Privacy Policy

​​Last Updated: 22 June 2026

​1. Introduction

​Welcome to the Privacy Policy for Apex Medical Ultrasound. We are committed to protecting and respecting your privacy, especially regarding your Personally Identifiable Information (PII) and Special Category Personal Data (such as medical ultrasound images, clinical notes, and health histories).

​This policy outlines how we collect, utilise, store, and safeguard your data, as well as your legal rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

​2. Who We Are (Data Controller)

​Apex Medical Ultrasound operates as the Data Controller for the personal data collected through our clinical services and website. This means we are legally responsible for deciding how and why your personal information is processed.

​

​Data Protection Contact: IT Security Officer / Data Protection Lead

​3. The Types of Data We Collect

​We collect and process various categories of data to provide safe, effective, and professional healthcare services:

• ​Personal Identifiable Information (PII): Names, home addresses, phone numbers, personal email addresses, dates of birth, and billing/financial details.
• ​Special Category Data (Protected Health Information): Ultrasound scan images, clinical diagnostic notes, NHS numbers, referral letters, medical histories, and next-of-kin contact metrics.

​4. How We Securely Store Your Data

​To ensure the absolute security of your medical and personal metrics, Apex Medical Ultrasound operates under a Zero-Paper and Strict Digital Storage Policy.  We do not log or store patient details on physical paper.

• ​All clinical records, booking data, and communication details are stored exclusively within our secure, cloud-based practice management platform.
• ​Data Encryption: All data handled by the platform is encrypted in transit using industry-standard Transport Layer Security (TLS 1.2/1.3) and encrypted at rest using bank-grade 256-bit AES encryption.
• ​Data Residency: All personal and clinical data inputted by Apex Medical Ultrasound is strictly localised and stored within secure cloud infrastructure physically located inside the European Union, satisfying all UK GDPR international transfer criteria.

​5. Data Sharing and Our Healthcare Partnerships

​We only share your data when there is a legitimate legal basis, primarily for providing direct clinical care, processing referrals, or as required by healthcare regulations.

​The Private GP Group Partnership

​Apex Medical Ultrasound works in close clinical partnership with The Private GP Group. To deliver seamless, integrated healthcare pathways, we will share patient-specific data, clinical notes, and ultrasound diagnostic reports with them. This sharing is conducted securely via encrypted digital channels to ensure continuity of care and accurate medical evaluation.

​NHS Guidelines Alignment

​As an organisation that delivers services alongside the NHS, all data-sharing protocols with external healthcare providers strictly follow the Caldicott Principles. This ensures that data sharing is:

• ​Justified by a clear medical or administrative purpose.
• ​Kept to the minimum necessary information required.
• ​Restrained strictly to authorised personnel on a "need-to-know" basis.
• ​We will never sell, rent, or trade your personal data with third-party marketing companies.

​6. Legal Bases for Processing Your Data

​Under the UK GDPR, we rely on the following lawful bases to process your information:

​Consent: Where you have given explicit permission for a specific processing activity.

• ​Contractual Obligation: To process bookings, manage clinical appointments, and handle transactions.
• ​Legal Obligation: Where we are required by UK law or healthcare regulatory frameworks to retain medical records.
• ​Direct Provision of Healthcare (Special Category Data): Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, and the provision of health or social care.

​7. Your Data Protection Rights

​Under UK data protection law, you have specific rights regarding your personal information:

• ​The Right of Access: You have the right to request copies of your personal data and clinical ultrasound records (Subject Access Request).
• ​The Right to Rectification: You can request that we correct any information you believe is inaccurate or incomplete.
• ​The Right to Erasure: Under certain strict conditions, you can request that we delete your personal data (noting that medical retention laws may supersede this request for clinical history records).
• ​The Right to Restrict Processing: You have the right to request that we restrict how we use your data under specific circumstances.
• ​The Right to Data Portability: You can request that we transfer the data we have collected to another organisation, or directly to you.

​8. How to Contact Us or Lodge a Complaint

​If you have any questions about this Privacy Policy, wish to exercise any of your data rights, or have concerns about how your data is handled, please contact our IT Security Team directly via our website contact channels.

​If you remain unsatisfied with our response, you have the right to lodge a formal complaint with the UK's data protection authority:

​Information Commissioner's Office (ICO)