Skip to content

Draft document — pending legal sign-off

This document must be reviewed and approved by a qualified solicitor or GDPR specialist before publication. Do not share this page publicly until written sign-off is confirmed. Once received, untick “Show draft warning banner” in Sanity Studio to remove this notice.

Legal

Clinical Privacy & Cookie Policy

How Innate Healthcare collects, uses, stores and protects your personal and clinical data. Prepared in compliance with UK GDPR, the Data Protection Act 2018, and the common law duty of confidentiality.

Last updated: 1 May 2026

Data controller

Innate Healthcare Ltd is the data controller for the personal data described in this notice.

  • Company number: [REPLACE WITH COMPANIES HOUSE NUMBER]
  • ICO registration number: [REPLACE WITH ICO REFERENCE — register at ico.org.uk]
  • Registered address: 120 Union Street, Oldham, OL1 1DU
  • Contact for data matters: hello@innatehealthcare.co.uk

What data we collect

Personal data

  • Name, date of birth, address, telephone number, email address
  • GP details and emergency contact
  • Appointment history and correspondence
  • Payment information (processed via our payment provider; we do not store card numbers)

Special category data (clinical)

  • Medical history, current medications, relevant past treatments
  • Clinical assessment findings, treatment notes and progress records
  • Referral letters and diagnostic reports where provided
  • Information about lifestyle, occupation and physical activity relevant to care

We process your data on the following legal bases:

  • Contract (UK GDPR Art. 6(1)(b)): processing necessary to provide the healthcare services you have requested.
  • Legal obligation (Art. 6(1)(c)): for example, to comply with CQC regulations, tax law, or a court order.
  • Legitimate interests (Art. 6(1)(f)): improving our services, fraud prevention, and direct communications about your care.
  • Explicit consent (Art. 6(1)(a) + Art. 9(2)(a)): for certain research or marketing uses where we ask for your permission.
  • Healthcare purposes (Art. 9(2)(h)): processing special category clinical data for preventive or occupational medicine, medical diagnosis, and the provision or management of health services.

Data retention

  • Adult patient records: 8 years from last contact (NHS Records Management Code)
  • Children's records: until the patient's 25th birthday, or 26th if treatment ended when aged 17
  • Deceased patients: 8 years from date of death
  • Financial records: 7 years (HMRC requirement)
  • CCTV footage (if applicable): 31 days

Sharing your data

We will not sell or share your data for marketing purposes. We may share data with:

  • Your GP or other treating clinicians, with your knowledge, to coordinate your care
  • Our IT and booking system suppliers (Cliniko) under data processing agreements
  • HMRC or other regulatory bodies where legally required
  • CQC inspectors under their statutory powers

Where data is transferred outside the UK, we ensure adequate safeguards are in place.

Your rights

Under UK GDPR you have the right to:

  • Access your personal data (Subject Access Request)
  • Rectify inaccurate data
  • Erase data (where no legal basis for retention exists)
  • Restrict processing
  • Data portability (in a structured, machine-readable format)
  • Object to processing based on legitimate interests
  • Withdraw consent at any time (without affecting the lawfulness of prior processing)

To exercise any right, contact us at hello@innatehealthcare.co.uk. We will respond within one month.

Complaints about data use

If you have a concern about how we handle your data, you can contact the Information Commissioner's Office (ICO):

Cookies

Please see our separate Cookie Policy for full details of the cookies we use. In summary:

  • Essential cookies: required for the site to function
  • Analytics cookies (Google Analytics via Stape): only active if you consent
  • Booking cookies (Cliniko): active when you use the online booking form

You can manage your cookie preferences at any time using the Manage Cookies link in the footer.

This document was drafted as a starting point and must be reviewed and approved by a qualified solicitor or GDPR specialist before publication. Do not publish without written legal sign-off.