Privacy Policy

Last updated: 8 May 2026

1. Who we are

WMG Health is the customer-facing brand for our private diagnostics service. Two registered companies sit behind it:

  • Westminster Medical Group (Company No. 11237471) holds the Care Quality Commission (CQC) registration and is responsible for all clinical services, including blood draws, sample handling, clinical review of results, and any follow-up care. Westminster Medical Group is the data controller for your clinical and health information.
  • WMG Health Ltd (Company No. 17127236) provides the booking, payment, and customer-facing commercial services. WMG Health Ltd is the data controller for your booking and payment information.

Both companies are registered in England and Wales at 134 Harley Street, London W1G 7JY. An intercompany data sharing arrangement is in place to allow your booking information to flow to the clinical team and your results to flow back to you securely.

We are committed to protecting your personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. For any privacy matters, you can contact us at: health@wmglondon.com or by post to our clinic address.

2. What data we collect

We may collect and process the following categories of personal data:

  • Identity data: your name, date of birth, NHS number (if provided)
  • Contact data: email address, telephone number, postal address
  • Health data: blood test results, diagnostic reports, clinical notes, medical history you share with us (this is special category data under UK GDPR)
  • Payment data: billing address and payment confirmation (card details are processed by our payment provider and never stored by us)
  • Technical data: IP address, browser type and version, pages visited, time and date of visits (collected via server logs)
  • Communications: enquiry form submissions, emails, call records

3. How we collect your data

  • When you complete our online booking or enquiry form
  • When you call or email us directly
  • When you attend our clinic and a blood draw is performed
  • When you access our website (technical data via server logs)
  • From our laboratory partners, who process your samples and return results to us

4. Legal basis for processing

We rely on the following lawful bases under UK GDPR:

  • Contract performance: to fulfil your booking and deliver your test results
  • Legal obligation: to comply with CQC, GMC, and HMRC requirements
  • Vital interests: in an emergency, to protect your life or that of another person
  • Legitimate interests: to improve our services, prevent fraud, and maintain clinic security
  • Explicit consent: for health (special category) data, we obtain your explicit consent at the point of booking and on our patient registration form. You may withdraw consent at any time.

5. How we use your data

  • To book and confirm your appointment
  • To perform your requested blood tests and deliver results to your secure patient portal
  • To have a GMC-registered clinician review and annotate your results
  • To contact you if your results require urgent clinical follow-up
  • To send appointment reminders and results notifications
  • To respond to your enquiries
  • To maintain clinical records in accordance with our CQC registration obligations
  • To process your payment
  • To send marketing communications only with your explicit opt-in consent

6. Sharing your data

We do not sell your personal data. We share it only where necessary:

  • Accredited UK laboratories: to process your blood samples. These partners are bound by data processing agreements and operate under UKAS accreditation.
  • Westminster Medical Group clinicians: GMC-registered doctors who review your results
  • Payment processors: to process your payment securely (PCI-DSS compliant)
  • IT infrastructure providers: hosting and security services operating under strict data processing agreements
  • Legal or regulatory authorities: where required by law (e.g., CQC inspection, court order)
  • Your GP or other clinicians: only with your explicit written consent

All third parties are required to process your data securely and only for the specified purpose.

7. International transfers

We do not routinely transfer your personal data outside the UK. If any transfer is required, we ensure it is protected by UK GDPR-compliant safeguards (e.g., standard contractual clauses or adequacy decisions).

8. Data retention

We retain your health records for a minimum of 8 years from your last appointment in accordance with NHS and CQC guidance for private healthcare providers.

Enquiry data (where no appointment was booked) is retained for 12 months.

Payment records are retained for 7 years for HMRC compliance.

9. Your rights

Under UK GDPR, you have the right to:

  • Access: request a copy of the personal data we hold about you (Subject Access Request)
  • Rectification: ask us to correct inaccurate data
  • Erasure: ask us to delete your data, subject to our retention obligations
  • Restriction: ask us to limit how we use your data
  • Portability: receive your data in a machine-readable format
  • Object: object to processing based on legitimate interests or for direct marketing
  • Withdraw consent: at any time, where processing is based on consent

To exercise any of these rights, contact us at health@wmglondon.com. We will respond within one calendar month.

10. Cookies and website analytics

Essential storage. Our site stores a small piece of data in your browser (using local storage) to remember your cookie preference, so we don't show you the consent banner on every page load. This is operationally necessary, contains no personal information, and is not used for tracking. Our server also keeps standard logs (IP address, page requests, timestamps) for security and uptime monitoring.

Optional analytics cookies. If you accept via our cookie banner, we use Google Analytics to understand which pages and panels are most useful to visitors and to improve the site. Analytics cookies are set in your browser and process anonymised usage data on our behalf. IP addresses are anonymised before storage. We do not link analytics data to your identity or your clinical record.

If you decline, no analytics cookies are set and no usage data is collected. You can change your choice at any time by clearing your browser's site data for this domain, which will re-show the banner.

We do not use advertising cookies, retargeting pixels, or social media tracking pixels (no Meta Pixel, no LinkedIn Insight Tag, no advertising trackers of any kind).

11. Security

We implement appropriate technical and organisational measures to protect your data, including:

  • TLS encryption for all data in transit
  • Encrypted storage for health records
  • Access controls and staff training
  • Regular security reviews

In the event of a data breach that is likely to affect your rights, we will notify you and the Information Commissioner's Office (ICO) within 72 hours as required by law.

12. Complaints

If you believe we have not handled your data correctly, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

  • Website: ico.org.uk
  • Helpline: 0303 123 1113

We would, however, appreciate the opportunity to address your concerns directly first. Please contact us at health@wmglondon.com.

13. Changes to this policy

We may update this Privacy Policy from time to time. The date at the top of this page reflects the most recent revision. Significant changes will be communicated to active patients by email.

Questions about your data?

Contact our Data Controller directly.

health@wmglondon.com