Privacy Policy

Version 1.1 — Last updated: 13 March 2026

Clare Connolly Weight Loss Clinic ("we", "us", "our") is committed to protecting your personal data. This Privacy Policy explains how we collect, use, and protect your information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Data Controller

The data controller is Clare Connolly Weight Loss Clinic, operated by LSJ Rejuvenate LTD, registered in England and Wales. For data protection enquiries, contact: [email protected]

ICO Registration Number: ZA165050. You can verify our registration at ico.org.uk. Companies House Registration Number: 09987395.

2. Data We Collect

Personal Data

  • Name, date of birth, gender, contact details (email, phone, address)
  • Account credentials and authentication data
  • Payment information (processed securely via Stripe — we do not store card details)

Special Category Health Data

  • Medical history, current medications, allergies
  • Body measurements (weight, height, BMI, waist circumference)
  • Lifestyle data (sleep, exercise, habits)
  • Clinical notes and prescribing decisions

Technical Data

  • IP address, browser type, device information
  • Cookie data (see our Cookie Policy)
  • Portal usage analytics

3. Legal Basis for Processing

We process your data under the following legal bases:

  • Contract performance — to deliver the weight management programme you have enrolled in
  • Legitimate interests — to improve our services and ensure clinical safety
  • Legal obligation — to comply with healthcare regulations and GDPR requirements
  • Explicit consent — for processing special category health data and optional marketing communications
  • Vital interests — in emergency situations where processing is necessary to protect life

4. How We Use Your Data

  • Assessing your eligibility for the weight management programme
  • Providing clinical consultations and prescribing services
  • Managing your patient portal and progress tracking
  • Processing payments and managing subscriptions
  • Communicating with you about appointments and programme updates
  • Complying with our regulatory and legal obligations
  • Improving our services through anonymised analytics

5. Third-Party Data Processors

We do not sell your personal data. We engage the following third-party data processors under written Data Processing Agreements (DPAs) in accordance with UK GDPR Article 28. Each processor acts only on our documented instructions and implements appropriate technical and organisational measures to protect your data.

  • Stripe, Inc.
    Purpose: Secure payment processing and subscription management
    Data transferred: Name, email, payment card details (tokenised — we never see raw card numbers)
    DPA / privacy terms: Stripe Privacy Policy & DPA
  • Manus AI (hosting provider)
    Purpose: Web application hosting, database storage, file storage (S3), and platform infrastructure
    Data transferred: All data stored on the platform, including health data, clinical records, and uploaded files
    DPA / privacy terms: Manus Terms of Service
  • Resend
    Purpose: Transactional email delivery (appointment confirmations, portal invitations, approval/decline notifications)
    Data transferred: Name, email address, and the content of transactional emails
    DPA / privacy terms: Resend Privacy Policy
  • Microsoft Corporation (Teams)
    Purpose: Video consultation delivery for remote clinical appointments
    Data transferred: Name, email address, and video/audio data during consultations
    DPA / privacy terms: Microsoft DPA & Privacy Statement

We may also share data with regulatory bodies (CQC, MHRA, NMC) where required by law, with emergency services where necessary to protect life, and with your GP with your explicit consent to ensure continuity of care.

6. Data Retention and Secure Deletion

Retention periods: Clinical records are retained for a minimum of 8 years from the date of last contact, in accordance with private practice clinical governance standards and the NHS Records Management Code of Practice. Financial records are retained for 7 years in accordance with HMRC requirements. Screening questionnaire data and uploaded photographs are retained for the same 8-year clinical period.

Secure deletion procedure: Upon expiry of the applicable retention period, personal data is permanently deleted from our database and all associated files are permanently removed from our S3 storage. File removal uses a cryptographic deletion process: the encryption keys protecting the files are destroyed, so that any residual copy of the encrypted data is unreadable. Deletion is recorded in our internal data governance log with the date, data category, and confirmation of deletion. Backups containing expired data are overwritten within 30 days of the scheduled deletion date. You may request deletion of non-clinical data at any time via the patient portal or by contacting our Data Protection Officer (DPO).

7. Your Rights Under UK GDPR

Under the UK General Data Protection Regulation and the Data Protection Act 2018, you have the following rights. You can exercise any of these rights using the "My Data & Privacy" section in your patient portal, or by contacting us at [email protected]. We will respond within one calendar month (extendable by a further two months for complex requests).

  • Right of Access (Article 15) — request a copy of all personal data we hold about you (Subject Access Request). We will provide this in a structured, commonly used format within one month.
  • Right to Rectification (Article 16) — request correction of inaccurate or incomplete personal data without undue delay.
  • Right to Erasure (Article 17) — request deletion of your data where it is no longer necessary for the purpose it was collected, subject to our legal retention obligations for clinical and financial records.
  • Right to Restriction (Article 18) — request that we limit how we process your data — for example, while a dispute about accuracy is being resolved.
  • Right to Data Portability (Article 20) — receive your personal data in a machine-readable format (JSON or CSV) to transfer to another controller, where processing is based on consent or contract.
  • Right to Object (Article 21) — object to processing of your personal data where we rely on legitimate interests as our lawful basis. Upon receiving an objection, we will cease processing unless we can demonstrate compelling legitimate grounds that override your interests, or where processing is necessary for the establishment, exercise, or defence of legal claims. To submit a formal objection, use the "Object to Processing" option in the "My Data & Privacy" section of your patient portal, or contact our DPO directly. We will acknowledge your objection within 72 hours and provide a full response within one month.
  • Right to Withdraw Consent (Article 7) — withdraw consent at any time where processing is based on consent (e.g., optional marketing communications). Withdrawal does not affect the lawfulness of processing carried out before withdrawal.
  • Rights related to automated decision-making (Article 22) — we do not make solely automated decisions that produce legal or similarly significant effects about you.

8. Cookies

We use essential cookies for site functionality and, with your consent, analytics cookies to improve our service. You can manage your cookie preferences via the cookie banner or your browser settings.

9. Security and Penetration Testing

We implement appropriate technical and organisational measures to protect your data, including TLS encryption in transit, AES-256-GCM field-level encryption for all special category health data, role-based access controls, session timeout enforcement, and audit logging of all sensitive data access. We commission an independent penetration test and vulnerability assessment before go-live and annually thereafter. Test findings and remediation actions are documented in our internal security governance log. If you have identified a security vulnerability, please report it responsibly to [email protected].
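The two technical measures named in sections 6 and 9, AES-256-GCM field-level encryption of health data and cryptographic deletion, are usually implemented together: each patient record gets its own data encryption key (DEK), every sensitive field is encrypted under that DEK with associated data that names the record and the field, and deleting the patient's DEK is what makes the ciphertext unrecoverable. The Go program below is an added illustration written for this page; it is not the clinic's code, and the page does not describe how the clinic's system is built. The in-memory key store and KEK, the patient ID and the field names are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyStore holds one data encryption key (DEK) per patient, each wrapped under a
// key encryption key (KEK). ASSUMPTION: the KEK is an in-memory value here; in a
// real deployment it would live in a KMS or HSM and never be loaded into the app.
type KeyStore struct {
	kek     []byte
	wrapped map[string][]byte // patientID -> nonce || AES-GCM-wrapped DEK
}

func NewKeyStore(kek []byte) (*KeyStore, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes for AES-256")
	}
	return &KeyStore{kek: kek, wrapped: make(map[string][]byte)}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// aeadSeal encrypts plaintext with AES-256-GCM under key, authenticating aad, and
// returns nonce || ciphertext || tag. A fresh random 96-bit nonce is used per call.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize(), aead.NonceSize()+len(plaintext)+aead.Overhead())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; it fails if key, nonce, aad or ciphertext differ.
func aeadOpen(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns+aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// ProvisionDEK generates a random 256-bit DEK for a patient and stores it wrapped
// under the KEK; the patient ID is associated data so a wrapped key cannot be
// re-labelled as another patient's.
func (ks *KeyStore) ProvisionDEK(patientID string) error {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return err
	}
	w, err := aeadSeal(ks.kek, dek, []byte("dek:"+patientID))
	if err != nil {
		return err
	}
	ks.wrapped[patientID] = w
	return nil
}

func (ks *KeyStore) unwrapDEK(patientID string) ([]byte, error) {
	w, ok := ks.wrapped[patientID]
	if !ok {
		return nil, fmt.Errorf("no DEK for patient %q: never provisioned or cryptographically deleted", patientID)
	}
	return aeadOpen(ks.kek, w, []byte("dek:"+patientID))
}

// EncryptField encrypts one special-category field (e.g. "medications"). The
// associated data binds the ciphertext to patientID and field, so a blob moved
// into another record or another column fails authentication on decrypt.
func (ks *KeyStore) EncryptField(patientID, field string, value []byte) ([]byte, error) {
	dek, err := ks.unwrapDEK(patientID)
	if err != nil {
		return nil, err
	}
	return aeadSeal(dek, value, []byte(patientID+"/"+field))
}

func (ks *KeyStore) DecryptField(patientID, field string, blob []byte) ([]byte, error) {
	dek, err := ks.unwrapDEK(patientID)
	if err != nil {
		return nil, err
	}
	return aeadOpen(dek, blob, []byte(patientID+"/"+field))
}

// CryptoShred is the cryptographic deletion step: destroying the wrapped DEK makes
// every field ever encrypted under it unrecoverable, including copies that still
// sit in database dumps or object-storage backups until those are overwritten.
func (ks *KeyStore) CryptoShred(patientID string) {
	delete(ks.wrapped, patientID)
}

func main() {
	kek := make([]byte, 32) // constructed for this demo; a real KEK stays in a KMS
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	ks, _ := NewKeyStore(kek)
	_ = ks.ProvisionDEK("patient-0001") // constructed patient ID
	blob, _ := ks.EncryptField("patient-0001", "medications", []byte("metformin 500mg"))
	pt, err := ks.DecryptField("patient-0001", "medications", blob)
	fmt.Printf("decrypt:     %q err=%v\n", pt, err)
	_, err = ks.DecryptField("patient-0001", "allergies", blob)
	fmt.Println("wrong field: err =", err)
	ks.CryptoShred("patient-0001")
	_, err = ks.DecryptField("patient-0001", "medications", blob)
	fmt.Println("after shred: err =", err)
}
```

Two points the code makes visible that the policy text does not: the associated data ties each ciphertext to exactly one patient and one field, so a database-level attacker cannot swap a clinical note into another record; and cryptographic deletion covers the window before expired backups are overwritten, because a backup that still holds the ciphertext holds nothing that can be decrypted. That second property only holds if the key store itself is never restored from an older backup, so key-store backups need their own, shorter deletion schedule.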

10. Data Breach Notification

In the event of a personal data breach, we will notify the Information Commissioner's Office (ICO) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms, in accordance with UK GDPR Article 33. Where a breach is likely to result in a high risk to your rights and freedoms, we will notify you directly without undue delay under UK GDPR Article 34. We maintain an internal breach log and will take immediate steps to contain and remediate any breach. If you suspect a breach involving your data, please contact us immediately at [email protected].

11. Complaints

If you have concerns about how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or by calling 0303 123 1113.

© 2026 Clare Connolly Weight Loss Clinic. All rights reserved.