Privacy Policy (UK)

How EyeSurgeryClinic.co.uk collects and protects your personal information when you visit, request an appointment, or contact our private eye surgery team, and your rights under UK GDPR. Last reviewed 30 May 2026.

This privacy policy explains how EyeSurgeryClinic.co.uk, the data controller, collects and uses your personal information. We collect only what we need to respond to enquiries and arrange care, treat health information as special category data, and give you UK GDPR rights including access, correction, deletion and objection. We aim to respond to rights requests within 30 days.

Who we are (Data Controller)

This website is operated by EyeSurgeryClinic.co.uk ("we", "us", "our"). For the purposes of UK data protection law, we act as the data controller for personal information collected via our website, including appointment enquiries for private eye surgery such as cataract surgery and oculoplastics procedures.

This privacy policy applies to information collected when you:

  • Visit EyeSurgeryClinic.co.uk and browse pages
  • Complete an online form to request an appointment or call back
  • Contact us by phone, email, or other channels linked from the site

Important: If you are already a patient, additional privacy information may be provided at the clinic (for example, about clinical records). This page focuses primarily on data processed through this website and initial enquiries.

To ask a privacy question or request your data, use the privacy request form. If your query relates to an appointment, use the appointment enquiry form. We aim to respond within 30 days to rights requests; we may ask for ID to verify your identity; and for urgent medical concerns, contact your clinician or NHS 111/999 as appropriate.

What personal data we collect

We collect only the information we need to run our website, respond to enquiries, and help you arrange care. The categories below are examples; what we collect depends on how you interact with us.

Identity & contact details

  • Name (first name and surname)
  • Email address
  • Telephone number
  • Postcode (to support logistics and service planning)

Enquiry information

  • Your message and preferred callback times
  • Procedure interest (e.g., cataract surgery, oculoplastics)
  • Any information you choose to share about symptoms or history

Technical & usage data

  • IP address and device/browser details
  • Pages viewed and referral sources
  • Cookie and analytics identifiers (where enabled)

Health data: Information about your eyesight, symptoms, diagnoses, medications, or treatment is treated as special category data under UK GDPR. Please only share what is necessary for us to triage your enquiry and arrange the right next step.

How we use your information

We use personal data to provide safe, responsive service and to run our clinic operations effectively. Typical purposes include:

Responding to enquiries

  • Confirming your request and contacting you back
  • Answering questions about cataract surgery, oculoplastics, and related procedures
  • Arranging consultations and discussing availability

Operating and improving the website

  • Maintaining security and preventing fraud
  • Understanding which pages are useful (analytics where enabled)
  • Fixing issues and improving usability and accessibility

Marketing communications

We do not send unsolicited marketing. If we ever send clinic updates, reminders, or information about services, we will do so in line with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR. You can opt out at any time.

Please do not use this website for emergencies. If you have sudden vision loss, severe eye pain, or other urgent symptoms, seek immediate medical help.

Our lawful bases (UK GDPR)

UK GDPR requires us to have a lawful basis for processing personal data. Depending on the context, we rely on one or more of the following:

Activity | Personal data lawful basis | Special category (health) condition
Responding to your appointment enquiry | Legitimate interests / steps prior to entering a contract | Provision of health or social care (as applicable) and/or explicit consent where required
Managing bookings and communications | Contract / legitimate interests | Health care management purposes (as applicable)
Website security, fraud prevention, logging | Legitimate interests / legal obligations (where applicable) | Not usually required
Analytics and performance measurement (where enabled) | Consent and/or legitimate interests depending on the tool and configuration | Not applicable

Where we rely on consent, you can withdraw it at any time. Withdrawing consent does not affect processing already carried out.

Who we share data with

We do not sell your personal information. We may share it with trusted third parties only where necessary to operate the website, manage enquiries, and deliver services. These parties act as our data processors or as independent controllers depending on the situation.

Typical recipients

  • Website hosting and infrastructure providers
  • Email/communication and customer support systems
  • Analytics providers (if enabled, subject to cookie settings)
  • IT security and maintenance partners

When sharing may be required

  • To comply with a legal obligation or court order
  • To protect patient safety, rights, or property
  • To investigate or prevent security incidents
  • In connection with a business transfer (with appropriate safeguards)

Where we use processors, we put contracts in place to ensure they handle data securely and only on our instructions.

Cookies and similar technologies

Cookies are small text files stored on your device. We may use cookies to make the site work reliably, to protect security, and to understand how visitors use the site (where enabled). In the UK, non-essential cookies typically require your consent.

Cookie type | Purpose | Typical legal basis
Strictly necessary | Core site functions, security, load balancing | Legitimate interests / necessary for service
Analytics | Measure usage to improve content and journeys | Consent (in most cases)
Preference/functionality | Remember settings (where available) | Consent or legitimate interests depending on impact

You can usually manage cookies through your browser settings. If we operate a cookie banner on this site, you can change preferences there as well. For more detail, see our cookie policy.

How we keep your data secure

We take appropriate technical and organisational measures to protect personal information, including health-related information you share in an enquiry. Security controls may include access controls, encryption in transit, monitoring, and staff confidentiality obligations.

  1. Minimisation: we only request information relevant to your enquiry.
  2. Access control: access is limited to authorised team members and suppliers.
  3. Secure transmission: we use HTTPS where supported to protect data in transit.
  4. Supplier assurance: processors must meet security and confidentiality standards.
  5. Incident response: we investigate potential breaches and notify the ICO and affected individuals where required by law.

Your role: avoid sharing highly sensitive details in free-text fields unless necessary. If you believe your information has been compromised, contact us via the privacy request form.

How long we keep your data

We keep personal information only for as long as necessary for the purpose it was collected, including for legal, regulatory, and clinical governance needs (where applicable). Retention periods can vary based on whether you become a patient and the nature of our relationship.

Typical approach:

  • Enquiry data: kept long enough to manage your request and follow-up, then securely deleted or anonymised unless we have a legitimate reason to retain it.
  • Patient records: if you proceed to consultation/treatment, clinical records may be retained in line with UK healthcare record retention guidance and legal obligations.
  • Technical logs: retained for security and operational reasons, typically for limited periods.

Your rights under UK GDPR

You have rights over your personal data. These rights are not absolute and may depend on why we process your information. We will always respond in line with UK law.

  • Access & portability: request a copy of your data, and request certain data in a portable format.
  • Correction & deletion: ask us to correct inaccurate information, and request deletion where applicable.
  • Objection & restriction: object to processing based on legitimate interests, and request restriction in certain circumstances.

How to exercise your rights: use the privacy request form. We may ask for information to verify your identity before we disclose or amend any data.

If you are unhappy with how we handle your data, you can also complain to the UK Information Commissioner’s Office (ICO). Visit ico.org.uk.

International transfers

Some suppliers (for example, hosting, communications, or analytics providers) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, such as UK adequacy regulations or approved contractual protections.

What this means for you: we assess supplier risk and security controls; we limit access to what is necessary for the service; and we put contractual measures in place where required.

Schedule an appointment (private eye surgery)

If you’d like to arrange a consultation for cataract surgery, oculoplastics, or another procedure, you can send an enquiry here. If your message includes health information, we will treat it with additional care as special category data.

Before you submit:

  • Only include details you’re comfortable sharing online.
  • For urgent symptoms, seek urgent care rather than waiting for a callback.
  • We may contact you to clarify your enquiry before booking.

By submitting, you confirm you have read this privacy policy and you are happy for us to contact you about your enquiry.

Privacy request form (UK GDPR)

Use this form to ask a question about this privacy policy, request a copy of your data, or exercise your UK GDPR rights. If your request relates to booking a consultation, you may prefer the appointment enquiry section.

To help us respond accurately and securely:

  • Tell us what you need (e.g., access request, correction, deletion, objection).
  • Provide contact details so we can confirm identity and respond.
  • Share relevant context (approximate dates of contact, the email/phone used).

We verify identity where needed, especially for sensitive or health-related data, and we usually respond within one month (may be extended for complex requests, with explanation).

Do not include passport/driving licence images in this message. If ID is required, we will explain a secure way to provide it.

Need help with your information or an appointment? We’ll respond as quickly as possible and handle your information in line with UK data protection requirements.

Frequently asked questions

Who is the data controller for this website?

EyeSurgeryClinic.co.uk ("we", "us", "our") is the data controller for personal information collected via the website, including appointment enquiries for private eye surgery such as cataract surgery and oculoplastics. This covers information collected when you browse the site, complete an online form, or contact us by phone, email or other linked channels.

What personal data do you collect about me?

We collect only what we need: identity and contact details (name, email, telephone, postcode); enquiry information (your message, preferred callback times, procedure interest and anything you choose to share about symptoms or history); and technical and usage data (IP address, device/browser details, pages viewed and cookie or analytics identifiers where enabled). Health information is treated as special category data.

What lawful basis do you rely on under UK GDPR?

Depending on the activity we rely on legitimate interests, steps prior to entering a contract, contract, and legal obligations. For special category (health) data we rely on conditions such as the provision of health or social care, health care management, and/or explicit consent where required. Where we rely on consent you can withdraw it at any time.

How can I withdraw my consent?

Where we rely on consent, you can withdraw it at any time. Withdrawing consent does not affect processing already carried out before you withdrew it. For cookie consent you can change your choices in your browser settings or any cookie banner. To withdraw consent for other processing, contact us using the privacy request form on this page.

How do I request a copy of my data or ask you to delete it?

Use the privacy request form on this page and tell us what you need—for example an access request, correction, deletion, objection or restriction. We may ask for information to verify your identity before we disclose or amend any data. You can request deletion in certain circumstances, though we may need to retain some information to meet legal obligations or for clinical governance.

How quickly will you respond to a UK GDPR request?

We aim to respond within one month of receiving your request. If it is complex, we may extend the timeframe (up to a further two months) and will explain why. Including the approximate dates of contact and the email or phone number you used helps us locate your information and respond more quickly.

How long do you keep my information?

We keep personal information only for as long as necessary for the purpose it was collected, including legal, regulatory and clinical governance needs. Enquiry data is kept long enough to manage your request and follow-up, then securely deleted or anonymised; clinical records (if you become a patient) are retained per UK healthcare record retention guidance; and technical logs are kept for limited periods.

Is my enquiry about cataract surgery treated as confidential?

Yes. We treat all enquiries as confidential. If you share information about your eyesight or medical history, it may be classed as special category data and handled with additional safeguards, limited access and appropriate security. Please only share what is necessary for us to triage your enquiry and arrange the right next step.

Do you share my details with insurers or other clinics, or sell my data?

We do not sell your personal information and do not share it with third parties for their own marketing. We may share data with processors who help us operate the website or manage communications—such as hosting, email and security providers—only where necessary and protected by contracts, or where required to comply with a legal obligation or protect patient safety.

How do you keep my data secure?

We use appropriate technical and organisational measures including data minimisation, access control limited to authorised team members and suppliers, secure transmission over HTTPS where supported, supplier security assurance, and incident response. If a breach occurs we investigate and notify the ICO and affected individuals where required by law.

Do you transfer my data outside the UK?

Some suppliers, such as hosting, communications or analytics providers, may process data outside the UK. Where this happens we ensure appropriate safeguards, such as UK adequacy regulations or approved contractual protections. We assess supplier risk and security controls, limit access to what is necessary, and put contractual measures in place where required.

How do I complain if I am unhappy with how you handle my data?

Please contact us first using the privacy request form so we can try to resolve your concern. You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk. The ICO regulates data protection in the UK and can consider complaints about how organisations handle personal information.

Updated on 13 Jun 2026