NCL Private Healthcare

Legal & Compliance

Legal Information

Last reviewed: July 2026 · Version 1.0

Privacy Policy

1. Who we are

NCL Private Healthcare (“NCL”, “we”, “us”, “our”) is a private healthcare provider registered in England and Wales, operating from West Road, Ponteland, Newcastle upon Tyne, NE20 9SU. We are registered as a data controller with the Information Commissioner’s Office (ICO) under UK GDPR and the Data Protection Act 2018.

You may contact our data protection lead at: info@nclprivatehealthcare.com

2. What data we collect

We may collect the following categories of personal data:

  • Identity data: name, date of birth, age range.
  • Contact data: email address, telephone number, postal address.
  • Health data (special-category): hair loss history, previous treatments, scalp photographs, clinical assessment results, prescription records. This data is processed only with your explicit consent or where necessary to provide medical treatment.
  • Transaction data: order details, payment method (payment card details are processed by Stripe and not stored by us), subscription records.
  • Technical data: IP address, browser type, device identifiers, pages visited, session duration — collected via cookies and analytics (see our Cookie Policy).
  • Communications data: messages sent to us via enquiry forms, chat, email or telephone.
  • Profile data: account username, order history, treatment preferences.

3. How we use your data

We process your data on the following legal bases:

  • Contract performance: to process orders, manage subscriptions, and provide purchased services.
  • Legitimate interests: to operate our website, improve our services, prevent fraud, and respond to enquiries.
  • Explicit consent: to process health data, send optional marketing communications, and set non-essential cookies.
  • Legal obligation: to meet regulatory requirements including CQC registration obligations, MHRA compliance, and financial record-keeping.
  • Vital interests: in an emergency where it is necessary to protect life.

4. Health data — special-category processing

Health information is sensitive personal data under UK GDPR Article 9. We process your health data only where you have given explicit consent, or where processing is necessary for the provision of health or social care treatment. You may withdraw consent at any time; however, withdrawal may mean we are unable to provide certain clinical services.

Every assessment and enquiry form that collects health information contains a specific consent statement. You must tick this before submitting health data to us.

5. Who we share your data with

We do not sell your personal data. We may share it with:

  • Clinical staff: GMC-registered doctors and GPhC-registered pharmacists involved in your care.
  • Payment processor: Stripe Inc, for secure payment processing (PCI-DSS compliant).
  • Email service: our email provider for sending order and appointment confirmations.
  • Analytics: anonymised / aggregated data with analytics providers (no identifiable health data).
  • Regulators: CQC, GMC, GPhC, ICO, or law enforcement where required by law.

6. International data transfers

Where data is transferred outside the UK, we ensure appropriate safeguards are in place — including UK adequacy decisions, standard contractual clauses (SCCs) approved by the ICO, or binding corporate rules. For international patients, see our International Patient Terms for additional information on cross-border data transfers.

7. Retention

We retain data for the following periods:

  • Clinical records: minimum 8 years from last treatment (or until the patient is 25, whichever is longer), in line with NHS and professional guidance.
  • Order and transaction records: 7 years for financial compliance.
  • Marketing preferences: until you withdraw consent.
  • Website analytics: up to 14 months (anonymised).
  • Chatbot transcripts: retained for 90 days then deleted, unless forming part of a clinical record.

8. Your rights

Under UK GDPR you have the right to:

  • Access: request a copy of your personal data (Subject Access Request).
  • Rectification: correct inaccurate data.
  • Erasure: request deletion where there is no lawful reason to retain it.
  • Restriction: limit how we use your data while a dispute is resolved.
  • Portability: receive your data in a machine-readable format.
  • Object: to processing based on legitimate interests or for direct marketing.
  • Withdraw consent: at any time, without affecting the lawfulness of prior processing.

To exercise any right, email us at info@nclprivatehealthcare.com. We will respond within one calendar month.

If you are dissatisfied with our response, you may complain to the ICO at ico.org.ukor by post to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

9. Security

We implement appropriate technical and organisational measures to protect your data — including TLS encryption in transit, access controls, and regular security reviews. Payment data is processed by Stripe and not stored on our servers. No system is completely secure; please report any suspected data incident to us promptly.

10. Cookies

See our Cookie Policy for full information on cookies and your choices.

11. Changes to this policy

We may update this policy from time to time. Material changes will be notified to registered users by email. The current version is always available at this URL, with the review date at the top.