Privacy Policy
This privacy policy sets out how we, Synapse Medical Group Limited, collect, store, use and protect your personal data and information about you when you use or interact with our website synapseheadache.com (our website), including any data you may provide when you register with us, and where we otherwise obtain or collect information about you. This Privacy Policy is effective from 7 October 2025.
You can view and download the full version of the privacy policy here.
CONTENTS
IMPORTANT INFORMATION AND WHO WE ARE
INFORMATION WE COLLECT WHEN YOU CONTACT US
PERSONAL DATA WE COLLECT ABOUT YOU AND WHY
COOKIES
DISCLOSURE AND ADDITIONAL USES OF YOUR INFORMATION
HOW LONG WE RETAIN YOUR INFORMATION
HOW WE SECURE YOUR INFORMATION
YOUR RIGHTS IN RELATION TO YOUR INFORMATION
SENSITIVE PERSONAL INFORMATION
CHILDREN’S PRIVACY
CHANGES TO OUR PRIVACY POLICY
COPYRIGHT
IMPORTANT INFORMATION AND WHO WE ARE
This Privacy Policy
This privacy policy gives you information about how Synapse Medical Group Limited collects and uses your personal data through your use of this website, including any data you may provide when you register with us.
Controller
The Data Controller in respect of this website is Synapse Medical Group Limited, company registration number 16275997.
You can contact the data controller by writing to Synapse Medical Group Limited by sending an email to secretary@synapseheadache.com
INFORMATION WE COLLECT WHEN YOU CONTACT US
We collect and use personal information from individuals who contact us in accordance with this section and the section entitled Disclosure and additional uses of your information.
When you send an email to the email address displayed on our website, we collect your email address and any other information you provide in that email (such as your name, telephone number and the information contained in any signature block in your email).
Post, Telephone and Messaging platforms
If you contact us in any of these ways, we will collect any information you provide to us in any postal communications you send us.
PERSONAL DATA WE COLLECT ABOUT YOU AND WHY
Personal data means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you that we have grouped together as follows:
When You Make an Enquiry or access our website:
Name, email address, phone number
Details of your enquiry submitted through our website or by email
IP address or MAC address (automatically collected when you use our website)
If You Become a Patient:
Full name, date of birth, and contact information
Next of kin contact details
Identification data, including copies of your passport, driving licence or other identification documentation
Medical history and records, GP details, letters and clinical notes
Communication records, including emails and appointment notes
Financial Data, including bank account, payment card details or insurance information (collected and processed by Carebit on our behalf).
Transaction Data, including details about payments to and from you and other details of products and services you have purchased from us.
We collect this information to:
Respond to your enquiries
Arrange and provide safe and effective medical care
Maintain accurate and legally required medical records
Manage and collect payments and billing
Communicate with your GP or insurer (where appropriate and with your authority)
Information we collect when you interact with our website
We collect and use information from individuals who interact with particular features of our website in accordance with this section and the section entitled Disclosure and additional uses of your information.
Web server log information
We use a third-party server to host our website. Our website server automatically logs:
Technical Data, including internet protocol (IP) address, your login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, device ID and other technology on the devices you use to access this website.
Usage Data, including information about how you interact with and use our website, products and services, the pages accessed, information requested, the date and time of the request, the source of your access to our website (e.g. the website or URL [link] which referred you to our website), and your browser version and operating system.
Marketing and Communications Data, including your preferences in receiving marketing from us and our third parties and your communication preferences.
Our server is located in the UK.
Use of website server log information for IT security purposes
We collect and store server logs to ensure network and IT security and so that the server and website remain uncompromised. This includes analysing log files to help identify and prevent unauthorised access to our network, the distribution of malicious code, denial of service attacks and other cyber-attacks, by detecting unusual or suspicious activity.
Unless we are investigating suspicious or potential criminal activity, we do not make, nor do we allow, any attempt to identify you from the information collected via server logs.
Use of website server log information to analyse website use and improve our website
We use the information collected by our website server logs to analyse how our website users interact with our website and its features. For example, we analyse the number of visits and unique visitors we receive, the time and date of the visit, the location of the visit and the operating system and browser used.
We analyse the information gathered to improve our website function and content for the benefit of users.
COOKIES
Cookies are data files that are sent from a website to a browser to record information about users for various purposes. Such information will not identify you personally; it is statistical data about our visitors and their use of our Website. This statistical data does not identify any personal details whatsoever. It is used by us to analyse how visitors interact with the Website so that we can continue to develop and improve this Website.
We use cookies on our website, including:
Essential
Functional, and
Analytical
We may gather information about your general Internet use by using a cookie file that is downloaded to your computer. Where used, these cookies are downloaded to your computer automatically. This cookie file is stored on the hard drive of your computer as cookies contain information that is transferred to your computer’s hard drive. They help us to improve our Website and the service that we provide to you.
All computers have the ability to decline cookies. This can be done by activating the setting on your browser which enables you to decline the cookies. Please note that should you choose to decline cookies, you may be unable to access particular areas of our Website.
You can reject some or all of the cookies we use on or via our website by changing your browser settings or by using our cookie control tool, but doing so can impair your ability to use our website or some or all of its features. For further information about cookies, including how to change your browser settings, please visit All About Cookies.
DISCLOSURE AND ADDITIONAL USES OF YOUR INFORMATION
This section sets out the circumstances in which we disclose information about you to third parties and any additional purposes for which we use your information.
Disclosure of your information to service providers
We use a number of third parties to provide us with services that are necessary to run our business or to assist us with running our business and who process your information for us on our behalf. These include the following:
Email provider (UK)
IT service provider (UK)
Web developer (UK)
Hosting provider (UK)
Your information will be shared with these service providers where necessary to provide you with the service you have requested, whether that is accessing our website or ordering goods and services from us.
We do not display the identities of all of our service providers publicly by name for security and competitive reasons. However, if you would like further information about the identities of our service providers, please contact us directly by email and we will provide you with such information where you have a legitimate reason for requesting it (where we have shared your information with such service providers, for example).
Disclosure of your information to other third parties
We disclose your information to other third parties in specific circumstances, as set out below.
GOOGLE ANALYTICS
We use Google Analytics to help us understand how visitors interact with our website. Google Analytics collects information such as your IP address, browser type, pages visited, time spent on pages, and other usage data. This information is used to analyse website traffic patterns and improve our website's functionality and content.
Providing information to third parties such as Google Inc.
Google collects information through our use of Google Analytics on our website. Google uses this information, including IP addresses and information from cookies, for a number of purposes, such as improving its Google Analytics service. Information is shared with Google on an aggregated and anonymised basis.
Transfer and Storage of your Information
Information collected by Google Analytics is stored outside the European Economic Area on Google’s servers in the United States of America.
Data Transfers Outside the EEA
Information collected by Google Analytics is transferred to and stored on Google's servers, which may be located outside the European Economic Area (EEA), including in the United States of America.
Legal Basis for International Transfers
For transfers of personal data to countries outside the EEA that do not have an adequacy decision from the European Commission, we rely on appropriate safeguards including:
The EU-US Data Privacy Framework for transfers to certified US organisations (where applicable)
Standard Contractual Clauses approved by the European Commission under Article 46 GDPR
Google's compliance with applicable data protection requirements
Your Rights and Choices
To find out more about what information Google collects, how it uses this information and how to control the information sent to Google, you can view Google's privacy policy at: Google | Privacy & Terms
You can opt out of Google Analytics tracking by installing the Google Analytics opt-out browser add-on available at: Google Analytics | Opt Out
You can also control cookies through your browser settings, though this may affect website functionality.
Data Retention
Google Analytics data is retained for a period of 26 months from the date of collection, after which it is automatically deleted. We may configure shorter retention periods based on our business needs and data protection requirements.
Microsoft
We use Microsoft 365 platforms and apps to manage emails and storage of your information. Please review Microsoft’s Privacy Policy and information here: Microsoft | Privacy Statement.
Carebit
We use Carebit (carebit.co) as our data processor for patient registration, booking, record keeping and payment processing. Carebit processes this information on our behalf in accordance with our data processing agreement. You can access Carebit's privacy policy at: Carebit | Privacy Policy.
HCA – Princess Grace or The Wellington
When you attend appointments at HCA, we share your registration details (name, date of birth, appointment time, and relevant clinical information) with the hospital for facility access and safe delivery of clinical services. Princess Grace Hospital and The Wellington are separate data controllers for this information. You can view their privacy policy at: HCA | Our Privacy Policy.
University College London Hospital (UCLH)
When you attend appointments at UCLH facilities, we share your registration details and relevant clinical information with UCLH for facility access and safe delivery of clinical services. UCLH acts as a separate data controller for this information. You can view their privacy policy at: UCLH | Cookies & Privacy.
NHS Secure OneDrive
We use the NHS Microsoft OneDrive and email systems for storing and sharing documents with NHS teams, as required. In particular, you permit us to maintain and share your payment and financial information with the NHS for reconciliation purposes. Otherwise, please refer to Microsoft’s privacy policy above.
AI Platforms
We use AI to assist with our administration, patient information and documentation, transcription, health analyses and treatment plans and anything related to patient care and health. This may mean your information is shared with AI models in order to streamline and improve care provision.
Any responses sent to you directly from an AI system should be carefully considered as AI models can make errors. Any advice given to you directly by your care provider will have been checked in advance, whether it came from an AI system or not.
Please review the following privacy policies, which relate to the platforms we employ:
NABLA: Nabla General Privacy and Cookies Policy
HEIDI: Heidi UKGDPR Privacy Policy
GRAMMARLY: Grammarly Privacy Policy
Disclosure and use of your information for legal reasons
Indicating possible criminal acts or threats to public security to a competent authority
If we suspect that criminal or potential criminal conduct has occurred, we will in certain circumstances need to contact an appropriate authority, such as the police. This could be the case, for instance, if we suspect that a fraud or a cyber crime has been committed or if we receive threats or malicious communications towards us or third parties.
We will generally only need to process your information for this purpose if you were involved or affected by such an incident in some way.
In connection with the enforcement or potential enforcement of our legal rights
We will use your information in connection with the enforcement or potential enforcement of our legal rights, including, for example, sharing information with debt collection agencies if you do not pay amounts owed to us when you are contractually obliged to do so. Our legal rights may be contractual (where we have entered into a contract with you) or non-contractual (such as legal rights that we have under copyright law or tort law).
In connection with a legal or potential legal dispute or proceedings
We may need to use your information if we are involved in a dispute with you or a third party, for example, either to resolve the dispute or as part of any mediation, arbitration or court resolution or similar process.
For ongoing compliance with laws, regulations and other legal requirements
We will use and process your information in order to comply with legal obligations to which we are subject. For example, we may need to disclose your information pursuant to a court order or subpoena if we receive one.
HOW LONG WE RETAIN YOUR INFORMATION
This section sets out how long we retain your information. We have set out specific retention periods where possible. Where that has not been possible, we have set out the criteria we use to determine the retention period.
Retention periods
We only keep your data as long as it is required either by English Law, health regulatory best practice, codes of practice, or our own legitimate business needs in line with our corporate policies. The full range of retention periods varies per record: some are only kept short-term, and some are kept more long-term if they relate to legal matters or long-term medical conditions. Below are the considerations we use to determine the appropriate retention period:
The purposes for which we process your personal data and whether we can achieve those purposes through other means;
The applicable legal, regulatory, tax, accounting or other requirements;
The amount, nature, and sensitivity of the personal data; and
The potential risk of harm from unauthorised use or disclosure of your personal data.
Typical retention periods are as follows:
Medical and clinical records - Minimum 8 years from date of last consultation (or until age 25 for patients treated as children, whichever is longer), in accordance with NHS Records Management Code of Practice
Mental health records - May be retained for longer periods where there is ongoing clinical need or legal requirement
Financial and billing records - Minimum 6 years from end of financial year for tax and accounting purposes
Correspondence and general enquiries - Up to 2 years from date of last contact, unless part of clinical record
Marketing consent records - Until consent is withdrawn, then archived for evidence purposes
Specific records may be retained for longer periods where:
There is ongoing clinical need
Legal proceedings are ongoing or anticipated
Regulatory or professional body requirements mandate longer retention
The patient requests their records be maintained
We are asked to retain them by a government institution for legal purposes
You may request information about retention of your specific records by contacting us.
HOW WE SECURE YOUR INFORMATION
We take appropriate technical and organisational measures to secure your information and to protect it against unauthorised or unlawful use and accidental loss or destruction, including:
only sharing and providing access to your information to the minimum extent necessary, subject to confidentiality restrictions where appropriate, and on an anonymised basis wherever possible;
using secure servers to store your information;
verifying the identity of any individual who requests access to information prior to granting them access to information;
using Secure Sockets Layer (SSL) software.
Transmission of information to us by email
Transmission of information over the internet is not entirely secure, and if you submit any information to us over the internet (whether by email, via our website or any other means), you do so entirely at your own risk.
We cannot be responsible for any costs, expenses, loss of profits, harm to reputation, damages, liabilities or any other form of loss or damage suffered by you as a result of your decision to transmit information to us by such means.
Transfers of your information outside the European Economic Area
All of your information is stored in the UK.
Other than to comply with any legal obligations to which we are subject (compliance with a court order, for example), we do not intend to transfer your information outside the EEA or to an international organisation. In the unlikely event that we are required to transfer your information outside the EEA (or to an international organisation) for such a purpose, we will ensure appropriate safeguards and protections are in place.
Information we collect when you become a patient
We collect and use information from individuals who make an appointment in accordance with this section and the section entitled Disclosure and additional uses of your information.
Information collected when you book an appointment
Information you submit when you book an appointment is stored within the United Kingdom. Your booking and payment information is processed by Carebit on our behalf, with servers located in accordance with their privacy policy.
Where you attend appointments at UCLH or Princess Grace Hospital, those facilities will also store registration and clinical data in accordance with their own privacy policies.
Processing your payment
When you register as a patient, your details and payments will be collected and processed through a third party provider, Carebit.
Carebit collects, uses and processes your information, including payment information, in accordance with their privacy policies. Their privacy policy is set out above.
Information collected or obtained from third parties
This section sets out how we obtain or collect information about you from third parties.
Information received from third parties
Generally, we do not receive information about you from third parties. The third parties from which we receive information about you will generally include other businesses and clients we work with from time to time who may recommend our services to you. These could be businesses in any industry, sector, sub-sector or location. We also receive information about patients from private and NHS referring doctors, all based within the European Union.
It is also possible that third parties with whom we have had no prior contact may provide us with information about you.
Information we obtain from third parties will generally be your name and contact details, but will include any additional information about you that they provide to us.
YOUR RIGHTS IN RELATION TO YOUR INFORMATION
Subject to certain limitations on certain rights, you have the following rights in relation to your information, which you can exercise by writing to:
request access to your information and information related to our use and processing of your information;
request the correction or deletion of your information;
request that we restrict our use of your information;
receive information which you have provided to us in a structured, commonly used and machine-readable format (e.g. a CSV file) and the right to have that information transferred to another data controller (including a third party data controller);
object to the processing of your information for certain purposes (for further information, see the section below entitled Your right to object to the processing of your information for certain purposes); and
withdraw your consent to our use of your information at any time where we rely on your consent to use or process that information. Please note that if you withdraw your consent, this will not affect the lawfulness of our use and processing of your information on the basis of your consent before the point in time when you withdraw your consent.
In accordance with Article 77 of the General Data Protection Regulation, you also have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or of an alleged infringement of the General Data Protection Regulation.
Verifying your identity where you request access to your information
Where you request access to your information, we are required by law to use all reasonable measures to verify your identity before doing so.
These measures are designed to protect your information and to reduce the risk of identity fraud, identity theft or general unauthorised access to your information.
SENSITIVE PERSONAL INFORMATION
As a medical practice providing healthcare services, we necessarily process special category personal data (also known as sensitive personal information) as defined under Article 9 of the UK General Data Protection Regulation.
What Health Data We Process
Special category data we process includes:
Medical and mental health records, diagnoses, and treatment notes
Information about your physical or mental health conditions
Clinical assessment results and correspondence
Treatment plans, prescriptions, and medication records
GP referral letters and clinical reports
Information about your healthcare needs and requirements
We process your health data under the following lawful bases:
Under Article 9 UK GDPR:
Article 9(2)(h) - provision of health or social care, and management of health or social care systems and services
Article 9(2)(a) - your explicit consent where appropriate and where we rely on consent for specific processing activities
Under Data Protection Act 2018:
Schedule 1, Part 1, Paragraph 2 - health or social care purposes
Under Article 6 UK GDPR (general lawful basis):
Article 6(1)(b) - processing necessary for performance of contract with you
Article 6(1)(c) - processing necessary for compliance with legal obligations
Article 6(1)(f) - legitimate interests in providing safe and effective healthcare
You have rights regarding your health data, though some rights may be limited where processing is necessary for healthcare purposes or where we have legal obligations to retain medical records.
These rights include:
The right to access your health records (subject to certain legal exemptions)
The right to request correction of inaccurate health information
The right to request restriction of processing in certain circumstances
The right to object to processing based on legitimate interests
Please note that we may be unable to delete medical records where we have legal obligations to retain them for specified periods. If you have questions about how we process your health data, please contact us at the email set out above.
CHILDREN’S PRIVACY
Individuals Aged 16-17
In accordance with UK law regarding medical consent, individuals aged 16 and 17 can book appointments and consent to medical treatment directly. These young people can provide personal data and consent to our processing of their health information without parental involvement.
Children Under 16
We do not provide any service to clients under the age of 16 years.
For individuals under 16, we require parental or guardian consent before collecting or processing any personal data. A parent or legal guardian must:
Be present during the booking process
Provide consent for the collection and processing of the child's data
Provide consent for medical treatment and services
Data Protection for Children
We do not knowingly collect data from children under 16 without appropriate parental or guardian consent. If we become aware that we have collected data from a child under 16 without proper consent, we will take steps to delete that information, subject to any legal requirements.
Parents and guardians have the right to:
Access their child's personal data
Request correction or deletion of their child's data
Withdraw consent for processing
If you would like to notify us of any concerns regarding data collected from individuals under 16, please contact us at secretary@synapseheadache.com
CHANGES TO OUR PRIVACY POLICY
We update and amend our Privacy Policy from time to time.
Minor changes to our Privacy Policy
Where we make minor changes to our Privacy Policy, we will update our Privacy Policy with a new effective date stated at the beginning of it. Our processing of your information will be governed by the practices set out in that new version of the Privacy Policy from its effective date onwards.
Major changes to our Privacy Policy or the purposes for which we process your information
Where we make major changes to our Privacy Policy or intend to use your information for a new purpose or a different purpose than the purposes for which we originally collected it, we will notify you by email (where possible) or by posting a notice on our website.
We will provide you with the information about the change in question and the purpose and any other relevant information before we use your information for that new purpose.
Wherever required, we will obtain your prior consent before using your information for a purpose that is different from the purposes for which we originally collected it.
COPYRIGHT
The copyright in this Privacy Policy is either owned by, or licensed to, us and is protected by copyright laws around the world and copyright protection software.
All intellectual property rights in this document are reserved.
