Privacy Policy (UK)

1) Who we are

This website is operated by Sonoworld Diagnostic Services Limited (“Sonoworld”, “we”, “us”, “our”).
We provide diagnostic ultrasound and related clinical services.

Data Controller (UK GDPR): Sonoworld Diagnostic Services Limited

• Company number: 08246554
• Registered office: 266–268 High Street, Waltham Cross, England, EN8 7EA
• Clinic address: 29 Weymouth Street, Marylebone, London, W1G 7DB
• Telephone: 020 3633 4902
• Email (data protection queries): info@sonoworld.co.uk (use subject line: “Data Protection Request”)

2) Scope of this policy

This Privacy Policy explains how we collect, use, share and protect personal data when you:

• visit and browse our website;
• enquire with us (online form, email, phone);
• book and attend an appointment;
• receive results, reports and follow-up communications; and/or
• engage with us for feedback/reviews or marketing (where applicable).

Our Cookie Policy explains cookies and similar technologies used on this site.

3) Personal data we collect

We may collect the following categories of personal data:

A. Identity and contact data

• Name, date of birth, gender (where relevant)
• Address, email address, telephone number
• Emergency contact details (where clinically appropriate)

B. Appointment and administrative data

• Appointment date/time, service selected, booking notes
• Payment status and receipts (we do not intentionally publish or store full card details on our website; card payments are handled via payment providers/terminals where used)

C. Health data (special category data)

Because we provide medical diagnostics, we may collect and generate:

• Symptoms and presenting complaint
• Relevant medical history, medications, allergies
• Pregnancy-related details (where relevant)
• Ultrasound images and measurements
• Clinical findings and diagnostic reports
• Onward referral recommendations and correspondence

D. Communications data

• Emails/messages you send us and our responses
• Information you provide via web forms

E. Website technical data

• IP address, device/browser information, pages viewed, referrer URLs, and similar usage data (via cookies and similar technologies, subject to your choices)

F. Reviews and testimonials (if you provide them)

• Your review content, name/initials as displayed on the relevant platform, and any information you choose to include in your review

4) Where we get your data from

We collect personal data:

• directly from you (booking, enquiry, forms, in-clinic questionnaires);
• from people acting on your behalf (e.g., a family member booking for you, where appropriate);
• from referring clinicians or healthcare providers (if you provide a referral or ask us to liaise with them);
• from website technologies (cookies/analytics, subject to settings).

5) How we use your personal data, and our legal bases

Under the UK GDPR, we need (1) a lawful basis under Article 6 for all personal data and (2) for health data,
an additional condition under Article 9 (special category).

A. Providing clinical services (bookings, scans, reports, follow-up)

Purpose: Schedule and deliver your appointment, conduct the scan, interpret results, create and provide your report, and manage appropriate clinical follow-up.

Article 6 basis: Contract; legal obligation; and/or legitimate interests in operating a safe clinical service.

Article 9 condition: Health or social care (diagnosis/treatment/management) with applicable safeguards.

B. Clinical safety, complaints, incident management, and regulatory obligations

Purpose: Clinical governance, patient safety, audit, complaint handling, and meeting legal/regulatory duties.

Article 6 basis: Legal obligation; legitimate interests.

Article 9 condition: Health or social care; and where relevant, substantial public interest with safeguards.

C. Communication and service administration

Purpose: Reminders, operational messages, responding to enquiries, sending instructions for scan preparation, and delivering your report securely.

Article 6 basis: Contract; legitimate interests.

D. Payments and accounting

Purpose: Taking payment, refunds, preventing fraud, accounting and tax records.

Article 6 basis: Contract; legal obligation; legitimate interests.

E. Website operation, security and anti-spam

Purpose: Protect our website and forms from abuse, maintain availability and security, and manage cookie preferences.

Article 6 basis: Legitimate interests; and where cookies/trackers are non-essential, consent.

F. Marketing (only where permitted)

Purpose: Send service updates or offers (e.g., by email/SMS) where you have opted in or where lawful.

Article 6 basis: Consent, or legitimate interests where permitted by applicable marketing law (and you can opt out at any time).

We do not use health data to target marketing.

6) Who we share your personal data with

We share personal data only where necessary, and subject to confidentiality and appropriate safeguards.

A. Clinical and administrative staff

Authorised clinicians and clinic administrative staff involved in your care and booking.

B. Healthcare professionals (with your permission or where appropriate)

• Your GP, consultant, or other providers if you ask us to send them your report, or where necessary for continuity of care.

C. Service providers (processors)

Trusted suppliers who help us operate, such as:

• website hosting/IT support;
• appointment/booking systems;
• secure email/SMS providers;
• payment providers;
• security/anti-spam tools;
• analytics/cookie consent tools (subject to settings).

These suppliers must act on our instructions and maintain security and confidentiality.

D. Legal and regulatory disclosures

We may disclose data where required by law, court order, or to regulators, or to protect rights/safety.

7) International transfers

Some suppliers may store/process data outside the UK. Where this happens, we use appropriate safeguards such as
UK adequacy regulations, UK-approved transfer mechanisms, contractual protections, and risk assessments.

8) How long we keep your data (retention)

We keep personal data only as long as necessary for the purposes described above, including legal, clinical and regulatory requirements.

• Clinical records: retained in line with recognised health-record retention principles and clinical governance needs.
• Financial records: retained for statutory accounting/tax periods.

Where retention must be longer (e.g., ongoing care, legal claims, safeguarding, or clinical relevance), we retain securely and restrict access.

9) Your rights

You have rights under UK GDPR, including:

• Right of access (a copy of your data)
• Right to rectification (correct inaccuracies)
• Right to erasure (in limited circumstances)
• Right to restrict processing
• Right to object (in certain cases, including direct marketing)
• Right to data portability (where applicable)
• Right to withdraw consent (where processing is based on consent)

We aim to respond without undue delay and usually within one month; this can be extended in certain complex cases as permitted by law.

How to exercise your rights: email info@sonoworld.co.uk
with “Data Protection Request” in the subject line. We may ask for proof of identity to protect confidentiality.

10) Complaints

If you are unhappy with how we handle your data, please contact us first so we can investigate and respond.

You also have the right to complain to the Information Commissioner’s Office (ICO), the UK data protection regulator.

11) Security

We use appropriate technical and organisational measures designed to protect personal data, such as:

• access controls and least-privilege access;
• secure storage and transmission methods where appropriate;
• staff confidentiality obligations and training;
• vendor due diligence and contractual security requirements.

No system is completely secure; if we become aware of a security incident that creates a risk to your rights and freedoms,
we will act in line with legal requirements.

12) Cookies and similar technologies

We use cookies and similar technologies. You can manage preferences via our cookie controls and/or browser settings.
Please see our Cookie Policy for details.

13) Children

Our services and website may be used by young people in certain circumstances (for example, where clinically appropriate and with consent/authority).
If you believe a child has provided personal data without appropriate authorisation, please contact us.

14) Changes to this policy

We may update this Privacy Policy to reflect changes in law, guidance, or our services.
The “Last reviewed” date will be updated accordingly, and material changes will be highlighted where appropriate.