Clare Connolly Weight Loss Clinic

Clare Connolly Weight Loss Clinic ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller is Clare Connolly Weight Loss Clinic, operated by LSJ Rejuvenate LTD, registered in England and Wales. For data protection enquiries, contact: [email protected]

ICO Registration Number: ZA165050. You can verify our registration at ico.org.uk. Companies House Registration Number: 09987395.

2. Data We Collect

Personal Data

Name, date of birth, gender, contact details (email, phone, address)
Account credentials and authentication data
Payment information (processed securely via Stripe — we do not store card details)

Special Category Health Data

Medical history, current medications, allergies
Body measurements (weight, height, BMI, waist circumference)
Lifestyle data (sleep, exercise, habits)
Clinical notes and prescribing decisions

Technical Data

IP address, browser type, device information
Cookie data (see our Cookie Policy)
Portal usage analytics

3. Legal Basis for Processing

We process your data under the following legal bases:

Contract performance — to deliver the weight management programme you have enrolled in
Legitimate interests — to improve our services and ensure clinical safety
Legal obligation — to comply with healthcare regulations and GDPR requirements
Explicit consent — for processing special category health data and optional marketing communications
Vital interests — in emergency situations where processing is necessary to protect life

4. How We Use Your Data

Assessing your eligibility for the weight management programme
Providing clinical consultations and prescribing services
Managing your patient portal and progress tracking
Processing payments and managing subscriptions
Communicating with you about appointments and programme updates
Complying with our regulatory and legal obligations
Improving our services through anonymised analytics

5. Data Sharing

We do not sell your personal data. We may share data with:

Stripe — for secure payment processing
Microsoft Teams — for video consultation delivery
Regulatory bodies — where required by law (e.g., CQC, MHRA)
Emergency services — where necessary to protect life
Your GP — with your consent, to ensure continuity of care

6. Data Retention

We retain clinical records for a minimum of 8 years from the date of last contact, in accordance with private practice clinical governance standards and regulatory guidance. Financial records are retained for 7 years. You may request deletion of non-clinical data at any time.

7. Your Rights

Under UK GDPR, you have the right to:

Access — request a copy of your personal data (Subject Access Request)
Rectification — correct inaccurate or incomplete data
Erasure — request deletion of your data (subject to legal retention requirements)
Restriction — restrict processing of your data in certain circumstances
Portability — receive your data in a machine-readable format
Object — object to processing based on legitimate interests
Withdraw consent — at any time, where processing is based on consent

To exercise your rights, use the "My Data" section in your patient portal, or contact us at [email protected]. We will respond within 30 days.

8. Cookies

We use essential cookies for site functionality and, with your consent, analytics cookies to improve our service. You can manage your cookie preferences via the cookie banner or your browser settings.

9. Security

We implement appropriate technical and organisational measures to protect your data, including TLS encryption in transit, encrypted storage of health data, access controls, and regular security assessments.

10. Data Breach Notification

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of the breach, where it is likely to result in a risk to individuals' rights and freedoms, in accordance with UK GDPR Article 33. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay under UK GDPR Article 34. We maintain an internal breach log and will take immediate steps to contain and remediate any breach. If you suspect a breach involving your data, please contact us immediately at [email protected].

11. Complaints

If you have concerns about how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.