1. Purpose of This Privacy Policy

This Privacy Policy explains how the entities listed below (“we”, “us”, or “our”) collects, uses, stores, and protect personal data when you use our services.

The companies below are collectively referred to as the Hair Growth Centre Group.

• Hairgrowthcentresurgery Limited (Company No. 12476527) — 158-160 Kenton Road, Harrow, Middlesex, United Kingdom, HA3 8AZ

We are committed to:

• Protecting confidentiality, dignity, and patient trust
• Processing personal data lawfully, fairly, and transparently
• Meeting our obligations under UK GDPR, the Data Protection Act 2018, and Care Quality Commission (CQC) expectations for safe and well-led care

This policy supports our duty to provide safe, effective, and accountable healthcare services.

2. Data Controller and Accountability

Where required, we have appointed a Data Protection Officer (DPO) or Information Governance Lead responsible for overseeing compliance and advising on data protection matters.

Contact: support@hairgrowthcentre.com

We maintain appropriate records of processing activities and data protection impact assessments (DPIAs), in line with regulatory expectations.

3. Personal Data We Process

3.1 Personal and Contact Information

• Name
• Date of birth
• Address
• Email address
• Telephone number

3.2 Health and Care Information (Special Category Data)

• Medical records and clinical notes
• Test results and diagnostic reports
• Treatment plans and outcomes
• Appointment and referral information

3.3 Technical and Usage Data

• IP address
• Login records and access logs
• Device and browser information

3.4 Communications

• Secure messages exchanged through the Portal
• Requests, feedback, and complaints

We collect only data that is necessary, relevant, and proportionate to the delivery of safe healthcare services.

4. How We Collect Personal Data

Personal data is collected:

• Directly from you when you register or use the Portal
• From healthcare professionals involved in your care
• Automatically through secure system logs and monitoring tools

We ensure data collection is lawful, transparent, and clearly explained to service users.

5. How and Why We Use Personal Data

We use personal data to:

• Deliver safe, effective, and continuous healthcare
• Maintain accurate and up-to-date medical records
• Enable secure communication between patients and clinicians
• Support clinical decision-making and continuity of care
• Meet legal, regulatory, and professional obligations
• Monitor quality, safety, and service performance

We do not use personal data for advertising or unrelated commercial purposes.

6. Lawful Bases for Processing

6.1 General Personal Data

Processing is carried out under:

• Article 6(1)(b) – performance of a contract
• Article 6(1)(c) – compliance with a legal obligation
• Article 6(1)(f) – legitimate interests, where appropriate

6.2 Health and Special Category Data

Processing is necessary for:

• Article 9(2)(h) – provision and management of health or social care
• Schedule 1, Part 1 of the Data Protection Act 2018

These bases support our duty of care and compliance with professional and regulatory standards.

7. Confidentiality and Information Sharing

We respect patient confidentiality and share personal data only where:

• It is necessary for your direct care
• You have provided consent where required
• There is a legal or regulatory obligation
• There is a safeguarding or public safety concern

Data may be shared with:

• Members of the Hair Growth Centre Group
• Healthcare professionals involved in your care
• Diagnostic and referral partners
• IT service providers acting under strict contractual controls
• Regulators such as the CQC where lawfully required

All sharing is proportionate, justified, and documented.

8. Safeguarding and Public Interest

We may disclose personal data without consent where necessary to:

• Protect you or others from harm
• Safeguard children or vulnerable adults
• Comply with court orders or statutory duties

Such disclosures are made in accordance with safeguarding laws and professional guidance.

9. Data Security and Information Governance

We maintain robust information governance arrangements, including:

• Role-based access controls
• Encryption of data in transit and at rest
• Secure hosting environments
• Staff training on confidentiality and data protection
• Incident and data breach management procedures

All staff are subject to confidentiality obligations and appropriate checks.

10. Data Retention

We retain personal data in line with:

• NHS Records Management Code of Practice (where applicable)
• Professional regulatory guidance
• Legal and contractual requirements

Data is securely disposed of when no longer required.

11. Your Rights

Under UK GDPR, you have the right to:

• Access your personal data
• Request correction of inaccurate information
• Request restriction or objection to processing
• Request erasure, where legally permitted
• Receive your data in a portable format (where applicable)

You also have the right to raise concerns or complaints without fear of detriment to your care.

12. Complaints and the ICO

If you are unhappy with how we handle your data, you may contact us using the details above.

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK regulator for data protection.

13. Cookies and System Monitoring

The Portal uses cookies and monitoring tools necessary for:

• Security
• Authentication
• System performance

Further details are provided in our Cookie Policy, where applicable.

14. Review and Updates

This Privacy Policy is reviewed regularly as part of our governance and quality assurance processes.

Any material changes will be communicated through the Portal and take effect from the revised date.

Last updated: (February 2026)