Our Privacy Policy: Version 2.0
This policy was last updated: June 2026
Please read this policy carefully, as it contains important information on who we are and how and why we collect, use, store and share any information relating to you.
This policy explains how we collect, use and protect your personal data when you interact with Lemala Health Ltd. By personal data we mean information that relates to a living individual and which can identify, or be identified with, that individual.
Introduction:
Lemala Health is a limited company registered with the UK company registry (Companies House) with registration number 16461156.
Lemala is the controller of the personal data to which this privacy policy relates. This means that we are responsible for making sure that we process your personal data in a safe and lawful way.
Contact Details:
If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact us on hello@lemalahealth.co.uk or via our registered address: Upper Barford Farmhouse, Bramshaw, Lyndhurst SO43 7JN.
How do we collect data from you?
We obtain your data when you:
Sign up for our newsletter or mailing list
book an appointment
complete patient information forms and/or questionnaires
have a consultation
sign a terms and conditions policy
make a payment to us
What personal data do we collect from you?
Your name, date of birth, email address, residential address, phone number, and any other information you provide via forms or correspondence.
Your gender
The name and contact details of your GP
Your medical history information. This may include information on past and current medical conditions, prescribed medication, weight and height, lifestyle-related information such as smoking status and alcohol consumption, and the presence of any disabilities.
Your race, ethnicity and sexual orientation.
Payment details
Referral letters/other specialist/health professional information
How do we collect your personal data?
We collect most of the personal data from you directly. This may be in person, during a consultation, or via email, a questionnaire or our website.
We may also collect information from:
A third party, such as your GP or another health professional (with your consent)
Cookies on our website. For details about this, please see our separate Cookie Policy. These help us to make improvements to the website and the services we offer.
How and why do we use your personal data?
We will use your email address and/or registered address to communicate with you. This may include newsletters from the clinic, as well as copies of your clinic letters. We will use your registered address to send medications to you.
We will use your personal information to register you as a patient to administer the provision of services to you. We require this information to provide you with accurate and safe medical advice, and to keep your clinical record up to date.
We will also use your data so that we can review the quality of the care we provide on a regular basis, using clinical audit and education. This improves the services we can offer to you.
We also use data for marketing purposes, such as newsletters, but we will ask for your express consent for this, and you can opt out at any time by unsubscribing (through the options provided in the marketing material). Please email hello@lemalahealth.co.uk if you encounter any difficulties subscribing.
We may collect non-personal technical data about how you use the website, IT, communication and other systems (e.g. device type, browser, general usage trends), via analytics tools. For details about this, please see our separate Cookie Policy.
Under data protection law, we can only use your personal data if we have a proper reason. For example:
You have given consent
To comply with our legal and regulatory obligations
For the performance of a contract with you, or to take steps at your request before entering into a contract with you.
For our legitimate interests or those of a third party: a legitimate interest is when we have a business reason to use your information, so long as this is not overridden by your own rights and interests. We will carry out an assessment when relying on legitimate interests to balance our interests against your own.
What we use your personal data for and why:
Providing our services to you
To perform our contract with you, or to take steps at your request before entering into a contract.
To provide you with health care, advice and/or treatment.
Operational reasons
For our legitimate reasons or those of a third party (i.e. to be as efficient as possible so we can deliver the best service to you, at the best price)
Updating and enhancing customer records
To perform our contract with you, or to take steps at your request before entering into a contract.
Retaining evidence of the treatment/advice we have given you.
To comply with our legal and regulatory obligations.
Providing marketing information to you on other services we offer.
By consent, to keep in touch with you, about the services we offer.
Gathering or providing information required by or relating to audits, enquiries or investigations by regulatory bodies.
To comply with our legal and regulatory obligations.
Providing information required by external medical practitioners and healthcare personnel involved in your care and treatment.
To perform our contract with you, or to take steps at your request before entering into a contract.
To provide you with healthcare, advice and/or treatment.
Generating anonymous statistics that may then be used by us and shared with third parties for research purposes.
For our legitimate interests or those of a third party (i.e. to develop new practices and improve the services we offer to you).
How and why we collect special category data:
In providing our services to you, we will be required to collect more sensitive personal data from you, to which additional protections apply under data protection law.
These may include:
Information relating to your health, including details of medical conditions, medication, weight and lifestyle information.
Information revealing your racial or ethnic origin
Information on your sex life, or sexual orientation, or religious or philosophical belief, that may be relevant to your health.
The legal basis for us processing this data is for the purpose of offering you healthcare, treatment and the management of our healthcare systems and services. This includes for the purposes of preventative medicine and giving you medical diagnoses.
When you first register for our services, and at various points after that, we will ask you to provide health data and possibly complete questionnaires about your health.
This may include questions about your symptoms, medication and health background.
We process health information because it is necessary for the provision of healthcare, medical diagnosis, treatment and the management of healthcare services. In some circumstances we may also ask for your explicit consent where required by law, or where we wish to use your information for a purpose that is not directly related to your care.
Who do we share personal data with?
Access to your personal data within our organisation is only given to people that need access to that data to carry out their role.
Externally, we may from time to time share personal data (including more sensitive personal data) with the following categories of recipients, subject to due respect for your privacy:
Your GP and other medical practitioners or health professionals involved in your care or treatment. We will request your permission to do so unless we have cause to believe that you are a danger to yourself or others, and that the information needs to be shared in the interests of protecting you or others.
Our regulators, law enforcement agencies, intelligence services, and other government authorities where they require us to do so. This may include the Care Quality Commission staff upon inspection, to enable them to assess the safety and quality of our services.
Our service providers, such as companies that manage our IT infrastructure and companies that provide us with cloud-based IT systems.
The pharmacies we use to dispense your prescribed medication.
External advisors (e.g. IT consultants, accountants and lawyers)
External companies providing services to us such as blood testing and imaging.
Potential buyers of, or investors in, our business where necessary in connection with a due diligence exercise.
Where we use personal data (including sensitive personal data) with any external party we will always ensure that the recipient is committed contractually to only use that personal data in compliance with our instructions and with applicable data protection laws.
Where we store and process your data:
We take appropriate technical and organisational measures to protect personal data against unauthorised access, loss, misuse, alteration or disclosure.
We keep medical records on a secure healthcare management platform operated by a company called ‘Semble’.
Semble acts as a data processor on our behalf and processes personal data only in accordance with our instructions and applicable data protection law.
The platform has robust security measures, including two-factor authentication. It is also ISO 27001 certified, certified by Cyber Essentials Plus (a government backed scheme that helps organisations protect themselves against common cyber-attacks) and is registered to use the NHS Data Security & Protection Toolkit.
All transfers of data to or from the Semble platform are fully encrypted to protect sensitive health information.
More information on our clinical platform is available here:
Data Breaches:
We have procedures in place to deal with any suspected data security breach and we will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.
Data Retention Period:
Our data retention period is the length of time we hold your personal data, and this is informed by NHS England and professional bodies, as well as our own retention schedule.
Different retention periods apply for different types of personal data.
Adult health records are generally retained for a minimum period of eight years following the last contact or treatment episode, in accordance with current NHS Records Management guidance and professional obligations.
We will keep your personal data for as long as necessary to:
Respond to any questions, claims, or complaints made by you or on your behalf
Show that we treated you fairly
Keep the records required by law
When it is no longer necessary to keep your personal data, we will delete or anonymise it.
If your only interaction with Lemala has been as a subscriber to our Newsletter, then we will remove your data when you unsubscribe.
Transfers of personal data outside of the UK:
We are subject to the provisions of the UK data protection laws that protect your personal data.
However, the UK has different data protection laws to other countries and it might be necessary for us to share your personal data with countries outside of the UK. For example, where the third parties who assist us in providing the services (suppliers) operate from outside of the UK.
Where we transfer your data to third parties outside of the UK, we will ensure that certain safeguards are in place so as to provide the appropriate degree of security for your personal data.
One such third party is Squarespace, who are based in the United States and who act as our email marketing provider. We share your contact information with Squarespace so they can send out marketing emails on our behalf. You can unsubscribe from these marketing emails at any time by following the unsubscribe options set out in any of the emails.
More information on Squarespace and their security measures is available here: https://www.squarespace.com/measures
Your rights and how to exercise them:
In accordance with UK data protection law, you have the right to:
Request access to the personal data we hold about you.
Request that inaccurate or incomplete personal data is corrected.
Request the deletion of your personal data in certain circumstances.
Request that we restrict the processing of your personal data in certain circumstances.
Object to the processing of your personal data in certain circumstances.
Request a copy of your personal data in a portable format where applicable.
Withdraw your consent at any time where we rely on consent as the legal basis for processing.
Opt out of receiving direct marketing communications at any time.
Lodge a complaint with the Information Commissioner's Office (ICO) if you believe your personal data has been handled unlawfully.
If you have concerns about how we handle your personal data, we encourage you to contact us first so that we can try to resolve the issue. Details of how to raise a complaint, including a data protection complaint, can be found in our Complaints Policy.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO), the UK's independent authority for data protection. Further information can be found at www.ico.org.uk
Accessing your data and applications to delete your data:
Under the UK’s data protection laws, you have the right to request a record of the data held about you. You can request this by sending an email with your name and date of birth (so that we can correctly identify your records) to hello@lemalahealth.co.uk.
For legal purposes, we maintain a record of your information for 8 years from the date on which we stop providing services to you (which we will treat as the last formal communication we had with or from you, if services were not stopped or terminated as such).
For patients who have completed their treatment and no longer wish to have their data accessed, we will store their data securely away from our main patient database, and contact details will not be used until the above timeframe is concluded – unless we are obliged by law for some other reason to retain it. During the retention period, the data will not be accessed for any purpose other than defending a legal claim if needed.
Changes to this policy:
It is likely that we will change this privacy policy from time to time, to reflect changes in law or in our operations, or to provide further detail or clarity.
Where significant changes are made, which affect how your personal data is used, we will take all reasonable steps to notify all persons who might be affected through the contact details that we have on our systems – this might be through our Newsletter or via a specific email alert.