Privacy Policy
Last updated: March 2026
AtWell Clinic (“we”, “us”, “our”) is operated by MRL Health Ltd, a company registered in England and Wales (company number 16582187), trading as AtWell. We are committed to protecting and respecting your privacy.
This privacy notice explains how we collect, use, store, and share your personal data when you use our website, book appointments, receive clinical care, or otherwise interact with our clinic. It applies to all patients, website visitors, and enquirers.
We are registered with the Information Commissioner’s Office (ICO) as a data controller. Our ICO registration number is ZC111341.
1. Data controller
The data controller responsible for your personal data is:
MRL Health Ltd (trading as AtWell)
164 Station Road, Balsall Common, CV7 7FD
Email: hello@wellclinics.co.uk
Telephone: 01676 545111
2. What personal data we collect
We may collect and process the following categories of personal data:
Identity and contact data
Your name, date of birth, gender, postal address, email address, telephone number, and emergency contact details.
Health and clinical data (special category data)
Your medical history, symptoms, diagnoses, treatment plans, prescriptions, test results, referral letters, clinical notes, and any other information recorded during consultations. Under the UK General Data Protection Regulation (UK GDPR), health data is classified as “special category” data and receives additional protections.
Financial and payment data
Payment card details (processed securely by our payment provider — we do not store full card numbers), billing address, invoices, and insurance membership details.
Technical and usage data
IP address, browser type, device information, pages visited, time spent on the site, and referring URLs. This is collected automatically when you visit our website.
Communication data
Records of correspondence with us by email, telephone, or through website forms, including intake questionnaire responses.
3. How we collect your data
We collect personal data in the following ways:
- Directly from you — when you register as a patient, book an appointment, complete an intake form, attend a consultation, telephone or email us, subscribe to our newsletter, or submit an enquiry through our website.
- From healthcare professionals — through referral letters from your NHS GP, hospital consultants, or other healthcare providers with your consent.
- From diagnostic providers — laboratory and imaging results returned to us following tests we have requested on your behalf.
- Automatically — through cookies and similar technologies when you use our website (see our Cookie Policy).
4. Why we process your data and our lawful bases
We only process your personal data where we have a lawful basis to do so under the UK GDPR. Because we process health data, we also rely on a condition under Article 9(2) for each activity involving special category data. The table below sets out each processing activity, the Article 6 basis, and — where health data is involved — the corresponding Article 9 condition.
Article 6 bases we rely on
- Article 6(1)(a) — Consent: where you have given us clear, informed, and freely given consent (e.g. marketing emails, optional cookies, sharing records with your GP).
- Article 6(1)(b) — Contract: where processing is necessary to perform our contract with you or to take steps at your request before entering into a contract (e.g. booking and delivering appointments, billing).
- Article 6(1)(c) — Legal obligation: where processing is required by law (e.g. CQC regulatory reporting, safeguarding duties, HMRC record-keeping, RIDDOR notifications).
- Article 6(1)(d) — Vital interests: where processing is necessary to protect someone’s life (e.g. sharing information with emergency services in a medical emergency).
- Article 6(1)(f) — Legitimate interests: where processing is necessary for our legitimate business interests (or those of a third party), provided those interests are not overridden by your rights and interests (e.g. responding to general enquiries, operating website analytics to improve our services, fraud prevention).
Article 9 conditions we rely on (special category health data)
- Article 9(2)(a) — Explicit consent: where you have given explicit consent to the processing of your health data for a specific purpose (e.g. sharing your records with a third-party clinician you have nominated).
- Article 9(2)(c) — Vital interests: where processing is necessary to protect your vital interests or those of another person (e.g. medical emergency disclosure).
- Article 9(2)(h) — Provision of health or social care: the primary condition under which we process health data for clinical purposes. This applies to preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, and the management of health or social care systems and services. Processing must be carried out by (or under the responsibility of) a health professional subject to the obligation of professional secrecy.
- Article 9(2)(i) — Public interest in public health: where relevant for legitimate public health purposes (e.g. notifiable disease reporting).
Processing activities and lawful bases
| Purpose | Article 6 basis | Article 9 condition (if health data) |
|---|---|---|
| Providing clinical care, diagnosis, and treatment | 6(1)(b) — Contract | 9(2)(h) — Provision of health care |
| Managing your appointments and patient record | 6(1)(b) — Contract | 9(2)(h) — Provision of health care |
| Processing payments and issuing invoices | 6(1)(b) — Contract | N/A |
| Submitting insurance claims on your behalf | 6(1)(b) — Contract | 9(2)(h) — Insurance and health care purposes |
| Sharing clinical information with your NHS GP or referring clinician | 6(1)(a) — Consent | 9(2)(a) — Explicit consent |
| Responding to general enquiries and complaints | 6(1)(f) — Legitimate interests | N/A |
| Sending appointment reminders | 6(1)(b) — Contract | N/A |
| Sending our newsletter or health information (where you have opted in) | 6(1)(a) — Consent | N/A |
| Meeting regulatory and legal obligations (e.g. CQC, safeguarding, RIDDOR, notifiable disease reporting) | 6(1)(c) — Legal obligation | 9(2)(h) or 9(2)(i) as applicable |
| HMRC financial record-keeping | 6(1)(c) — Legal obligation | N/A |
| Operating website analytics (Vercel Analytics / Google Analytics where enabled) | 6(1)(a) — Consent (analytics only run after you accept analytics cookies via our cookie banner) | N/A |
| Processing consent preference records (marketing opt-ins) | 6(1)(c) — Legal obligation (PECR compliance) | N/A |
| Sharing information with emergency services in a medical emergency | 6(1)(d) — Vital interests | 9(2)(c) — Vital interests |
| Operating clinical AI scribing technology (see section 5) | 6(1)(b) — Contract | 9(2)(h) — Provision of health care |
Where we rely on legitimate interests, we have carried out a legitimate interests assessment (LIA) to ensure our interests are not overridden by your rights or interests. You may request a copy of our LIA by contacting us at hello@wellclinics.co.uk.
5. Clinical AI tools
To support the quality and accuracy of our clinical documentation, we may use AI-assisted clinical scribing technology during consultations. This tool listens to the consultation (with your knowledge) and generates a draft of the clinical notes for your clinician to review, edit, and approve. The AI does not make clinical decisions — all notes are checked and finalised by your treating clinician.
The data processed by the clinical AI tool is treated as health data, subject to the same protections and retention policies as all other clinical records. If you would prefer that AI-assisted scribing is not used during your consultation, please let your clinician know at the start of your appointment.
6. Who we share your data with
We will never sell your personal data. We only share it where there is a lawful reason to do so. Recipients may include:
- Your NHS GP or referring clinician — with your explicit consent, to ensure continuity of care.
- Diagnostic laboratories — to process blood tests, pathology, or other investigations we have requested.
- Private medical insurers — where you have asked us to submit a claim on your behalf.
- Our electronic health record provider — who hosts your clinical records securely on our behalf (as a data processor).
- Payment processors — to process card payments securely. They do not have access to your health data.
- Regulatory bodies — including the Care Quality Commission (CQC), the General Medical Council (GMC), and safeguarding authorities, where required by law.
- Professional advisors — solicitors, accountants, and insurers, where necessary for the operation of the business.
All third-party data processors acting on our behalf are bound by data processing agreements and are required to implement appropriate technical and organisational security measures.
7. International transfers
Your clinical records are stored on servers located within the United Kingdom or the European Economic Area. Where any data processor transfers data outside the UK (for example, for website analytics), we ensure that appropriate safeguards are in place, such as the International Data Transfer Agreement (IDTA) or equivalent adequacy decisions.
8. How long we keep your data
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Our retention periods follow the NHS Records Management Code of Practice (2021) where applicable to private healthcare providers. The schedule below sets out our key retention periods.
| Data type | Retention period | Authority / reason |
|---|---|---|
| Adult medical / clinical records | 10 years after the date of last treatment (or, for mental health records, 20 years) | NHS Records Management Code of Practice 2021 |
| Children’s medical / clinical records | Until the patient’s 25th birthday, or 10 years after the last entry, whichever is longer | NHS Records Management Code of Practice 2021 |
| Appointment records | 10 years after the date of last treatment | NHS Records Management Code of Practice 2021 |
| Financial / billing records | 7 years from the end of the relevant financial year | HMRC requirement (Taxes Management Act 1970) |
| Marketing consent records (opt-in evidence) | Duration of consent + 1 year after withdrawal or lapse | ICO guidance on PECR compliance |
| Website analytics data (Google Analytics / Vercel Analytics) | 26 months from the date of collection | ICO guidance on analytics and cookies |
| CCTV footage (if applicable) | 30 days, then automatically overwritten | ICO CCTV Code of Practice |
| Website enquiry form submissions | 2 years from the date of submission | Legitimate interests assessment |
| Marketing subscriber data | Until you unsubscribe, then deleted within 30 days | Consent-based processing |
| Staff / employment records | 6 years after employment ends | Employment law and HMRC requirements |
After the applicable retention period, data is securely deleted or irreversibly anonymised. Where we are required to retain data for longer periods (for example, where legal proceedings are anticipated), we will retain it only for as long as necessary and will inform you where practicable.
9. Your data subject rights
Under the UK GDPR and the Data Protection Act 2018, you have the following rights in relation to your personal data. These rights are not absolute and are subject to certain exemptions — we will always explain if we are unable to comply with a request and why.
9.1 Right of access (Subject Access Request)
You have the right to obtain a copy of the personal data we hold about you, together with information about how and why we process it. This is known as a Subject Access Request (SAR). We will provide the information free of charge, in a commonly used electronic format, within one calendar month of receiving a valid request. We may extend this by a further two months for complex or numerous requests, in which case we will notify you within the first month.
9.2 Right to rectification
You have the right to have inaccurate personal data corrected and incomplete data completed. We will act on rectification requests without undue delay and within one month. Please note that for clinical records, corrections are typically made by adding an amendment note rather than altering the original entry, in order to preserve the integrity of the medical record.
9.3 Right to erasure (‘right to be forgotten’)
You have the right to request deletion of your personal data in certain circumstances — for example, where the data is no longer necessary for the purpose for which it was collected, or where you withdraw consent and there is no other lawful basis for processing.
Important exception for healthcare records: We are generally unable to erase clinical and medical records before the end of the applicable retention period (see section 8). This is because retention is required to comply with legal obligations (including the NHS Records Management Code of Practice), to protect your safety and the safety of others, and to establish, exercise, or defend legal claims. Where we cannot fulfil an erasure request, we will explain the reasons in writing.
9.4 Right to restrict processing
You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, while you contest the accuracy of the data, or where you have objected to processing based on legitimate interests while we consider your objection. Restriction means we can store the data but not actively use it.
9.5 Right to data portability
Where processing is based on your consent or on a contract, and is carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format (such as CSV or JSON), and to have that data transmitted to another controller where technically feasible. This right does not apply to processing carried out in the public interest or under legal obligation.
9.6 Right to object
You have the right to object to the processing of your personal data where we rely on legitimate interests (Article 6(1)(f)) as our lawful basis. On receipt of an objection, we must stop processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
You have an absolute right to object to processing for direct marketing purposes (including profiling for direct marketing). We will stop processing for this purpose immediately upon receipt of your objection.
9.7 Rights related to automated decision-making and profiling
You have the right not to be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects concerning you. AtWell Clinic does not currently use fully automated decision-making processes that produce legal or similarly significant effects on patients. Where we use AI-assisted tools (such as clinical scribing — see section 5), a qualified clinician always reviews and takes responsibility for the output. If our practices change, we will update this notice and inform you accordingly.
9.8 Right to withdraw consent
Where processing is based on your consent, you may withdraw that consent at any time by contacting us. Withdrawal does not affect the lawfulness of processing carried out before withdrawal. We will action your withdrawal request promptly and within 30 days at the latest.
How to exercise your rights
To exercise any of the rights described above, please contact our Data Protection Lead:
Email: privacy@wellclinics.co.uk
Post: Data Protection Lead, AtWell Clinic (MRL Health Ltd), 164 Station Road, Balsall Common, CV7 7FD
Telephone: 01676 545111
We will respond within one calendar month of receiving a valid request. There is no fee for exercising your rights in most circumstances. We may charge a reasonable fee if a request is manifestly unfounded or excessive. We may need to verify your identity before processing a request — this is to protect your data and prevent unauthorised access.
Right to complain to the ICO
If you are not satisfied with our response, or if you believe we are processing your personal data unlawfully, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s independent supervisory authority for data protection. You can do this at any time — you do not need to contact us first, although we would encourage you to give us the opportunity to address your concern.
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
Online reporting: ico.org.uk/make-a-complaint
9a. Sub-processors and third-party data processors
We use a limited number of carefully selected third-party companies (“sub-processors”) to help us deliver our services. Each sub-processor is bound by a data processing agreement (DPA) and is required to implement appropriate technical and organisational security measures. The table below lists our current sub-processors.
| Sub-processor | Service provided | Country | Transfer safeguards |
|---|---|---|---|
| Semble | Electronic Health Record (EHR) system, online appointment booking platform, and patient record management | United Kingdom | Data stored in the UK; UK-based processor; Data Processing Agreement (DPA) in place; processing of health data under Article 9(2)(h) UK GDPR |
| Vercel Inc. | Website hosting and content delivery network | United States | EU Standard Contractual Clauses (SCCs) / UK International Data Transfer Agreement (IDTA) in place |
| Google LLC (Google Analytics) | Website analytics and usage statistics (where analytics cookies are accepted) | United States | EU SCCs / UK IDTA in place; IP anonymisation enabled; data sharing with Google advertising products disabled |
| Email service provider | Transactional and marketing email delivery (provider to be confirmed — this notice will be updated upon appointment) | To be confirmed | Appropriate transfer safeguards will be confirmed upon appointment of provider |
Semble is our primary data processor for clinical records and booking. As our Electronic Health Record (EHR) system, Semble processes special category health data on our behalf under Article 9(2)(h) UK GDPR (provision of health care). All clinical notes, patient records, appointment data, consultation histories, and booking information are stored and managed within Semble. Access is restricted to authorised clinical and administrative staff only.
We review our sub-processor list regularly. If we appoint a new sub-processor that will process your personal data, we will update this annex. Where required, we will provide advance notice of significant changes.
10. Data security
We take the security of your personal data seriously. We have implemented appropriate technical and organisational measures to protect your information against unauthorised access, alteration, disclosure, or destruction. These measures include encrypted data storage, role-based access controls, staff confidentiality agreements, regular security reviews, and secure disposal of records.
11. Children’s data
We provide healthcare services to children and young people. Where a child is under 13, we will ordinarily obtain consent from a parent or legal guardian for the processing of their data. For children aged 13 and above who have capacity to consent to treatment (assessed on a Gillick competence basis), we may process data with the child’s own consent where clinically appropriate.
12. Complaints
If you are unhappy with how we have handled your personal data, we would encourage you to contact us first at hello@wellclinics.co.uk so that we can try to resolve the matter. You may also raise a complaint about your data rights under section 9 above, including your right to complain directly to the ICO at any time. See section 9 (“How to exercise your rights”) for the ICO’s full contact details.
13. Changes to this policy
We may update this privacy policy from time to time. Any changes will be posted on this page with an updated revision date. We encourage you to review this policy periodically. Where changes are significant, we will make reasonable efforts to notify you directly.
14. Contact us
If you have any questions about this privacy policy or wish to exercise your data rights, please contact:
Data Protection Lead
AtWell Clinic (MRL Health Ltd)
164 Station Road, Balsall Common, CV7 7FD
Email: privacy@wellclinics.co.uk
Telephone: 01676 545111
15. Data Protection Officer assessment
AtWell has assessed its data protection obligations and, given the scale and nature of our processing activities, has determined that a formal Data Protection Officer (DPO) appointment is not currently required under UK GDPR Article 37. This assessment is reviewed annually. For all data protection queries, please contact our Data Protection Lead at privacy@wellclinics.co.uk.
16. Review schedule
This privacy notice is reviewed at least annually. Last reviewed: March 2026. Next scheduled review: March 2027.