Privacy Policy
How we handle your personal data — and the health data we hold to deliver your care. UK GDPR-compliant and CQC-regulated.
Last updated: 2026
Note: This is a working draft. Final policy is under solicitor review and will replace this document at launch.
1. Who we are
Surgical Recovery Ltd ("Surgical Recovery", "we", "us") is a private healthcare service registered with the Care Quality Commission (CRT1-12340848918) and incorporated in England and Wales (company number 11626202). Our registered office is in London, UK.
For data protection enquiries, contact our Data Protection Officer at dpo@surgicalrecovery.com.
2. The data we collect
We collect two categories of personal data.
Contact data
Name, email address, phone number, hospital, surgery date, and any contextual information you choose to share when enquiring through our website or speaking with our team.
Health data (special-category, GDPR Article 9)
If you become a patient of Surgical Recovery, we collect the clinical information necessary to deliver your pathway: medical history, current medication, surgical procedure, outcomes data (PROMs, NPS), and clinical observations made by our team during pre-op and post-op consultations and check-ins.
3. Why we hold this data
We process your data on the following lawful bases:
- Performance of contract — to deliver the clinical pathway you have purchased.
- Legitimate interests — to respond to enquiries and operate our service.
- Vital interests / public interest in healthcare — for processing of health data under GDPR Article 9(2)(h).
- Consent — for marketing communications, which we will only send if you opt in explicitly.
4. Who we share data with
We share your data only with:
- Your operating surgeon and their secretary, where you have authorised this and clinical safety requires it.
- The hospital where your surgery takes place, for continuity of care.
- Sub-processors who help us run the service (secure messaging platform, scheduling software, secure cloud hosting). All sub-processors are bound by appropriate data-processing agreements.
- Regulatory bodies (CQC, GMC, HCPC) where legally required.
We do not sell your data to anyone, ever.
5. How long we keep it
Clinical records are retained for the period required by the NHS Records Management Code of Practice for healthcare providers (typically a minimum of 8 years post-discharge for adult patients; longer for specific record categories). Contact and enquiry data is retained for 24 months unless you become a patient or opt in to ongoing communication.
6. Your rights
Under UK GDPR you have the right to:
- Access the data we hold about you
- Correct inaccurate or incomplete data
- Request deletion (subject to clinical-record retention requirements)
- Restrict or object to processing
- Data portability
- Withdraw consent for processing that relies on it
- Complain to the Information Commissioner's Office (ico.org.uk) if you are unhappy with how we have handled your data
To exercise any of these rights, contact dpo@surgicalrecovery.com. We will respond within one calendar month.
7. Cookies
This site uses cookie-free, privacy-respecting analytics (Plausible) to understand which pages visitors find useful. No cookies are set on first load; no tracking pixels are deployed. If we add anything more invasive in future, we will ask for your consent before doing so.
8. Security
We hold your data on secure infrastructure provided by reputable cloud vendors, encrypted in transit and at rest. Access to clinical data is restricted to staff who need it to deliver your care. All staff complete annual information-governance training.
9. Changes to this policy
We will update this policy as our service evolves. Material changes will be communicated to active patients by email at least 14 days before they take effect.
10. Contact
For any privacy or data-protection question, please email dpo@surgicalrecovery.com or write to our registered office.