processing | Data We Collect | Lawful Basis |
|---|---|---|---|
| When you register with us or book a consultation | To create your account and manage your booking | Email address, phone number, contact address, name | Legitimate Interest, Contract |
| When you use our website (marketing) | To market our weight management services | Email address, phone number, contact address | Consent (soft opt-in exemption) |
| When you use our website (analytics) | To improve our website and services | Pages visited, time spent, user behavior | Consent |
| Website functionality | To ensure effective customer service and technical support | IP address, browser type, operating system, pages visited | Legitimate Interest |
| Identity verification | For patient safety, accuracy and fraud prevention | Date of birth, contact details, formal identification | Legal Obligation |

When you answer our health questionnaire or take part in consultations:

| Activity | Purpose of Processing | Data We Collect | Lawful Basis |
|---|---|---|---|
| Health questionnaire | To assess your suitability for weight management treatment | Weight, height, existing health conditions, medication history, lifestyle factors | Legal Obligation, Explicit Consent |
| Medical consultations | To provide appropriate medical care and treatment | Health information, medical history, current medications, treatment responses | Legal Obligation, Explicit Consent, Provision of health and social care |
| Weight monitoring | To track treatment progress and effectiveness | Weight measurements, body composition data, progress photos | Contract, Explicit Consent, Provision of health and social care |
| Laboratory tests | To undertake diagnostics when clinically necessary | Blood samples, test results, contact details | Contract, Explicit Consent, Provision of health and social care |

When you subscribe or make transactions:

| Activity | Purpose of Processing | Data We Collect | Lawful Basis |
|---|---|---|---|
| Account setup | To provide you with our services | Email, name, phone number, postal address | Consent, Legitimate Interest |
| Payment processing | To complete transactions for services | Payment card information, bank account details | Contract, Legitimate Interest, Legal Obligation |
| Service communications | To provide important information about your treatment | Email, name, phone number, postal address | Contract, Legitimate Interest |
| Marketing communications | To inform you about our services and offers | Email, name, phone number, postal address | Consent (soft opt-in exemption) |
| Feedback requests | To improve our services | Email, name, feedback responses | Legitimate Interest |

When you contact our Patient Care team:

| Activity | Purpose of Processing | Data We Collect | Lawful Basis |
|---|---|---|---|
| Queries and complaints | To manage and resolve issues and improve services | Email, name, contact details, call recordings | Contract, Legitimate Interest |
| Identity verification | To ensure accuracy and prevent fraud | Date of birth, contact details, formal identification | Legitimate Interest, Legal Obligation |

9. Third Parties with Whom We Share Your Data

Our business relies on collaboration with third parties to provide our services to you. Each third party provides an element of our services, for example, IT and cloud services, prescriptions, delivery, diagnostics, or marketing services.

For all third parties we use, we undertake data protection and information security due diligence prior to sharing any personal information. We also have contracts in place with specific data processing and sharing clauses to ensure that third parties process shared data strictly for the purposes we have instructed them to, in lawful ways that we expect.

Third parties we may share your personal information with include:
Healthcare Service Providers:
  • Qualified prescribers and healthcare professionals
  • Registered pharmacies for prescription fulfillment
  • Laboratory testing companies
  • Medical device and equipment providers

Operational Service Providers:
  • Payment processing companies
  • Delivery and courier services
  • Address and identification verification companies
  • Customer service and communication platforms
  • IT and cloud service providers

Business and Professional Services:
  • Marketing and analytics service providers
  • Professional advisors (auditors, accountants, lawyers)
  • Insurance providers
  • Website hosting and technical support providers

Legal and Regulatory:
  • Regulatory authorities (CQC, MHRA, GMC, GPhC)
  • Courts, governments, and law enforcement authorities
  • Emergency services (when necessary for patient safety)
  • Any entity who may acquire us or part of our business

10. International Data Transfers

Almost all data we collect about you is stored and processed in the UK or EEA. However, from time to time, it may be necessary to transfer your data outside of these areas to deliver our services.

Where your data is transferred outside the UK or the EEA, it will only be transferred where adequate safeguards can be applied, including:

  • For transfers between the UK, EEA and countries with adequacy decisions: We safeguard transfers through implementing Standard Contractual Clauses (“SCCs”)
  • For transfers between the UK and US: We safeguard transfers through implementing the UK-US Privacy Framework, or SCCs
  • For third country transfers: We use SCCs with the UK International Data Transfer Addendum (“IDTA”)
 

Further information on SCCs + IDTA can be found at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/

Further information on the UK-US Privacy Framework can be found at: https://www.gov.uk/government/publications/uk-us-data-bridge-supporting-documents/

When you contact our Patient Care team, some data may be hosted in the United States through service providers who are signatories to appropriate privacy frameworks.

If you would like to receive a copy of the safeguards we have in place in relation to international transfers, please email support@harleyweightlossclinic.co.uk.

11. How Long We Keep Your Information For

We keep your personal data only for as long as it is needed:

  • To provide you with our service
  • For legitimate business purposes, such as providing you with medical information or prescriptions, maintaining the performance of our website, making data-driven business decisions about new features and offerings, and resolving disputes
  • To comply with our legal obligations
 

We keep your personal data for a set amount of time – this is called a ‘retention period’. Retention periods are set by our retention and records management policy and retention schedule.

We also set our retention periods according to statutory or industry standards. For example:

  • Health records: 10 years after you stop using our services, in line with Care Quality Commission (CQC) and NHS retention guidelines
  • Pharmacy records: 2 years from end of financial year, in line with CQC guidelines
  • Financial records: 7 years for tax and accounting purposes
  • Marketing data: Until you withdraw consent or 7 years, whichever is sooner
  • Website analytics: 26 months from collection
 

Once retention periods are met, we destroy, anonymise or archive data according to our schedule. However, there are some exceptions to this, including:

  • If there is an unresolved issue relating to your account, such as an outstanding payment or unresolved complaint
  • Where we need to retain the personal data for our legal, tax, audit, and accounting obligations
  • Where necessary for our legitimate business interests such as fraud prevention or to maintain the security of our users

12. Your Rights in Relation to Your Personal Data

We strongly believe in the fair and transparent processing of your personal data and as such, we need to make you aware that you have rights under data protection law. These are called your ‘Individual Rights’, and include:

Your Right of Access

You have the right to ask us for copies of your personal information. This right always applies. However, there are some exemptions, which means you may not always receive all the information we process, for example, other people’s personal information, or information that is commercially sensitive.

Your Right to Rectification

You have the right to ask us to rectify (correct) information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete. This right always applies.

Your Right to be Forgotten (Erasure)

You have the right to ask us to erase your personal information in certain circumstances. While we will do our best to erase your personal data where we can, the right to be forgotten is not an absolute right – this is because we may need to keep certain elements of your information for legal obligations or other legitimate purposes. However, we will tell you if this is the case.

Your Right to Restrict Processing

You have the right to ask us to restrict the processing of your information in certain circumstances.

Your Right to Object to Processing

You have the right to object to the processing of your personal information in certain circumstances if you believe our processing impacts on your rights and freedoms and where we use either consent or legitimate interests. If we are processing on the basis of consent you can also withdraw your consent at any time.

Your Right to Data Portability

You can request that we transfer your data to another service provider, or to you. This right applies if you initially provided consent for us to use the data, or if the data was processed under a contract or in talks about entering into one, and the processing is automated.

Your Right Not to be Subject to Automated Decision-Making

You have a right not to be subject to automated decision-making, including profiling, where such processing produces legal effects or similarly significantly affects you.

Exercising Your Rights

Please contact us at support@harleyweightlossclinic.co.uk, by post or over the phone if you wish to make a request. We will respond to your request without undue delay, and always endeavour to complete requests within one calendar month.

Please note that not all rights are absolute. For example, where we are required to process your data as part of a legal obligation, we may be required to maintain this information.

We won’t charge for exercising your rights. However, we do reserve the right to charge an administrative fee if your request is deemed to be manifestly unfounded or excessive.

For more information about your rights, we encourage you to visit the ICO’s relevant site at: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/individual-rights/

13. Data Security

We implement physical, technical, and organisational measures to protect your information against unauthorised access, disclosure, alteration, and destruction. Our security measures include:

Technical Safeguards:
  • Encryption of data in transit and at rest
  • Secure servers and networks with regular security updates
  • Multi-factor authentication for staff access
  • Regular security audits and penetration testing
  • Secure backup and disaster recovery procedures
 
Organisational Safeguards:
  • Staff training on data protection and security
  • Strict access controls and need-to-know principles
  • Regular review of data processing activities
  • Incident response procedures
  • Data protection impact assessments
 
Physical Safeguards:
  • Secure office premises with controlled access
  • Locked filing cabinets for physical documents
  • Secure disposal of confidential waste
  • CCTV monitoring of premises
 

However, no transmission method over the internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your personal information, we cannot guarantee its absolute security.

In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the ICO within the required timeframes and take immediate steps to mitigate any potential harm.

14. Other Important Information

Children’s Privacy

Harley Weight Loss Clinic is not intended for individuals under 18. We do not knowingly collect personal data from children. If you are under 18, please do not use our services or provide us with any personal information.

External Links

If you click on a link external to our service, please understand that you are leaving our service and we cannot control the privacy practices and content of those third parties. We strongly encourage you to read their privacy policies to understand how they collect and process your personal data.

Password Security

Where we have given you (or where you have chosen) a password which enables you to access certain parts of our online services, you are responsible for keeping this password safe. We encourage you to:

  • Use a strong, unique password
  • Not share your password with anyone
  • Change your password regularly
  • Use three random but memorable words with numbers and symbols
 

For more information on password security, visit: https://www.ncsc.gov.uk/collection/top-tips-for-staying-secure-online/three-random-words

Changes to Our Business

In the event of a merger, acquisition, or sale of all or part of our business, your personal information may be transferred to the new owner. We will notify you of any such change and ensure that your data continues to be protected under the same standards.

Legal Compliance

This Privacy Policy is governed by English law. If any provision is held invalid or unenforceable, the remaining provisions shall remain in full force and effect.

Contact Us

For questions or concerns regarding our privacy practices, please contact us:

Data Protection Officer
Email: support@harleyweightlossclinic.co.uk
Phone: +44 (0)20 4513 2244
Post: Harley Street Specialist Hospital (London) Ltd
18-22 Queen Anne Street, London, W1G 8HU

General Enquiries
Email: support@harleyweightlossclinic.co.uk
Phone: +44 (0)20 4513 2244

This Privacy Policy is effective from 01/09/2025.