The Wellness Limited
Effective Date: January 2025
Last Updated: January 2025
This Privacy Policy ("Policy") constitutes a legally binding agreement between you and The Wellness Limited (Company No. [NUMBER]) ("The Wellness," "Company," "we," "us," or "our"). By accessing, using, or continuing to use our Services in any manner, you expressly acknowledge and agree that you have read, understood, and consent to all terms herein. If you do not agree to this Policy in its entirety, you must immediately discontinue all use of our Services.
For the purposes of this Policy, "Services" means all services provided by The Wellness including but not limited to our website (thewellnesslondon.com), all subdomains, mobile applications, online questionnaires, health assessments, treatment services, consultation services, wellness programs, and any related communications or interactions. "Personal Data" means any information relating to an identified or identifiable natural person as defined under UK GDPR. "Special Category Data" means personal data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data, health data, or data concerning sex life or sexual orientation. "Processing" means any operation performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction. "Data Incident" means any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data.
In interpreting this Policy, references to statutes include all amendments, replacements, and re-enactments. Headings are for convenience only and shall not affect interpretation. The singular includes the plural and vice versa. Any phrase introduced by "including," "include," "in particular," or similar expression shall be illustrative and not limiting.
The Wellness Limited, a company incorporated under the laws of England and Wales, with registered office at Unit 4, 10 Portman Square, W1H 6AZ, London, UK, is the primary data controller for Personal Data processed under this Policy. We reserve the absolute right to appoint, replace, or engage additional data controllers, joint controllers, or processors as necessary for business operations. Any such appointments will be governed by appropriate data processing agreements as required by law.
This Policy applies to all Processing of Personal Data of individuals physically present in the UK, regardless of nationality or residence, and to Processing carried out in connection with our establishment in the UK, related to offering goods or services to individuals in the UK, or related to monitoring the behaviour of individuals in the UK. The Policy applies to all Processing of Personal Data wholly or partly by automated means and to manual Processing forming part of a filing system.
This Policy does not apply to anonymous data that cannot be linked to an identifiable individual, Personal Data processed by individuals for purely personal or household activities, or deceased persons' data, which is governed by separate policies where applicable.
We collect Personal Data that you provide directly to us, including basic personal information such as your full legal name, preferred name, title, date of birth, age, gender identity, contact details including multiple email addresses, phone numbers, and postal addresses, emergency contact information, nationality, residency status, preferred language and communication preferences.
When you engage with our health and wellness services, we collect Special Category Data including comprehensive medical history. This encompasses current and historical diagnoses, medications both prescription and over-the-counter, allergies and sensitivities, previous treatments and procedures, family medical history, mental health information, substance use history, sexual and reproductive health data, genetic information where provided, biometric data for health monitoring, lifestyle factors affecting health, treatment goals and preferences, medical practitioner details, and insurance information.
For payment processing, we collect financial information including payment card details, which are processed through PCI-DSS compliant providers only, banking information for refunds, billing addresses, transaction history, insurance policy details, and credit references where applicable. We also collect professional information such as occupation and employer details, work-related stress factors, and occupational health requirements. Authentication credentials including usernames and passwords stored in encrypted format, security questions and answers, and multi-factor authentication data are also collected for account security.
We automatically collect technical data including IP addresses and geolocation data, device identifiers such as IMEI and MAC addresses, browser type, version, and settings, operating system and platform, time zone settings and location, browser plug-in types and versions, screen resolution and device capabilities. Our systems gather usage and analytics data including full clickstream data, page response times and download errors, visit duration and frequency, page interaction information, methods used to browse to and from our site, heat mapping and session recording data, and A/B testing participation and results. Cookie data collected includes first-party and third-party cookies, web beacons and pixel tags, local storage data, and session identifiers.
We also receive data from third-party sources. Professional sources provide referrals from healthcare providers, information from insurance companies, and data from partner wellness facilities. From public sources, we may collect publicly available professional registrations, social media profiles where relevant to services, and data from public health databases where permitted. Commercial sources may provide data from credit reference agencies, anti-fraud databases, and marketing data providers with appropriate consent.
We process your Personal Data under various legal bases as prescribed by UK GDPR. For general Personal Data, we rely on consent under Article 6(1)(a) UK GDPR for marketing communications, non-essential cookies, participation in research or surveys, and sharing data with third parties beyond service provision. Contract performance under Article 6(1)(b) UK GDPR justifies our processing for account creation and management, service delivery and appointment scheduling, processing payments and refunds, and customer service communications.
Legal obligations under Article 6(1)(c) UK GDPR require us to process data for tax and accounting requirements, health and safety obligations, regulatory compliance with bodies such as CQC and ICO, and court orders and legal proceedings. We may process data based on vital interests under Article 6(1)(d) UK GDPR in cases of medical emergencies and safeguarding concerns. Public task processing under Article 6(1)(e) UK GDPR applies to public health monitoring where applicable and research in the public interest.
Following careful legitimate interests assessments, we rely on Article 6(1)(f) UK GDPR for fraud prevention and security, network and information security, direct marketing to existing clients, business intelligence and analytics, debt recovery, legal claims management, and group administration and reporting.
For Special Category Data, particularly health data, we process under explicit consent as outlined in Article 9(2)(a) UK GDPR, which serves as our primary basis for health data processing, documented through clear affirmative action and specific to stated purposes. Healthcare provision under Article 9(2)(h) UK GDPR permits processing for preventive or occupational medicine, medical diagnosis, provision of health or social care, and management of health or social care systems. Public health purposes under Article 9(2)(i) UK GDPR may require processing under appropriate safeguards. In situations where you are physically or legally incapable of giving consent, we may process based on vital interests under Article 9(2)(c) UK GDPR.
We process your Personal Data for primary service delivery, which includes conducting health assessments and consultations, developing personalised treatment plans, monitoring treatment progress and outcomes, coordinating care with other healthcare providers, managing appointments and scheduling, and providing aftercare and follow-up services.
Administrative purposes encompass account creation and management, identity verification and fraud prevention, billing, payment processing, and debt collection, insurance claim processing, managing complaints and feedback, and maintaining accurate records. We use your data for communication purposes including service-related notifications, appointment reminders and confirmations, health and wellness information with consent, marketing communications with consent, and surveys and feedback requests.
Business operations require processing for quality assurance and service improvement, staff training and development, business planning and strategy, risk management and insurance, mergers, acquisitions, or business transfers, and regulatory compliance and audit. For research and development, we process data for clinical research with specific consent, service development and innovation, statistical analysis and reporting, and machine learning and AI development using anonymised data.
Legal and compliance purposes include complying with legal obligations, establishing, exercising, or defending legal claims, regulatory reporting and inspection, and safeguarding and protection duties.
We share your Personal Data with carefully selected categories of recipients to deliver our services effectively. Service providers and processors include cloud hosting providers such as AWS and Microsoft Azure, payment processors including Stripe and PayPal, email service providers, analytics providers like Google Analytics and Mixpanel, customer relationship management systems, appointment booking systems, IT support and maintenance providers, and professional advisors including lawyers, accountants, and auditors.
Within the healthcare ecosystem and with appropriate legal basis, we share data with referring healthcare practitioners, specialist consultants, diagnostic laboratories, pharmacies, NHS bodies where required, and private health insurers. Legal and regulatory recipients include courts and tribunals, law enforcement agencies, regulatory bodies such as ICO, CQC, and GMC, government departments, and legal representatives.
Under strict confidentiality agreements, we may share data with business partners including joint venture partners, franchisees or licensees, marketing partners who receive anonymised data only, and research institutions with consent. All data sharing is subject to written data processing agreements, confidentiality obligations, security requirements, limited purpose restrictions, and data minimisation principles. We do not and will not sell, rent, or lease your Personal Data to any third party for monetary consideration. Any data sharing is strictly for the purposes outlined in this Policy.
Where Personal Data is transferred outside the UK, we implement appropriate safeguards. Transfers to countries with UK adequacy decisions require no additional safeguards. For other transfers, we use appropriate safeguards including the UK International Data Transfer Agreement (IDTA), Binding Corporate Rules (BCRs), approved Codes of Conduct, and certification mechanisms.
Limited transfers may occur based on derogations including explicit consent after you have been informed of risks, contract performance, important public interests, legal claims, and vital interests. We conduct and document Transfer Impact Assessments for all international transfers, considering laws and practices in the destination country, technical and organisational measures, and supplementary measures where required.
Personal Data is retained based on legal requirements, limitation periods for legal claims, professional indemnity requirements, and legitimate business needs. Adult health records are retained for 8 years from last treatment, while children's health records are kept until their 25th birthday or 8 years after last treatment, whichever is longer. Records of deceased patients are maintained for 8 years from date of death.
Financial records including transaction records are kept for 7 years to meet HMRC requirements, while anti-money laundering records are retained for 5 years. Employment records are maintained for 6 years from termination, with work-related accident records kept for 12 years. Marketing consents are reviewed every 2 years, with inactive contacts suppressed after 3 years. CCTV footage is retained for 30 days unless required for investigation.
Upon expiry of retention periods, we ensure secure disposal: electronic data is securely overwritten or cryptographically erased, physical records are cross-cut shredded or incinerated, and certificates of destruction are maintained.
You have the right of access through Subject Access Requests, which includes confirmation of whether we process your data, access to your Personal Data, information about processing activities, and a copy of data in intelligible form. We respond within one month, extendable by two months for complex requests. This service is generally free, though we may charge £10 for manifestly unfounded or excessive requests.
Your right to rectification allows for correction of inaccurate Personal Data and completion of incomplete Personal Data, though we may verify accuracy before making changes. The right to erasure or "Right to be Forgotten" is available where data is no longer necessary for original purposes, consent has been withdrawn where consent was the legal basis, there has been successful objection to processing, processing is unlawful, or there is a legal obligation to erase. This right may be refused for legal claims, legal obligations, public health, or archiving in the public interest.
The right to restrict processing is available where accuracy is contested during verification, processing is unlawful, we no longer need data but you need it for legal claims, or an objection is pending during assessment. Data portability rights apply to data provided by you where processing is based on consent or contract and involves automated processing, with data provided in structured, commonly used, machine-readable formats such as CSV or JSON.
You have the right to object to direct marketing absolutely, to processing based on legitimate interests where you must provide compelling grounds, and to research or statistics unless there is a public interest. Regarding automated decision-making, you have the right not to be subject to solely automated decisions with legal or significant effects, though we do not currently use fully automated decision-making.
Consent may be withdrawn at any time without affecting the lawfulness of prior processing, though this may impact service delivery. To exercise your rights, identity verification is required through government-issued ID, proof of address, and additional information if needed. We acknowledge requests within 3 business days and respond within 30 days, which may be extended. Exemptions may apply for legal professional privilege, management forecasting, negotiations, and regulatory functions.
We implement comprehensive technical measures including AES-256 encryption at rest, TLS 1.3 for data in transit, multi-factor authentication, role-based access controls, network segmentation, intrusion detection systems, regular penetration testing, and ISO 27001 aligned practices. Organisational measures encompass data protection by design and default, staff background checks, confidentiality agreements, regular training and awareness, access on a need-to-know basis, clear desk/screen policies, incident response procedures, and business continuity planning.
Physical security includes secured premises with access control, CCTV monitoring, locked filing cabinets, secure disposal procedures, and visitor management. For breach notification, we notify the ICO within 72 hours where required, with documented decision-making for all incidents. Where there is high risk to rights and freedoms, we provide individual notification without undue delay in clear, plain language, explaining the nature of the breach, its likely consequences, and the mitigation measures taken.
While we implement industry-leading security measures, no system is impenetrable. We cannot guarantee absolute security and expressly disclaim liability for breaches caused by sophisticated nation-state actors, zero-day exploits, force majeure events, or your failure to maintain credential security.
We use various types of cookies for different purposes. Essential cookies facilitate session management, security tokens, load balancing, and preference storage. Analytics cookies include Google Analytics, Hotjar, Mixpanel, and custom analytics solutions. Marketing cookies encompass retargeting pixels, conversion tracking, social media integration, and affiliate tracking.
Cookie management features include granular consent management, a cookie preference centre, browser controls information, and explanation of the impact of rejection. Other tracking technologies we employ include web beacons, pixel tags, device fingerprinting, local storage, and ETags.
Our Services are not directed to children under 16. Parental consent is required for users under 16, with verification procedures in place. Parents and guardians may access their child's data, request correction or deletion, withdraw consent, and object to processing. We maintain strict procedures for age verification, safeguarding concerns, mandatory reporting, and staff training.
Our Services may contain links to third-party websites. We are not responsible for the privacy practices of external sites, content on external sites, or security of external sites. Where we integrate third-party services, separate terms may apply, joint controller arrangements are documented, and clear attribution is provided. For social media integration, platform policies apply, public visibility warnings are provided, and we have no control over platform practices.
Marketing preferences include granular consent options, channel preferences for email, SMS, and post, frequency preferences, and easy unsubscribe mechanisms. Legitimate interest marketing to existing clients only covers similar services, applies soft opt-in, and provides clear unsubscribe options. Suppression lists are maintained indefinitely, shared with processors, and regularly updated.
Clinical governance encompasses clinical audit privileges, quality assurance processes, outcome monitoring, and professional supervision. Medical confidentiality is maintained through application of Caldicott principles, maintenance of common law duty, and respect for professional obligations. Access by healthcare professionals requires role-based access, a legitimate relationship, and maintained audit trails. Research uses require ethics approval, specific consent protocols, preference for anonymisation, and publication restrictions.
We conduct assessments for new processing operations, high-risk processing, large-scale Special Category Data processing, and implementation of new technologies. Consultation involves the DPO, stakeholder input, and the ICO where required.
Records of processing are maintained in compliance with Article 30 UK GDPR, documenting categories of processing, purposes, recipients, retention periods, and security measures. Privacy by design principles include data minimisation, purpose limitation, pseudonymisation, transparency, and user control. Training and awareness programs include annual mandatory training, role-specific training, regular updates, and competency testing.
Internal complaints follow a two-stage process. Stage 1 involves the Customer Service Team with response within 5 working days and resolution within 20 working days. Stage 2 provides escalation if unsatisfied through independent review with final response within 40 working days.
You have the right to lodge regulatory complaints with the Information Commissioner's Office at Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, telephone 0303 123 1113, website ico.org.uk. You also have the right to effective judicial remedy against the Company or the ICO.
Personal Data processing is provided "as is" without warranties of any kind, either express or implied. Our healthcare services do not replace professional medical advice, we provide no guarantee of treatment outcomes, individual results vary, and emergency services are not provided. We provide no guarantee of uninterrupted access, compatibility is not guaranteed, and we are dependent on third-party platforms.
To the maximum extent permitted by law, we exclude liability for indirect or consequential losses, loss of profits or revenue, loss of business opportunity, loss of data subject to statutory obligations, and reputational damage. Where liability cannot be excluded, liability for death or personal injury is unlimited, liability for fraud or fraudulent misrepresentation is unlimited, and other claims are limited to fees paid in the preceding 12 months.
We accept no liability for failures due to Acts of God, war, terrorism, civil unrest, pandemic or epidemic, government actions, cyber attacks by state actors, or infrastructure failures beyond our control. You agree to indemnify and hold harmless The Wellness, its officers, directors, employees, and agents from any claims arising from your breach of this Policy, your violation of any law, your violation of third-party rights, inaccurate information you provide, or your negligent or wrongful acts.
This Policy is governed by the laws of England and Wales. The exclusive jurisdiction of English courts applies, subject to mandatory consumer protections. We support Alternative Dispute Resolution mechanisms where appropriate.
We reserve the absolute right to modify this Policy at any time. Notification will be provided through email to registered addresses, website notices, and in-app notifications. Continued use after notification constitutes acceptance. Material adverse changes receive 30 days' notice, with the option to terminate services and data export available.
For all privacy enquiries, contact our Data Protection Team at The Wellness Limited, Unit 4, 10 Portman Square, London W1H 6AZ, United Kingdom. Email privacy@thewellnesslondon.com or telephone +44 (0) 7399 323620 during office hours, Monday to Friday 9:00-17:00 GMT. We acknowledge enquiries within 3 business days, provide substantive responses within 30 days, and may take up to 90 days, with notice, for complex matters. Our preferred contact method is email with "PRIVACY ENQUIRY" in the subject line.
If any provision of this Policy is held invalid or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be replaced with a valid provision that comes closest to the intention of the original.
This Policy constitutes the entire agreement between you and The Wellness regarding the processing of your Personal Data and supersedes all prior or contemporaneous communications and proposals.
No failure or delay in exercising any right under this Policy shall constitute a waiver of that right. Any waiver must be in writing and signed by an authorised representative of The Wellness.
We may assign our rights and obligations under this Policy to any successor entity. You may not assign your rights without our prior written consent.
In case of conflict between this Policy and other policies, the interpretation most protective to the Company prevails. Where this Policy conflicts with legal requirements, legal requirements prevail. Where English and translated versions conflict, the English version prevails.
BY USING OUR SERVICES, YOU ACKNOWLEDGE THAT YOU HAVE READ, UNDERSTOOD, AND AGREE TO BE BOUND BY THIS PRIVACY POLICY IN ITS ENTIRETY.