Our Privacy Policy:
This policy was last updated: September 2025
This policy explains how we collect, use and protect your personal data when you interact with Lemala Health Ltd.
By personal data we mean information that relates to a living individual and which can identify, or be identified with, that individual.
Please read this policy carefully, as it contains important information on who we are and how and why we collect, use, store and share any information relating to you.
Introduction:
Lemala Health (which we will refer to as Lemala in this policy) is a limited company registered with the UK company registry (Companies House) with registration number 16461156.
Lemala is the controller of the personal data to which this privacy policy relates. This means that we are responsible for making sure that we process your personal data in a safe and lawful way.
Contact Details:
If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact us on contact@lemalahealth.co.uk or via our registered address: Upper Barford Farmhouse, Bramshaw, Lyndhurst SO43 7JN.
How do we collect data from you?
We obtain your data when you:
sign up for our newsletter or mailing list
book an appointment
complete patient information forms and/or questionnaires
have a consultation
sign a terms and conditions policy
make a payment to us
What personal data do we collect from you?
Your name, date of birth, email address, residential address, phone number, and any other information you provide via forms or correspondence.
Your gender
The name and address of your GP (i.e. your main doctor)
Your medical history information. This may include information on past and current medical conditions, prescribed medication, weight and height, lifestyle-related information such as smoking status and alcohol consumption, and the presence of any disabilities.
Your race, ethnicity and sexual orientation.
Payment details
Referral letters/other specialist/health professional information
How do we collect your personal data?
We collect most of the personal data from you directly. This may be in person, during a consultation, or via email, a questionnaire or our website.
We may also collect information from:
A third party, such as your GP or another health professional (with your consent)
Cookies on our website. These help us to make improvements to the website and the services we offer. For details about this, please see our separate Cookie Policy.
How and why do we use your personal data?
We will use your email address and/or registered address to communicate with you. This may include newsletters from the clinic, as well as copies of your clinic letters. We will use your address if we send medications to you.
We will use your personal information to register you as a patient to administer the provision of services to you. We require this information to provide you with accurate and safe medical advice, and to keep your clinical record up to date.
We will also use your data so that we can review the quality of the care we provide on a regular basis, using clinical audit and education. This improves the services we are able to offer to you.
We also use your data for marketing purposes, such as newsletters, but we will ask for your express consent for this, and you can opt out at any time by unsubscribing (through the options provided in the marketing material). Please email contact@lemalahealth.co.uk if you encounter any difficulties unsubscribing.
We may collect non-personal technical data about how you use the website, IT, communication and other systems (e.g. device type, browser, general usage trends), via analytics tools. For details about this, please see our separate Cookie Policy.
Under data protection law, we can only use your personal data if we have a proper reason. For example:
You have given consent
To comply with our legal and regulatory obligations
For the performance of a contract with you, or to take steps at your request before entering into a contract with you.
For our legitimate interests or those of a third party: a legitimate interest is when we have a business reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests to balance our interests against your own.
What we use your personal data for and why:
Providing our services to you
To perform our contract with you, or to take steps at your request before entering into a contract.
To provide you with health care, advice and/or treatment.
Operational reasons
For our legitimate reasons or those of a third party (i.e. to be as efficient as possible so we can deliver the best service to you, at the best price)
Updating and enhancing customer records
To perform our contract with you, or to take steps at your request before entering into a contract.
Retaining evidence of the treatment/advice we have given you.
To comply with our legal and regulatory obligations.
Providing marketing information to you on other services we offer.
By consent, to keep in touch with you, about the services we offer.
Gathering or providing information required by or relating to audits, enquiries or investigations by regulatory bodies.
To comply with our legal and regulatory obligations.
Providing information required by external medical practitioners and healthcare personnel involved in your care and treatment.
To perform our contract with you, or to take steps at your request before entering into a contract.
To provide you with healthcare, advice and/or treatment.
Generating anonymous statistics that may then be used by us and shared with third parties for research purposes.
For our legitimate interests or those of a third party (i.e. to develop new practices and improve the services we offer to you).
How and why we collect special category data:
In providing our services to you, we will be required to collect more sensitive personal data from you, to which additional protections apply under data protection law.
These may include:
Information relating to your health, including details of medical conditions, medication, weight and lifestyle information.
Information revealing your racial or ethnic origin
Information on your sex life, or sexual orientation, or religious or philosophical belief, that may be relevant to your health.
The legal basis for us processing this data is for the purpose of offering you healthcare, treatment and the management of our healthcare systems and services. This includes for the purposes of preventative medicine and giving you medical diagnoses.
When you first register for our services, and at various points after that, we will ask you to provide health data and possibly complete questionnaires about your health.
This may include questions about your symptoms, medication and health background.
Our legal basis for processing this data is your consent, which you can withdraw at any time by notifying us at contact@lemalahealth.co.uk.
As the data involved relates to your health, we shall ensure that any such consent obtained is explicit consent. Please note that without your consent to do this, we will be unable to offer you access to our clinic and services. This is because your health data is necessary for us to provide you with support and information.
Who do we share personal data with?
Access to your personal data within our organisation is only given to people that need access to that data to carry out their role.
Externally, we may from time to time share personal data (including more sensitive personal data) with the following categories of recipients, subject to due respect for your privacy:
Your GP and other medical practitioners or health professionals involved in your care or treatment. We will request your permission to do so unless we have cause to believe that you are a danger to yourself or others, and that the information needs to be shared in the interests of protecting you or others.
Our regulators, law enforcement, intelligence services, and other government authorities where they require us to do so. This may include the Care Quality Commission staff upon inspection, to enable them to assess the safety and quality of our services.
Our service providers, such as companies that manage our IT infrastructure and companies that provide us with cloud-based IT systems.
The pharmacies we use to dispense your prescribed medication.
External advisors (e.g. IT consultants, accountants and lawyers)
External companies providing services to us such as blood testing and imaging.
Potential buyers of, or investors in, our business where necessary in connection with a due diligence exercise.
Where we use personal data (including sensitive personal data) with any external party we will always ensure that the recipient is committed contractually to only use that personal data in compliance with our instructions and with applicable data protection laws.
Where we store and process your data:
We keep medical records on a secure healthcare management platform operated by a company called ‘Semble’.
The platform has robust security measures, including two-factor authentication. It is also ISO 27001 certified, certified by Cyber Essentials Plus (a government-backed scheme that helps organisations protect themselves against common cyber attacks) and is registered to use the NHS Data Security & Protection Toolkit.
All transfers of data to or from the Semble platform are fully encrypted to protect sensitive health information.
More information on our clinical platform is available here:
Data Breaches:
We have procedures in place to deal with any suspected data security breach and we will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Data Retention Period:
Our data retention period is the length of time we hold your personal data, and this is informed by NHS England and professional bodies, as well as our own retention schedule.
Different retention periods apply for different types of personal data.
Under the applicable guidance, we are obliged to keep health data for a period of eight years after the date on which we stop providing services to you (which we will treat as the last formal communication we had with or from you, if services were not stopped or terminated as such).
We will keep your personal data for as long as necessary to:
Respond to any questions, claims, or complaints made by you or on your behalf
To show that we treated you fairly
To keep the records required by law
When it is no longer necessary to keep your personal data, we will delete or anonymise it.
If your only interaction with Lemala has been as a subscriber to our Newsletter, then we will remove your data when you unsubscribe.
Transfers of personal data outside of the UK:
We are subject to the provisions of the UK data protection laws that protect your personal data.
However, the UK has different data protection laws to other countries and it might be necessary for us to share your personal data with countries outside of the UK. For example, where the third parties who assist us in providing the services (suppliers) operate from outside of the UK.
Where we transfer your data to third parties outside of the UK, we will ensure that certain safeguards are in place so as to provide the appropriate degree of security for your personal data.
One such third party is Squarespace, who are based in the United States and who act as our email marketing provider. We share your contact information with Squarespace so they can send out marketing emails on our behalf. You can unsubscribe from these marketing emails at any time by following the unsubscribe options set out in any of the emails.
More information on Squarespace and their security measures is available here: https://www.squarespace.com/measures
Your rights and how to exercise them:
In accordance with the UK’s data protection laws:
You can withdraw your consent to the processing of your information at any time.
You can request information about the person who is processing your information.
You can access the personal data when you need to.
You can prevent your personal data being used for direct marketing purposes.
You can request that your data is deleted when it is no longer required for the purposes it was collected for.
You can restrict the processing of your data in specific circumstances.
Accessing your data and applications to delete your data:
Under the UK’s data protection laws, you have the right to request a record of the data held about you. You can request this by sending an email, with your name and date of birth (so that we can correctly identify your records), to contact@lemalahealth.co.uk.
For legal purposes, we maintain a record of your information for 8 years from the date on which we stop providing services to you (which we will treat as the last formal communication we had with or from you, if services were not stopped or terminated as such). For patients who have completed their treatment and no longer wish to have their data accessed, we will store their data securely away from our main patient database, and contact details will not be used until the above timeframe is concluded, unless we are obliged by law for some other reason to retain it. During the retention period, the data will not be accessed for any purpose other than defending a legal claim if needed.
Changes to this policy:
It is likely that we will change this privacy policy from time to time, to reflect changes in law or in our operations, or to provide further detail or clarity. Where significant changes are made, which affect how your personal data is used, we will take all reasonable steps to notify all persons who might be affected through the contact details that we have on our systems – this might be through our Newsletter or via a specific email alert.