This Privacy Policy explains how Harley Street Wellness ("HSW", "we", "our", "us") collects, uses, and protects information you provide when using hsw.london (the "site"), our online assessment, and any related services.
We are committed to handling your data lawfully, transparently, and only for the purposes set out below. This policy is governed by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003 (PECR).
1. Who we are
Data controller: Harley Street Wellness Ltd, London Medical Rooms, Ground Floor, 1–5 Portpool Lane, Chancery Lane, London EC1N 7UU, United Kingdom. We will register with the Information Commissioner's Office prior to public launch; our registration number will appear here once issued.
Contact: hello@harleystreetmedicalwellness.co.uk for any data-related enquiry, including requests to exercise the rights set out below.
2. What we collect
2.1 Information you give us
- Identifiers: your first name and email address when you complete the assessment.
- Quiz answers: your responses to the questions about lifestyle, symptoms, age, primary health goal, and safety screen.
- Booking information: if you book a consultation, the calendar provider (GoHighLevel) collects your name, email, phone number, and chosen appointment slot.
2.2 Information collected automatically
- Anonymous analytics: aggregated page views, referrer, and country-level location. We use a cookieless analytics provider (Plausible) — no personal identifier, IP address, or device fingerprint is stored.
- Technical logs: our hosting provider (Vercel) retains short server logs for security and abuse prevention — typically deleted within 30 days.
3. Health data — special category
Some questions in our assessment relate to your health (symptoms, pregnancy status, G6PD deficiency, anticoagulant medication). Under UK GDPR Article 9, this constitutes "special category" data and is given enhanced protection.
Our lawful basis for processing health data is your explicit consent (UK GDPR Article 9(2)(a)). You give this consent by completing the assessment and submitting your details. You can withdraw consent at any time by contacting hello@harleystreetmedicalwellness.co.uk. We will then delete your record; withdrawal does not affect the lawfulness of processing carried out before that point.
4. Why we use your data
| Purpose | Lawful basis |
|---|---|
| Generate your personalised Toxic Load Score and protocol | Explicit consent (Article 9(2)(a)) |
| Email you your report and follow-up information | Consent (Article 6(1)(a)) |
| Contact you to schedule a consultation (if you book one) | Performance of pre-contract steps (Article 6(1)(b)) |
| Improve the assessment and detect site abuse | Legitimate interests (Article 6(1)(f)) |
| Comply with our legal obligations (e.g. record-keeping) | Legal obligation (Article 6(1)(c)) |
5. Who we share data with
We never sell your data. We share limited information only with the third-party services we use to deliver the service:
- Resend (email delivery) — processes your email address and the contents of the report email. EU/US data transfers under Standard Contractual Clauses.
- GoHighLevel (booking / CRM) — receives your booking details if you book a consultation.
- Vercel (hosting) — processes anonymous request data and short server logs.
- Plausible Analytics (analytics) — receives only aggregated, non-identifying page-view data.
Each processor is bound by a data processing agreement and operates under appropriate technical and organisational safeguards.
6. How long we keep your data
- Quiz submissions and health data: retained for 24 months from the date of submission, after which they are deleted unless you become an HSW patient (in which case standard NHS / private clinic medical record retention applies).
- Marketing email subscription: until you unsubscribe (one-click link in every email).
- Server logs: 30 days.
- Analytics: aggregated counts kept indefinitely; no individual-level data retained.
7. Your rights
Under UK GDPR you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate data.
- Erasure — ask us to delete your data ("right to be forgotten").
- Restriction — ask us to pause processing while a query is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Object — object to processing based on legitimate interests.
- Withdraw consent — at any time, without affecting prior lawful processing.
- Complain to the ICO — at ico.org.uk if you believe your rights have been infringed.
To exercise any of these rights, email hello@harleystreetmedicalwellness.co.uk. We respond to all valid requests within one month.
8. Security
We use TLS encryption in transit, strict access controls, and the principle of least privilege for all systems handling personal data. No system is perfectly secure, but we maintain the technical and organisational measures appropriate to the sensitivity of the data we hold.
9. International transfers
Some of our processors (Resend, Vercel) are based in or transfer data to the United States. These transfers rely on the UK addendum to the EU Standard Contractual Clauses, supplemented by technical safeguards (encryption, pseudonymisation) where appropriate.
10. Changes
We may update this policy from time to time. Material changes will be communicated by email (if we have your address) or by a prominent notice on the site at least 30 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
11. Contact
Email: hello@harleystreetmedicalwellness.co.uk
London: Harley Street Wellness Ltd, London Medical Rooms, Ground Floor, 1–5 Portpool Lane, Chancery Lane, London EC1N 7UU · 020 4628 3137
Glasgow: 5th Floor, Ingram House, 227 Ingram Street, Glasgow G1 1DA · 0141 488 8985