PRIVACY POLICY

WHO IS RESPONSIBLE FOR MANAGING MY INFORMATION?

At The Key Clinic, maintaining your privacy and confidentiality is a top priority for us. The Key Clinic (“The Company”) is committed to protecting your Personal Information when you use our website, web portal and mobile apps. We recognise that when you choose to provide us with information about yourself, you trust us to treat it in a responsible manner.

The Company uses all Personal Information that you provide to us or that we collect from you in accordance with all applicable laws, including those concerning the protection of Personal Information such as the EU General Data Protection Regulation.

The purpose of this Data Privacy Policy is to inform you about how the Company may use your Personal Information. In order to optimise the provision of our services to you and to facilitate some of our marketing efforts, we collect certain specific information about you.

This Data Privacy Policy explains the following: 

  • what information we may collect about you;

  • how we will use information we collect about you;

  • whether the Company will disclose your details to anyone else;

  • where we might send your information;

  • the use of cookies on the Company’s websites; and

  • how you can reject cookies.

DEFINITIONS:

In this privacy policy, the following definitions are used:

GDPR: 

The General Data Protection Regulation (“GDPR”) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).

It also addresses the transfer of personal data outside the EU and EEA areas. The primary aim of the “GDPR” is to give control to individuals over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.

DATA PROTECTION LAW:

All legislation and regulations in force from time to time regulating the use of personal data and the privacy of electronic communications including, but not limited to, EU Regulation 2016/679 (the “GDPR”), the Data Protection Act 2018, and any successor legislation or other directly applicable EU regulation relating to data protection and privacy (for as long as, and to the extent that, EU law has legal effect in the UK).

ENCRYPTION OR ENCRYPTED DATA:

The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text.

ICO:

Information Commissioner's Office. The supervisory authority for data protection in the UK.

PERSONAL DATA:

Any information relating to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data. The terms Personal Data and Personal Information are used interchangeably within this policy.

PERSONAL DATA BREACH:

A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

SPECIAL CATEGORIES OF PERSONAL DATA:

This data needs more protection because it is sensitive. It includes data which relates to an individual’s health, sexual orientation, race, ethnic origin,  political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).

DATA STORAGE: 

All client information is digitally stored on The Key Clinic Portal. 

After a user is registered and authenticated, we ensure that the data supplied by The Key Clinic clients is highly secure and always remains anonymous to eyes within The Key Clinic and, most certainly, to any potential threat from outside.

The platform design and architecture employ a number of techniques and implementations to ensure data protection and anonymity. The following is a list of the processes in practice:

  • Client information is anonymised.

  • Database firewall—blocks SQL injection and other threats, while evaluating for known vulnerabilities.

  • User rights management—monitors data access and activities of privileged users to identify excessive, inappropriate, and unused privileges.

  • Data masking and encryption—obfuscate sensitive data so it would be useless to the bad actor, even if somehow extracted.

  • Data loss prevention (DLP)—inspects data in motion, at rest on servers, in cloud storage, or on endpoint devices.

  • User behaviour analytics—establishes baselines of data access behaviour, uses machine learning to detect and alert on abnormal and potentially risky activity.

  • Data discovery and classification—reveals the location, volume, and context of data on-premises and in the cloud.

  • Database activity monitoring—monitors relational databases, data warehouses, big data, and mainframes to generate real-time alerts on policy violations.

The BeBright Portal is hosted by Amazon Web Services (AWS) EU. AWS operates to the highest security standards. For more information, read their privacy policy here: AWS.Amazon.Privacy Notice

THIRD PARTY INTEGRATIONS: 

The Key Clinic uses a variety of third-party service providers to help us provide services related to The Key Clinic website and platform. Examples include taking bookings, sending communications, and processing payments. The Key Clinic does not own or control these Third Party Partners and when you interact with them, you may be providing information directly to the Third Party Partner, The Key Clinic, or both. These Third Party Partners will have their own rules about the collection, use, and disclosure of information. We encourage you to review the privacy policies of the other websites you may visit while using our services (see below):

BeBright website uses the following third party services:

  • Stripe - Stripe collects information related to your payment transactions through The BeBright platform, including the payment instrument used, date and time, payment amount, payment instrument expiration date and billing postcode and other related transaction details. This information is necessary for the adequate performance of the contract between you and Stripe and to allow the provision of the Payment Services. Stripe.com Privacy Policy

  • Cliniko - We use an external booking management provider, Cliniko, for all appointment bookings managed through this site. Cliniko takes security seriously. Data is encrypted and stored in state-of-the-art facilities, access is restricted to those who have a need to know, and Cliniko regularly reviews its technology to maintain security. See Cliniko Security for more information about the data protection procedures Cliniko uses.

 

WHAT INFORMATION DO WE COLLECT? 

When you use our services, including The Key Clinic Platform, we will ask for and collect the following personal information about you. This information is necessary to allow us to comply with our legal obligations. Without it, we may not be able to provide you with the requested service.

  • Account Information - When you sign up for a The Key Clinic Account, we require certain information such as your name, email address, password (stored as an irreversible "hash" in our database), PIN number (encrypted in our database), date of birth, gender, parents' names (if applicable), contact number, address information and your marketing preferences.

  • Payment Information - To use certain features of The Key Clinic Platform (such as booking an appointment or paying for a service), we may require you to provide certain financial information (card number, expiry date, CVC) in order to facilitate the processing of payments. These details are stored on both Stripe and our database to keep the information secure.

  • Personal Information - Due to the nature of the services provided by BeBright, we may need to collect certain personal information about you in order to provide you with the best possible service. The level of information stored is therapy dependent, but a medical history may be required. All information you choose to give us will be processed based on our legitimate interest or, when applicable, your consent.

  • Personal data held is as follows:

    • Name (and sometimes the name of a legal guardian)

    • Company name (where applicable)

    • Job title (where applicable)

    • Postal address

    • Contact telephone number(s)

    • Email address

    • Copies of correspondence (in some cases)

  • Additionally for patients we may also store:

    • Date of birth

    • Sex

    • Clinical details

    • Referring clinician’s details for laboratory test requests

    • Health screening information 

    • Test results (as generated by laboratories and as received from third-party referral)

 

  • Usage Information - We collect information about your interactions with The Key Clinic Platform such as the pages or content you view, bookings you have made, and other actions on The Key Clinic Platform.

  • Log Data and Device Information - We automatically collect log data and device information when you access and use The Key Clinic Platform. That information includes, among other things: details about how you’ve used The Key Clinic Platform, IP address, access dates and times, hardware and software information, device information, device event information, unique identifiers, crash data and cookie data.

 

HOW DO WE USE YOUR INFORMATION?

The information you provide may be used in a number of ways, for example:

  • Enable us to make informed decisions regarding the appropriate service for your needs and to manage your customer service queries. The legal basis on which we process an individual's personal data in these circumstances is our respective legitimate interests in dealing with client service requests, responding to communications and solving client issues;

  • Collate anonymised data for research purposes to ensure the benefits of our therapies can become more widely recognised; 

  • For statistical purposes when we evaluate our range of services;

  • For marketing purposes: Where individuals have expressly opted in to receive marketing communications from us, we will process their personal data to provide such individuals with marketing communications in line with the preferences they have provided. An individual is not under any obligation to provide us with their personal data for marketing purposes, and individuals can withdraw their consent to their personal data being processed in this way at any time by contacting us. If an individual does choose to withdraw their consent, this will not mean that our processing of such individual's personal data before they withdrew their consent was unlawful. 

  • To make our website better: We may process an individual's personal data in order to provide such an individual with a more tailored user experience, including using their personal data to make sure our website is displayed in the most effective way for the device such individual is using. 

  • For website security and internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes. The legal basis on which we process personal data in these circumstances is our legitimate interest to provide an individual with the best customer experience we can, keep our website updated and relevant, study how clients use our services to inform our marketing strategy and to ensure that our website is kept secure. 


WHO WILL WE SHARE YOUR INFORMATION WITH? 

In order to provide you with our services, we may share your information with the following:   

  • Your practitioner(s) in order that they can provide you with our service.

  • Carefully selected third party referral pathology laboratories to conduct requested biomedical tests on patient samples. These referral laboratories are all GDPR compliant and only use the information provided to identify samples and report results back to The Key Clinic. The Key Clinic currently uses laboratories based in the United Kingdom, mainland Europe and the United States of America to undertake The Key Clinic pathology testing.

  • Our administration staff, for example reception staff and bookkeepers, will have access to basic information but do not have access to your medical history or sensitive personal information.

  • Occasionally we may want to make a referral to other professionals, for example specialist medical consultants, in which case we will ask for written consent to share that data.

  • Protection of Us and Others: We release accounts and other personal information when we believe release is appropriate to comply with the law, enforce or apply our terms and other agreements, or protect the rights, property, or security of The Key Clinic, our clients, or others. 

  • Exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.


COMMUNICATIONS:

  • Appointment reminders will be sent to your chosen mobile telephone, 48 hours prior to your booked appointment. Please let us know if you wish to opt out from this system.

  • If you wish to unsubscribe or adjust your communication preferences at any time, this can be done by accessing the Client Portal.

 

WHEN CAN WE CONTACT YOU IN THE FUTURE?  

We will only contact you in the future for the following reasons:

  • Follow up on your progress.

  • To advise you of any updates to our privacy policy. 

  • Marketing communications - only for individuals who have expressly opted in to receive marketing communications from us. 

HOW LONG WILL WE HOLD YOUR DATA FOR?

We have a system of retention periods in place to ensure that your information is only stored whilst it is required for the relevant purposes or to meet legal requirements. Where your information is no longer required, we will ensure it is disposed of in a secure manner.

 

HOW LONG CAN YOU ACCESS AND UPDATE YOUR INFORMATION?

  • You will have indefinite access to The Key Clinic Platform.

  • You have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please email or write to us. 

  • We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.

SECURITY:

We are continuously implementing and updating administrative, technical, and physical security measures to help protect your information against unauthorised access, loss, destruction, or alteration. Some of the safeguards we use to protect your information are firewalls, data encryption, and information access controls. If you know or have reason to believe that your Account credentials have been lost, stolen, misappropriated, or otherwise compromised, or in case of any actual or suspected unauthorised use of your BeBright Account, please contact us following the instructions in the Contact Us section below.

 

HOW DO WE UPDATE THIS PRIVACY POLICY?

The Company will review this privacy policy on a regular basis to ensure that it is up-to-date with our use of your Personal Information, and compliant with Data Protection Law.

The Company reserves the right, at our discretion, to revise this Website Privacy Policy at any time. The updated policy will be posted on our website and you are encouraged to review this from time to time. This privacy policy was last updated: 30 March 2022

By using the Company’s website you consent to the collection and use of Personal Data by us as described within this Policy. Continued access or use of the Company’s website will constitute your express acceptance of any modifications to this Policy.

 

WHO CAN YOU CONTACT IF YOU HAVE QUERIES ABOUT THIS PRIVACY POLICY?

Please contact us if you have any questions about our privacy policy or information we hold about you.

By email: admin@thekeyclinic.co.uk

Or write to us at:

The Key Clinic
36 Devonshire Place
Marylebone
London
W1G 6JR