1. Introduction
CES Healthcare ("we", "us", or "our") is committed to protecting your privacy and personal data. This Privacy Policy explains how we collect, use, store, and protect your personal and medical information when you use our website, book appointments, or receive medical services from us.
By using our services, you consent to the practices described in this Privacy Policy. If you have any questions, please contact us using the details provided at the end of this policy.
2. Data Controller
CES Healthcare is the data controller responsible for your personal data. Our registered practice operates in North Manchester, North West England, UK.
Practice Name: CES Healthcare
Email: info@ces-healthcare.com
WhatsApp: +44 7557 337716
Location: North Manchester, North West England
3. What Data We Collect
We collect and process the following categories of personal data:
3.1 Personal Information
- Full name
- Date of birth
- Contact details (email address, phone number, address)
- Emergency contact information
- NHS number (if provided)
3.2 Medical Information
- Medical history and current symptoms
- Diagnoses and treatment records
- Prescription information
- Test results and diagnostic imaging
- Referral letters and clinical correspondence
- Notes from consultations
3.3 Appointment and Payment Data
- Appointment dates, times, and types
- Consultation method (video or in-person)
- Payment details processed via Stripe
- Booking references and transaction history
3.4 Website Usage Data
- IP address and browser information
- Pages visited and time spent on our website
- Device information
- Cookies and similar tracking technologies
4. How We Use Your Data
We use your personal data for the following purposes:
- Providing medical care: To diagnose, treat, and manage your health conditions
- Appointment management: To schedule, confirm, and remind you of appointments
- Communication: To send you appointment confirmations, test results, and follow-up information
- Payment processing: To process payments for our services via Stripe
- Medical records: To maintain accurate and complete medical records as required by law
- Quality assurance: To review and improve our clinical services
- Legal compliance: To comply with GMC, NHS, and legal requirements
- Website improvement: To analyse website usage and improve user experience
We will never use your personal data for marketing purposes without your explicit consent.
5. Legal Basis for Processing
Under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, we process your personal data on the following legal bases:
- Medical care contract: Processing is necessary for the provision of medical services you have requested
- Legal obligation: We are required by law to maintain medical records and report certain conditions
- Vital interests: Processing may be necessary to protect your life or health in emergencies
- Consent: Where you have given explicit consent for specific purposes
- Legitimate interests: For website analytics and security, provided your rights are not overridden
6. Medical Records and Confidentiality
Your medical records are treated with the strictest confidentiality. All our practitioners are bound by professional confidentiality obligations under General Medical Council (GMC) guidelines.
6.1 Access to Medical Records
Only authorised healthcare professionals involved in your care may access your medical records. Access is logged and monitored for security purposes.
6.2 Sharing with Other Healthcare Providers
We may share your medical information with:
- Your NHS GP (with your consent or where clinically necessary)
- Specialists or hospitals to whom you are referred
- Pharmacies for prescription fulfilment
- Laboratories for diagnostic testing
- NHS organisations as required by law
We will always inform you when sharing your data with other healthcare providers unless there is an overriding legal or clinical reason not to do so.
7. Data Sharing and Third Parties
We do not sell your personal data to third parties. We only share your data with:
- Stripe: For secure payment processing. Stripe processes your payment details in accordance with their own privacy policy
- Supabase: For secure cloud data storage and hosting of our appointment system
- Email service providers: For sending appointment confirmations and notifications
- Video consultation platforms: For delivering video appointments securely
- Regulatory bodies: When required by law (GMC, CQC, NHS England)
All third-party providers are required to comply with UK data protection laws and maintain appropriate security measures. We have data processing agreements in place with all service providers.
8. Data Retention
We retain your personal data only for as long as necessary:
- Medical records: Retained for a minimum of 10 years after your last appointment (or until age 25 for children), in accordance with NHS guidelines
- Appointment records: Retained for 8 years for administrative and legal purposes
- Payment records: Retained for 6 years for tax and accounting purposes
- Website usage data: Retained for up to 12 months for analytics purposes
- Contact form submissions: Retained for 12 months or until the enquiry is resolved
After these periods, your data is securely deleted or anonymised in accordance with our data retention policy.
9. Your Data Protection Rights
Under UK data protection law, you have the following rights:
- Right to access: You can request a copy of the personal data we hold about you
- Right to rectification: You can request correction of inaccurate or incomplete data
- Right to erasure: You can request deletion of your data in certain circumstances
- Right to restrict processing: You can request limitation of how we use your data
- Right to data portability: You can request transfer of your data to another provider
- Right to object: You can object to certain types of processing
- Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time
Please note that medical records may be exempt from erasure requests where retention is required for legal or clinical reasons. To exercise any of these rights, please contact us using the details below.
10. Data Security
We take data security seriously and implement appropriate technical and organisational measures to protect your data:
- All data is encrypted in transit using SSL/TLS technology
- Medical records are stored in secure, UK-based cloud infrastructure
- Access controls and authentication requirements for all staff
- Regular security audits and vulnerability assessments
- Staff training on data protection and confidentiality
- Incident response procedures for data breaches
- Payment processing is handled entirely by Stripe — we do not store your card details
In the unlikely event of a data breach that poses a risk to your rights and freedoms, we will notify you and the Information Commissioner's Office (ICO) within 72 hours.
11. Cookies and Website Tracking
Our website uses cookies and similar technologies to:
- Maintain your session during the booking process
- Remember your preferences
- Analyse website traffic and usage patterns
- Improve website functionality and user experience
You can manage cookie preferences through your browser settings. Please note that disabling certain cookies may affect the functionality of our booking system.
12. Video Consultations
When you use our video consultation service:
- Video calls are conducted over encrypted connections
- We do not record video consultations unless explicitly agreed and consented to
- Clinical notes are recorded in your medical record as with any consultation
- You are responsible for ensuring your consultation environment is private and secure
- We recommend using a private internet connection rather than public Wi-Fi
13. Children's Data
For patients under 16 years of age, we process personal data with the consent of a parent or legal guardian. Medical records for children are retained until the patient reaches 25 years of age in accordance with NHS guidelines.
If you believe we have inadvertently collected data from a child without appropriate consent, please contact us immediately and we will delete the information.
14. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or service improvements. Any changes will be posted on this page with an updated "Last updated" date. We encourage you to review this policy periodically. For significant changes, we will notify you directly where possible.
15. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:
Email: info@ces-healthcare.com
WhatsApp: +44 7557 337716
Address: North Manchester, North West England
You also have the right to complain to the Information Commissioner's Office (ICO) if you believe we have not handled your data properly. The ICO can be contacted at ico.org.uk or by calling 0303 123 1113.