Privacy Policy

This Privacy Policy explains how we collect, use, and protect your
personal information when you interact with our services.

 

Last updated: 11-25-2025


1. Who we are

This Privacy Policy explains how we collect, use and protect your personal data when you use:

  • our website at myscanhub.com (the “Website”);

  • the MyScanHub account and membership portal; and

  • any private diagnostic imaging and related health services we provide.

In this notice:

  • “MyScanHub”, “we”, “us”, “our” means MYSCANHUB LTD, a company registered in England and Wales with: (Companies House)

    • company number: 16705880

    • registered office address: 277–279 Chiswick High Road, London, United Kingdom, W4 4PU (Companies House)

  • “you” or “your” means the individual whose personal data we process (for example, a patient, member, website visitor or someone contacting us on behalf of a patient).

For the purposes of the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018, MYSCANHUB LTD is the data controller of your personal data in connection with our Website, membership services and any diagnostic or health-related services that we provide. (ICO)

Contact details

If you have any questions about this Privacy Policy or how we use your data, you can contact us at:

  • Email: [insert main data protection contact email – e.g. privacy@myscanhub.com]

  • Postal address: Data Protection Lead, MYSCANHUB LTD, 277–279 Chiswick High Road, London, W4 4PU, United Kingdom

Please mark your email or letter “Data protection query”.


2. Scope of this Privacy Policy

This Privacy Policy applies to personal data we process when:

  • you visit or use our Website;

  • you create and use a MyScanHub account or membership;

  • you book or receive scans or related services from us;

  • you communicate with us by phone, email, live chat, post or social media; and

  • you take part in our surveys, feedback requests or marketing campaigns.

It does not cover the processing of your personal data by other healthcare providers (for example your GP, NHS Trust or private consultant) who may receive your results or referrals from us. Those organisations are separate data controllers and must provide their own privacy information.


3. The personal data we collect

Because we provide health-related services, we may process “special category” personal data, including information about your health, which is subject to enhanced protection under the UK GDPR. (ICO)

Depending on your interactions with us, we may collect and process the following categories of personal data:

3.1 Identity and contact data

  • Full name, title and date of birth

  • Contact details (address, email, telephone number)

  • Gender or preferred form of address

  • Emergency contact details and next of kin

3.2 Health and clinical data (special category data)

  • Information about your symptoms and medical history relevant to your interaction with us

  • Details in referrals from your GP or other healthcare professionals

  • Responses to clinical questionnaires

  • Results of scans and examinations (including images and clinical reports)

  • Notes or correspondence relating to your care

3.3 Account, membership and booking data

  • MyScanHub account details (email/username and password – stored in encrypted form)

  • Membership plans and benefits selected

  • Appointment bookings, rescheduling and cancellations

  • Communications preferences (e.g. SMS or email reminders)

  • Feedback, complaints and survey responses

3.4 Payment and transaction data

  • Payment details (e.g. method of payment, date, amount and status)

  • Limited card information processed via our payment provider (we do not store full card numbers on our own systems)

  • Information required for issuing refunds or dealing with disputed transactions

3.5 Technical and usage data

  • IP address, browser type and device identifiers

  • Log-in data and account activity

  • Pages viewed and interactions with our Website and portal

  • Information about how you interact with our emails and marketing

3.6 Marketing and communications data

  • Your choices about receiving marketing and newsletters from us

  • Records of consent and opt-out preferences

  • Information about how you respond to campaigns or promotions


4. How we collect personal data

We collect personal data from you:

  • when you complete forms on our Website or portal;

  • when you create or use your MyScanHub account and membership;

  • when you book or attend appointments with us;

  • when you communicate with us by phone, email, live chat, post or social media;

  • when you respond to our surveys or feedback requests; and

  • automatically, via cookies and similar technologies when you interact with our Website (see section 8).

We may also receive personal data about you from:

  • your GP, consultant or other healthcare professionals who refer you to us or share information for your care;

  • private medical insurers, employers, or other third parties who arrange or pay for services on your behalf;

  • our payment processors, banks and fraud prevention services; and

  • public authorities or regulators where this is legally required.


5. Our purposes and lawful bases for using your data

Under UK data protection law we must have a lawful basis to use your personal data, and – for health information – an additional legal condition for processing special category data. (ICO)

5.1 Providing health-related and diagnostic services

Purposes

  • Registering you as a patient or customer

  • Booking and managing appointments

  • Conducting scans and related examinations

  • Preparing scan reports and maintaining clinical records

  • Sharing results with you and (where requested or appropriate) with your GP, consultant or other healthcare professionals

  • Arranging follow-up care, further imaging or referrals

Lawful bases

  • Contract (Art. 6(1)(b) UK GDPR) – processing is necessary to provide the services you request or to take steps before entering into a contract with you.

  • Legal obligation (Art. 6(1)(c)) – we must keep appropriate records and comply with health, tax and other legal requirements.

  • Legitimate interests (Art. 6(1)(f)) – managing our services efficiently, ensuring quality of care and keeping accurate records.

For health and other special category data, we additionally rely on:

  • Art. 9(2)(h) UK GDPR and relevant provisions of the Data Protection Act 2018 – processing is necessary for the purposes of medical diagnosis and the provision of health or social care;

  • Art. 9(2)(c) – processing is necessary to protect your vital interests in an emergency if you are unable to give consent. (ICO)


5.2 Operating the MyScanHub Website, portal and membership

Purposes

  • Creating and managing user accounts

  • Providing secure access to your information and services

  • Managing membership plans, renewals and payments

  • Detecting and preventing abuse or misuse of our systems

Lawful bases

  • Contract – to provide and manage your account and membership services

  • Legitimate interests – to provide secure, efficient online services, maintain IT security and improve user experience

Special category data accessed via the portal is processed under the same health and care conditions as set out in 5.1 above.


5.3 Communications and customer support

Purposes

  • Responding to enquiries, feedback and complaints

  • Sending appointment confirmations, reminders and practical information

  • Contacting you about important changes to our services or this Privacy Policy

Lawful bases

  • Contract – where the communication is needed to deliver our services to you

  • Legitimate interests – to provide good customer service and keep you informed about important non-marketing information


5.4 Marketing

Purposes

  • Sending you information about our services, offers or events that may be of interest

  • Running referral or loyalty schemes

  • Measuring the effectiveness of our marketing

Lawful bases

  • Consent (Art. 6(1)(a)) – for certain types of electronic marketing, we will only send you communications if you have given us your consent, in line with the UK rules on privacy and electronic communications. (GOV.UK)

  • Legitimate interests (Art. 6(1)(f)) – where permitted under those rules, we may send marketing to existing customers about similar services, subject to your right to opt out at any time.

You can withdraw your consent or opt out of marketing at any time by using the unsubscribe links in our emails or by contacting us.

We do not sell your personal data to third-party marketers.


5.5 Website analytics, cookies and security

Purposes

  • Running and improving our Website and portal

  • Measuring and understanding how visitors use our online services

  • Keeping our IT systems secure and preventing fraud or misuse

Lawful bases

  • Legitimate interests – to operate a secure, user-friendly Website and understand how it is used

  • Consent – for non-essential cookies or similar technologies used for analytics or advertising (see section 8), in line with UK privacy and electronic communications rules and the data reforms introduced by the Data (Use and Access) Act 2025. (Legislation.gov.uk)


5.6 Legal, regulatory and business requirements

Purposes

  • Complying with our legal and regulatory obligations

  • Dealing with legal claims, audits and inspections

  • Obtaining professional advice (for example from lawyers, auditors or insurers)

  • Supporting business restructuring or corporate transactions

Lawful bases

  • Legal obligation – where we must process data to comply with the law

  • Legitimate interests – to protect our business, people, patients and partners, and to manage corporate transactions

Special category data may be processed where necessary for establishing, exercising or defending legal claims, or under other relevant conditions permitted by law.


6. Cookies and similar technologies

Our Website uses cookies and similar technologies to:

  • enable basic site functionality (such as page navigation and access to secure areas);

  • remember your preferences; and

  • help us understand and improve how our Website is used.

Certain cookies are strictly necessary and are used without consent. For all non-essential cookies (such as analytics or advertising cookies), we will ask for your consent via our cookie banner when you first visit our Website, in line with the UK rules on cookies and electronic communications and the updated framework under the Data (Use and Access) Act 2025. (GOV.UK)

You can adjust your cookie settings at any time through:

  • the cookie controls on our Website; and/or

  • your browser settings.

For more detailed information about the specific cookies we use, their purposes and how long they last, please see our Cookie Policy.


7. Who we share your personal data with

We only share your personal data when necessary and in accordance with data protection law. Recipients may include:

7.1 Healthcare professionals and organisations

  • Your GP, consultant or other healthcare professionals involved in your care, where you ask us to share information or where we reasonably consider it to be in your vital interests (for example where serious findings require urgent follow-up);

  • Hospitals, clinics or other providers where you are referred for further assessment or treatment.

7.2 Our suppliers and service providers

We use third-party suppliers to help deliver our services, for example:

  • IT and cloud hosting providers;

  • clinical systems and imaging platforms (e.g. RIS, PACS, patient portals); (rcr.ac.uk)

  • payment processors and banks;

  • customer support and communication platforms;

  • analytics and security service providers; and

  • professional advisers such as lawyers, auditors and insurers.

Where these third parties act as our data processors, they must follow our instructions, keep your data secure and are subject to appropriate contractual protections.

7.3 Public authorities, regulators and others

We may share personal data where required by law, for example with:

  • health regulators and public bodies;

  • HM Revenue & Customs and other government authorities;

  • the Information Commissioner’s Office (ICO) if we are required to cooperate with an investigation. (GOV.UK)

7.4 Business transfers

If we undergo a reorganisation, merger or sale, we may need to transfer relevant personal data to prospective or actual purchasers, under appropriate confidentiality obligations.

We do not sell your personal data for unrelated marketing purposes.


8. International transfers

Some of our suppliers may be located outside the UK or may use servers based overseas. Where we transfer your personal data outside the UK we will ensure that:

  • the destination country has been recognised by the UK government as providing an adequate level of protection; or

  • we have put in place appropriate safeguards, such as the UK International Data Transfer Agreement or approved standard contractual clauses, together with any additional measures required by law.

You can contact us if you would like further details of the safeguards in place for international transfers.


9. How long we keep your personal data

We keep your personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy and to comply with our legal and regulatory obligations.

Because we provide health-related services, we must keep clinical records for certain minimum periods, following national guidance such as the NHS Records Management Code of Practice and specialist radiology record-retention guidance. These generally recommend that many adult health records, including imaging records and reports, are retained for at least 8 years after the end of care, and sometimes longer (for example for children or particular clinical contexts). (rcr.ac.uk)

As a guide (actual periods may vary):

  • Clinical and imaging records – normally at least 8 years after your last episode of care with us, and longer where required by professional or legal guidance;

  • Financial records and payment information – typically 6–7 years to comply with tax and accounting rules;

  • Marketing data – until you withdraw consent or object, after which we retain only a minimal record to respect your preference;

  • Website logs and analytics data – kept only for a limited period needed for security and analysis.

Once we no longer need your data, we will securely delete it or anonymise it so that you can no longer be identified.


10. How we protect your personal data

We take appropriate technical and organisational measures to protect your personal data, including:

  • encryption, firewalls and access controls;

  • secure clinical and imaging systems with role-based access and audit logs;

  • regular staff training on data protection and confidentiality; and

  • back-up, incident response and business continuity arrangements.

If we become aware of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and, where required, the ICO.


11. Your rights

Under the UK GDPR, you have the following rights in relation to your personal data, subject to certain conditions: (ICO)

  1. Right of access – to obtain a copy of your personal data and certain related information.

  2. Right to rectification – to have inaccurate or incomplete data corrected.

  3. Right to erasure – to ask us to delete your personal data in certain circumstances.

  4. Right to restrict processing – to ask us to suspend certain processing while we consider a request or concern.

  5. Right to data portability – where applicable, to receive certain data in a structured, commonly used and machine-readable format, and/or have it transmitted to another controller.

  6. Right to object

    • to processing carried out on the basis of our legitimate interests; and

    • to direct marketing at any time (including any profiling for direct marketing).

  7. Rights in relation to automated decision-making – you have rights where we carry out automated decisions producing legal or similarly significant effects; at present, we do not make such decisions about you without human involvement.

Where we rely on consent, you have the right to withdraw your consent at any time. This will not affect the lawfulness of processing carried out before withdrawal, but we will stop the relevant processing unless another lawful basis applies.

To exercise any of your rights, please contact us using the details in section 1. We may ask you for information to confirm your identity.


12. Children and vulnerable individuals

Our services may be accessed on behalf of children and vulnerable individuals. Where we process their personal data:

  • we may need consent or authorisation from a person with parental responsibility or an appropriate representative, in line with applicable law;

  • we take particular care to protect their privacy; and

  • we use clear, age-appropriate explanations where possible.

If you are a parent, guardian or carer and you have concerns about our use of a child’s information, please contact us.


13. Third-party links

Our Website may contain links to third-party websites, plug-ins or applications (for example, maps, booking services or social media). Clicking on such links may allow third parties to collect or share data about you.

We do not control these third-party sites and are not responsible for their privacy statements. We encourage you to read the privacy information of other sites you visit.


14. How to complain

If you are unhappy with how we use your personal data, please contact us first so we can try to resolve the issue.

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection:

  • Website: https://ico.org.uk

  • Telephone: 0303 123 1113

  • Post:
    Information Commissioner’s Office
    Wycliffe House
    Water Lane
    Wilmslow
    Cheshire, SK9 5AF (ICO)


15. Changes to this Privacy Policy

We may update this Privacy Policy from time to time, for example to reflect:

  • changes in our services;

  • updates to UK data protection law (including developments under the Data (Use and Access) Act 2025 and associated guidance) (Legislation.gov.uk); or

  • feedback or guidance from regulators such as the ICO.

When we make significant changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify you via the Website, portal or email.

We encourage you to review this Privacy Policy regularly to stay informed about how we use and protect your information.

 
