Privacy Policy

Welcome to the privacy policy for Astron Health (“we”, “us”). Astron Health is a trading name of Astron Health Ltd, a company registered in England and Wales with company registration number 15587830. Astron Health is committed to ensuring that your privacy is protected. This privacy policy sets out how we will collect, store, use, share and protect any information that you provide to us. We also explain your rights and how to contact us. Your personal information will only be used in accordance with this privacy policy.

About us

We have appointed a Data Protection Officer to oversee our handling of personal information. Our Data Protection Officer is Mr. Benjamin Whately, CEO, who can be reached at ben@astron.health. We process your information in the ways outlined below.

For the purposes of data protection law, Astron Health Ltd will be the data controller. Astron Health Ltd is registered with the Information Commissioner’s Office under registration number C1532868.

Our processing of your personal information

We will collect and use different personal information about you for different reasons, depending on our relationship with you. This includes prospective or existing patients, users of the Astron Health website, healthcare professionals, and individuals like business partners, sub-contractors, and suppliers. Each category is discussed in more detail in this privacy policy.

Sometimes we will request or receive “special categories of personal information” (which is information relating to your health, genetic or biometric data, criminal convictions, sex life, sexual orientation, racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership).

Where you provide personal information to us about other individuals (for example, members of your family or other dependents), we will also be the data controller of their personal information and we are responsible for protecting their personal information and using it appropriately. This policy will therefore apply to those individuals, and you should refer them to this policy. If you provide us with information relating to other individuals, we are entitled to assume that you have the required authority from that person to provide us with the information and cannot be held responsible if that is not the case.

In order to make this policy as user friendly as possible, we have split it into different sections. Please click on the section below that best describes your relationship with us and the service you receive from us.

Prospective or existing patients

Where you are a prospective or existing patient enquiring about or receiving cancer treatments or participating in a cancer study

This section will apply if you currently participate in a cancer study or receive cancer treatment or if you are looking to participate in a cancer study or receive cancer treatment. Please note that we collect, use, and disclose additional personal information about you if you use our website as described in the section entitled “Users of the Astron Health website.”

What personal information may we collect?

We may collect the following categories of personal information:

  • General information such as your name, address, phone numbers and email addresses, date of birth and gender.
  • Employment information such as job title, employment history and professional accreditations.
  • Financial information such as your bank details and credit and debit card details.
  • Information about your family including information about your dependents.
  • Information obtained during telephone recordings.
  • Device data and information about your visits to and use of this website (including your IP address, unique device identifiers, browser type and version, operating system, referral source, length of visit, page views). For more information, please see our cookie policy.
  • Approximate geolocation information based on your IP address.

What sensitive personal information (also referred to as special categories of personal information) may we collect?

Please note that sensitive or special categories of personal information may differ from jurisdiction to jurisdiction.

  • Details about your physical, mental and emotional health including information on your medical history and treatments received, including but not limited to: blood test results, radiology (imaging reports), medical examinations, histology (biopsies), allergies, co-morbidities, current and historical medications, relevant psychological assessments (including quality of life assessments), bone assessments, performance status (i.e. appetite, pain levels, quality of life).
  • Your messages and communications with your healthcare professional team (where relevant to your care).
  • Details of your race and/or ethnicity.
  • Details of any genetic data or biometric data relating to you.
  • Details of your sexual orientation (where relevant to your care).
  • Identification information including passport, driving license, national identity card (for non-UK nationals) or government issued ID verification.
  • Your username and password if you create an account on our website.

How will we collect your personal information?

We will collect personal information about you from the following categories of sources in the below contexts:

  • When you attend a medical appointment (either in person or via telemedicine) at our clinic, fill in forms on our website or create an account with us.
  • When you contact us by email, telephone, and through other written and verbal communications, including any messaging feature we make available on our website.
  • When we deal with any complaints you may have.
  • As well as obtaining information directly from you, we will also collect your personal information from:
    • Enquiries, discussions, and referrals with healthcare professionals including NHS doctors, GPs, oncologists, and related service providers that assist with healthcare operations.
    • Your GP, other hospitals or clinics where you are currently being treated who may share your medical information with us.
  • We and our third-party vendors automatically collect data from you when you interact with our website. For more information, please see our cookie policy.

What will we use your personal information for?

There are a number of reasons we use your personal information and for each use we need to have a “legal ground” to do so. Some jurisdictions may refer to these as “business” or “commercial” purposes.

We will rely on the following “legal grounds” when we process your “personal information”:

  • We need to use your personal information to enter into or perform the contract that we hold with you.
  • We have a legal or regulatory obligation to use such personal information.
  • We have a valid business reason (known as a legitimate interest) to use your personal information, and which is necessary for our everyday business operations and activities. This includes the following activities: to keep business and accounting records; to manage our business operations; to analyze, personalize, develop, and improve our products and services, including developing new products or services; to promote and conduct educational or promotional events; and to conduct research, in accordance with applicable law or guidelines from supervisory authorities. When using your personal information for these purposes, we will consider your rights and interests in accordance with applicable law.
  • In very rare circumstances we may need to use your personal information to protect your vital interests. This may happen where you are critically ill and we need to administer emergency treatment or pass on your information to others to enable them to administer emergency treatment to you.
  • In each case we assess our need to use this personal information for these purposes against your rights to privacy to ensure we are protecting your rights.

When we use your “special categories of personal information” we must have an additional “legal ground”

For certain processing purposes, we have outlined alternative legal grounds. We will rely on the following legal grounds when we process your special categories of personal information:

  • You have given us your explicit consent.
  • As necessary to establish, exercise, or defend legal rights, such as when we are facing legal proceedings or want to bring legal proceedings ourselves.
  • As necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of health care systems and services.
  • As necessary for the purposes of medical and scientific research, where that research is not to support measures or decisions with respect to particular individuals.

Summary table on the legal grounds for processing your information

Please read the above section on how we use your personal information for full details.

| PURPOSE FOR PROCESSING | LEGAL GROUNDS FOR USING YOUR PERSONAL INFORMATION | LEGAL GROUNDS FOR USING YOUR SPECIAL CATEGORIES OF PERSONAL INFORMATION |
|---|---|---|
| To carry out our obligations arising from any contracts entered into between you and us. | It is necessary to enter into or perform your contract. The processing is necessary for a legitimate interest in the form of a valid business reason (to ensure that we fulfil our contractual obligations to clients). | We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent. |
| To provide you with the information, products and services that you request from us. | The processing is necessary for a legitimate interest in the form of a valid business reason (to provide you with information about our treatments, products and services that we offer). | The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of health care systems and services. You have given us your explicit consent. |
| To contact you about a request/enquiry you have made with us, for example requesting an appointment with a consultant. | The processing is necessary for a legitimate interest in the form of a valid business reason (to respond to requests received as part of running our business efficiently and effectively). | The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of health care systems and services. You have given us your explicit consent. |
| To communicate with your healthcare providers. | It is necessary to enter into or perform your contract. The processing is necessary for a legitimate interest in the form of a valid business reason (to ensure that we fulfil our contractual obligations to clients). We are processing the information to protect your vital interests. | The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of health care systems and services. You have given us your explicit consent. The processing is necessary for protecting your vital interests. |
| To provide you with information you may have requested, for example a letter for your doctor. | It is necessary to enter into or perform your contract. It is necessary for compliance with a legal obligation to which we are subject (your data subject access rights). | The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of health care systems and services. You have given us your explicit consent. |
| To notify you about changes to our service. | The processing is necessary for a legitimate interest in the form of a valid business reason (to notify you about changes to our service). | |
| To conduct research and analysis in limited circumstances where we may undertake case studies involving specified individuals using pseudonymised data. | The processing is necessary for legitimate interest in the form of a valid business reason (to conduct research and analysis to improve the treatments, products and services we offer). | The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of health care systems and services, where that research is to support measures or decisions with respect to particular individuals; or The processing is necessary for the purposes of scientific research where that research is not to support measures or decisions with respect to particular individuals. |
| To provide to third parties, who may undertake independent statistical analysis using statistical techniques for the purposes of conducting research and producing reports to verify our research. | The processing is necessary for a legitimate interest in the form of a valid business reason (to use your information to improve the treatments, products and services we offer). | The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of health care systems and services, where that research is to support measures or decisions with respect to particular individuals; or The processing is necessary for the purposes of scientific or statistical research where that research is not to support measures or decisions with respect to particular individuals. |
| To evaluate and improve our business, including maintaining business records, file keeping, pricing our products appropriately, strategic business planning and internal audit, and management information. | The processing is necessary for a legitimate interest in the form of a valid business reason (to run our business efficiently and effectively). | You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights. |
| To comply with our legal or regulatory obligations. | The use is necessary in order for us to comply with our legal obligations. | The use is necessary in order for us to establish, exercise or defend our legal rights. |
| Communicating with you and resolving any complaints that you might have. | It is necessary to enter into or perform your insurance contract. The processing is necessary for a legitimate interest in the form of a valid business reason (to send you communications, record and investigate complaints and ensure that future complaints are handled appropriately). | You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights. |
| To review how our website is being used and to make improvements to our website. | The processing is necessary for a legitimate interest in the form of a valid business reason (to run our business efficiently and effectively). | |

Who will we share your personal information with?

We will disclose your personal information as reasonably necessary for the purposes set out above with the following categories of parties:

  • Our business partners, suppliers, and sub-contractors for the performance of any contract we enter into with you or with them for your benefit. For example, medical details you send to us electronically for assessment of your condition, arrangement of appointment or any other purpose may be transmitted to consultants or laboratories employed by, or contracted to, Astron Health for their professional opinion or services.
  • Healthcare professionals including NHS doctors, GPs, oncologists, referring consultants or your other primary care provider(s).
  • We will share your personal information with a registered pharmacy to provide you with items we have prescribed for you.
  • Other third parties who we have entered into contractual arrangements with to provide services we need to carry out our everyday business activities such as document management providers, back-office system providers, storage warehouses, IT suppliers, actuaries, auditors, lawyers, pharmacy providers, your health insurance provider, outsourced business process management providers, our subcontractors, and tax advisers.
  • Our insurers (if appropriate) and with your health insurance company to facilitate reimbursement to you of costs incurred by you.
  • Third parties to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
  • Those who we are under a duty to disclose or share your personal information with in order to comply with any legal obligation or for the purposes of fraud protection and credit risk reduction. This includes law enforcement or government agencies to comply with the law or, where appropriate, assist law enforcement.
  • Third parties, using anonymised data, for the purposes of conducting marketing-related activities, including conducting market research and reports.

Additional Disclosures for California Residents

If you reside in California, please read this section for additional disclosures about how we collect, use, and disclose information about you under the California Consumer Privacy Act (or “CCPA”) (California Civil Code Section 1798.100 et seq.).

  • Categories of Personal Information Collected: In the previous 12 months, we have collected the personal information listed above. This information falls into the following categories under the CCPA: identifiers; categories of personal information described in Cal. Civ. Code 1798.80(e); geolocation information; audio, electronic, or visual information; internet or electronic network activity information; inferences drawn from the above categories. We have also collected certain “sensitive” personal information listed above.
  • Sensitive Personal Information Uses or Disclosures: We do not use or disclose “sensitive” personal information for purposes other than those specified by the CCPA.
  • We do not “sell” and/or “share” your personal information as those terms are defined by the CCPA.

Additional Disclosures for Nevada and Washington Residents

Please refer to our Health Data Policy for more information about how we process Consumer Health Data about you.

Users of the Astron Health website

Where you are a user of the Astron Health website

If you are a user of the Astron Health website, this section will be relevant to you and sets out our uses of your personal information.

What categories of personal information may we collect?

  • General information such as your name, phone number, email address, date of birth and gender.
  • Device data and information about your visits to and use of this website (including your IP address, unique identifiers, browser type and version, operating system, referral source, length of visit, page views). For more information, please see our cookie policy.
  • Approximate geolocation information based on your IP address.

What sensitive personal information (also referred to as special categories of personal information) may we collect?

Please note that sensitive or special categories of personal information may differ from jurisdiction to jurisdiction.

  • Details about your physical health, including information on your cancer type and medical diagnosis.
  • Details about your medical history and current and past treatments.
  • Your username and password if you create an account on our website.

How will we collect your personal information?

We will collect personal information about you from the following categories of sources in the below contexts:

  • When you use our website or create an account with us and submit a form to enquire about appointments or to request a new patient information pack.
  • If you provide us directly with your personal information and request to be kept informed of news from the clinic.
  • When you contact us by email, telephone, and through other written and verbal communications, including any messaging feature we make available on our website.
  • We and our third-party vendors automatically collect data from you when you interact with our website. Third-party vendors collect your name, email address, and approximate location (such as town/city/country) during and after you sign up for a consultation with us. For more information, including options you have to manage this data collection, please see our cookie policy.

As well as obtaining information directly from you, we will also collect your personal information from:

  • Your family or friends, who may, on your behalf, enquire about appointments or request a patient information pack.

What will we use your personal information for?

We may use your personal information for a number of different purposes. In each case, we must have a “legal ground” to do so. Some jurisdictions may refer to these as “business” or “commercial” purposes. We will rely on the following “legal grounds”, when we process your “personal information”:

  • We need to use your personal information for a valid business reason (known as legitimate interest). This includes the following activities: to monitor the number of visitors and usage of our website; to manage our business operations; to follow up on enquiries; to analyze, personalize, develop, and improve our products and services, including developing new products or services; to promote and conduct educational or promotional events; to support marketing and advertising activities; and to provide and protect the security and integrity of our website. When using your personal information for these purposes, we will consider your rights and interests in accordance with applicable law.

If you have filled in contact information, we will contact you to discuss the treatment and our clinical services. This will be based on you having consented to us contacting you.

When the information that we process is classed as “sensitive personal information” or “special categories of personal information”, we may have an additional “legal ground”. We will rely on the following legal grounds when we process your sensitive or special categories of personal information:

  • You have provided your explicit consent (e.g., in relation to your marketing preferences).

Summary table on the legal grounds for processing your information

Please read the above section on how we use your personal information for full details.

| PURPOSE FOR PROCESSING | LEGAL GROUNDS FOR USING YOUR PERSONAL INFORMATION | LEGAL GROUNDS FOR USING YOUR SPECIAL CATEGORIES OF PERSONAL INFORMATION |
|---|---|---|
| To follow up on enquiries you make, or enquiries submitted on your behalf by your family and friends. | The processing is necessary for legitimate interest in the form of a business reason (to respond to all communications and enquiries we receive). | You have given us your explicit consent. |
| To provide marketing information to you. | The processing is necessary for legitimate interest in the form of a valid business reason (to send you selected communications about other products and services we offer). | You have given us your explicit consent. |
| To review how our website is being used and to make improvements to our website. | The processing is necessary for a legitimate interest in the form of a valid business reason (to run our business efficiently and effectively). | |

Who will we share your personal information with?

We will disclose your personal information as reasonably necessary for the purposes set out above with the following categories of parties:

  • Other group companies based in the EEA.
  • Third parties who we have entered into contractual arrangements with to provide services we need to carry out our everyday business activities such as IT suppliers and website providers.
  • Social media platforms where you choose to interact with us through social media. In some cases, the social media platform may recognize you through cookies or other digital tracking mechanisms they place on your device, even if you do not have an account with their platform. Please visit the social media platforms’ respective privacy policy to better understand their information practices and controls they make available to you.
  • Companies involved in advertising: We work with companies that assist us in advertising our products and services to you. These companies may use tracking technologies on our website to collect or receive information over time and across different websites or platforms, including this website and elsewhere on the internet, and use that information to provide measurement services and provide you with targeted ads. You may have options to limit or opt out of this practice, including through opt-out preference signals. For more information, please see our Cookie Policy and the “Your rights” section of this privacy policy.
  • Third parties to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
  • Those who we are under a duty to disclose or share your personal information with in order to comply with any legal obligation or for the purposes of fraud protection and credit risk reduction. This includes law enforcement or government agencies to comply with the law or, where appropriate, assist law enforcement.
  • Third parties, using anonymised data, for the purposes of conducting marketing-related activities, including conducting market research and reports.

Additional Disclosures for California Residents

If you reside in California, please read this section for additional disclosures about how we collect, use, and disclose information about you under the California Consumer Privacy Act (or “CCPA”) (California Civil Code Section 1798.100 et seq.).

  • Categories of Personal Information Collected: In the previous 12 months, we have collected the personal information listed above. This information falls into the following categories under the CCPA: identifiers; categories of personal information described in Cal. Civ. Code 1798.80(e); geolocation information; internet or electronic network activity information; inferences drawn from the above categories. We have also collected certain “sensitive” personal information listed above.
  • Sensitive Personal Information Uses or Disclosures: We do not use or disclose “sensitive” personal information for purposes other than those specified by the CCPA.
  • Because we may engage in the practice of cross-context behavioral advertising, also known as online targeted advertising, we may “sell” and/or “share” your personal information as those terms are defined by the CCPA. In the preceding 12 months, we may have “sold” or “shared” identifiers, commercial information, and internet or electronic network activity information with data analytics, advertising networks, and/or social media networks.

Additional Disclosures for Nevada and Washington Residents

Please refer to our Health Data Policy for more information about how we process Consumer Health Data about you.

Healthcare Professionals

Where you are a healthcare professional

If you are a healthcare professional, this section will be relevant to you and sets out our uses of your personal information. Please note that we collect, use, and disclose additional personal information about you if you use our website as described in the section entitled “Users of the Astron Health website.”

What categories of personal information may we collect?

  • We will collect your name and address, your contact information such as your email address and telephone numbers. This may include your personal and/or business contact information.
  • Professional or employment information, such as your place(s) of work, job title, research interests, certifications or licenses, and professional or industry affiliations.
  • Device data and information about your visits to and use of this website (including your IP address, unique device identifiers, browser type and version, operating system, referral source, length of visit, page views). For more information, please see our cookie policy.
  • Approximate geolocation information based on your IP address.

What sensitive personal information may we collect?

For UK and EEA residents, please note that we do not collect any “special categories of personal information”.

  • Your messages and communications with your patients that develop a relationship with us, where relevant to our provision of the services to the patient.
  • Your username and password if you create an account on our website.

How will we collect your personal information?

We will collect personal information about you from the following categories of sources in the below contexts:

  • Where you contact us directly by email, phone or via the website, provide us with your personal information and request to be kept informed of news from the clinic.
  • When you use our website or create an account with us.
  • Third-party service providers and data aggregators.
  • We and our third-party vendors automatically collect data from you when you interact with our website. For more information, please see our cookie policy.

What will we use your personal information for?

We may use your personal information for a number of different purposes. In each case, we must have a “legal ground” to do so. Some jurisdictions may refer to these as “business” or “commercial” purposes. We will rely on the following “legal ground”, when we process your “personal information”:

  • We need to use your personal information for a legitimate interest in the form of a valid business reason. This includes the following activities: to monitor the number of visitors and usage of our website; to manage our business operations; to follow up on your enquiries; to analyze, personalize, develop, and improve our products and services, including developing new products or services; to promote and conduct educational or promotional events; to support marketing and advertising activities; and to send you research materials and updates about our activities. When using your personal information for these purposes, we will consider your rights and interests in accordance with applicable law.

Summary table on the legal grounds for processing your information

Please read the above section on how we use your personal information for full details.

| PURPOSE FOR PROCESSING | LEGAL GROUNDS FOR USING YOUR PERSONAL INFORMATION | LEGAL GROUNDS FOR USING YOUR SPECIAL CATEGORIES OF PERSONAL INFORMATION |
|---|---|---|
| To follow up on enquiries you make where you have filled in contact information or where we communicate with you about a patient that you have referred to us. | The processing is necessary for legitimate interest in the form of a valid business reason (to respond to your queries and to provide you with information about our treatment and clinical services, clinical research programmes and information related to a patient referral). | |
| To send you research materials and updates about our activities. | The processing is necessary for legitimate interest in the form of a valid business reason (to send you selected research materials and information about our activities). | |
| To review how our website is being used and to make improvements to our website. | The processing is necessary for a legitimate interest in the form of a valid business reason (to run our business efficiently and effectively). | |

Who will we share your personal information with?

We will disclose your personal information as necessary for the purposes set out above with the following categories of parties:

  • Other group companies based in the EEA.
  • Third parties who we have entered into contractual arrangements with to provide services we need to carry out everyday business activities such as IT suppliers, marketing services providers and website providers.
  • Third party healthcare providers who are involved in the care of a patient, who may need to contact you regarding the care of that patient.
  • Third parties to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
  • Those who we are under a duty to disclose or share your personal information with in order to comply with any legal obligation or for the purposes of fraud protection and credit risk reduction. This includes law enforcement or government agencies to comply with the law or, where appropriate, assist law enforcement.
  • Third parties, using anonymised data, for the purposes of conducting marketing-related activities, including conducting market research and reports.

Additional Disclosures for California Residents

If you reside in California, please read this section for additional disclosures about how we collect, use, and disclose information about you under the California Consumer Privacy Act (or “CCPA”) (California Civil Code Section 1798.100 et seq.).

  • Categories of Personal Information Collected: In the previous 12 months, we have collected the personal information listed above. This information falls into the following categories under the CCPA: identifiers; categories of personal information described in Cal. Civ. Code 1798.80(e); geolocation information; internet or electronic network activity information; professional or employment related information; audio, visual, or electronic information; inferences drawn from the above categories. We have also collected certain “sensitive” personal information listed above.
  • Sensitive Personal Information Uses or Disclosures: We do not use or disclose “sensitive” personal information for purposes other than those specified by the CCPA.
  • We do not “sell” and/or “share” your personal information as those terms are defined by the CCPA.

Business Partners, Sub-contractors and suppliers

Business partners, sub-contractors or other third-party suppliers

If you are a business partner, sub-contractor, or other third-party supplier, this section will be relevant to you and sets out our uses of your personal information. Please note that we collect, use, and disclose additional personal information about you if you use our website as described in the section entitled “Users of the Astron Health website.”

What categories of personal information may we collect?

  • Your name, address, date of birth, and gender.
  • Contact information, including previous contact information, such as your telephone numbers and email addresses. This may include your personal and/or business contact information.
  • Professional or employment information, such as place(s) of work, job title, professional or industry affiliations, and previous roles.
  • Information which we have gathered from publicly available sources such as internet search engines and social media sites as part of our general due diligence enquiries.
  • Device data and information about your visits to and use of this website (including your IP address, unique device identifiers, browser type and version, operating system, referral source, length of visit, page views). For more information, please see our cookie policy.
  • Approximate geolocation information based on your IP address.

What sensitive personal information or special categories of personal information may we collect?

We do not collect any of your special categories of personal information or sensitive personal information. In the event that this changes, we will let you know.

How will we collect your information?

We will collect personal information about you from the following categories of sources in the below contexts:

  • Other group companies based in the EEA.
  • Publicly available sources such as internet search engines and social media sites.
  • Where you interact with us or contact us directly by email, phone, or via the website.
  • Third-party service providers and data aggregators.
  • We and our third-party vendors automatically collect data from you when you interact with our website. For more information, please see our cookie policy.

What will we use your personal information for?

We may use your personal information for a number of different purposes. In each case, we must have a “legal ground” to do so. Some jurisdictions may refer to these as “business” or “commercial” purposes. We will rely on the following “legal grounds”, when we process your “personal information”:

  • We need to use your personal information to enter into or perform the contract that we hold with you. For example, we may need certain information in order to operate our business arrangement.
  • We have a legal or regulatory obligation to use such personal information. For example, we may be required to carry out certain background checks.
  • We need to use your personal information for a valid business reason. This includes the following activities: to keep business and accounting records; to manage our business operations; to follow up on your enquiries; to analyze, personalize, develop, and improve our products and services, including developing new products or services; to support marketing and advertising activities; for quality assurance and training purposes; and to protect the integrity and security of our products and services. When using your personal information for these purposes, we will consider your rights and interests in accordance with applicable law.

Summary table on the legal grounds for processing your information

| PURPOSE FOR PROCESSING | LEGAL GROUNDS FOR USING YOUR PERSONAL INFORMATION | LEGAL GROUNDS FOR USING YOUR SPECIAL CATEGORIES OF PERSONAL INFORMATION |
| --- | --- | --- |
| Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g., tax or legal advice). For business processes and activities including analysis, review, planning and business transaction. | The processing is necessary for legitimate interest in the form of a valid business reason (to effectively manage our business operations). | |
| Complying with our legal or regulatory obligations. | We need to use your information in order to comply with our legal obligations. | |
| Providing improved quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers). | The processing is necessary for legitimate interest in the form of a valid business reason (to develop and improve the products and services we offer). | |
| Communicating with you to manage and handle your queries. | The processing is necessary for legitimate interest in the form of a valid business reason (to send you communications to effectively manage our business and respond to your queries). It is necessary to enter into or perform our contract with you. | |
| Investigating or detecting the unauthorised use of our systems, to secure our system and to ensure the effective operation of our systems. | The processing is necessary for legitimate interest in the form of a valid business reason (to ensure the integrity and security of our systems). | |

Who will we share your personal information with?

We will disclose your personal information as reasonably necessary for the purposes set out above with the following categories of parties:

  • Other group companies based in the EEA.
  • Our third-party service providers such as IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisers.
  • Third parties to evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by us is among the assets transferred.
  • Those who we are under a duty to disclose or share your personal information with in order to comply with any legal obligation or for the purposes of fraud protection and credit risk reduction. This includes law enforcement or government agencies to comply with the law or, where appropriate, assist law enforcement.
  • Third parties, using anonymised data, for the purposes of conducting marketing-related activities, including conducting market research and reports.

Additional Disclosures for California Residents

If you reside in California, please read this section for additional disclosures about how we collect, use, and disclose information about you under the California Consumer Privacy Act (or “CCPA”) (California Civil Code Section 1798.100 et seq.).

  • Categories of Personal Information Collected: In the previous 12 months, we have collected the personal information listed above. This information falls into the following categories under the CCPA: identifiers; categories of personal information described in Cal. Civ. Code 1798.80(e); geolocation information; internet or electronic network activity information; professional or employment related information; audio, visual, or electronic information; inferences drawn from the above categories.
  • We do not “sell” and/or “share” your personal information as those terms are defined by the CCPA.

What marketing activities do we carry out?

We may use your personal information to provide you with information about our products or services which may be of interest to you, where you are a website visitor or an existing patient, and which are complementary to, or part of, the ongoing services we offer, or where you have provided your consent for us to do so.

We may use your personal information to provide you with information about our products, our services or our research which may be of interest to you where you are a healthcare professional who has registered an interest in learning more about our work.

We and our third-party vendors may use a variety of digital technologies over time and across different websites, including this website, to facilitate, deliver, and measure these marketing messages and online targeted ads. For more information, including options you have to manage this data collection, please see our cookie policy. If you wish to opt out of marketing communications, you may do so by clicking on the “unsubscribe” link that appears in all emails or telling us when we call you. Otherwise, you can always contact us at support@astron.health to update your contact preferences.

Please note that, even if you opt out of receiving marketing messages, we may still send you communications which are relevant to the nature of the clinical services we offer you as a patient.

How long do we keep your personal information for?

We will retain your personal information for as long as your account is active or as reasonably necessary to provide you services, comply with our legal and regulatory obligations, resolve disputes and/or enforce our agreements.

The exact time period will depend on your relationship with us and the type of personal information we hold.

If you would like further information regarding the periods for which your personal information will be stored, please contact us at support@astron.health.

How do we protect your information?

We take reasonable precautions to help protect the security and privacy of your personal information.

We will store your personal information (including any sensitive or special categories of information) in a specialist I.T. system, hosted in the Microsoft Azure cloud platform. In order to help prevent unauthorised access, loss, misuse or disclosure, we take and maintain reasonable and appropriate technical, organisational and physical safeguards designed to protect your personal information. We have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us including the use of pseudonymisation, encryption generally, a clean desk policy and access controls which we regularly review. Our overall data security policies are documented under our Systems Level Security Policy and reviewed regularly.

Do we collect children’s information?

We will never knowingly request personal information from anyone under the age of 18. Our website is not targeted to or intended for use by children. Accordingly, we do not have actual knowledge that we sell or share the personal information of consumers under the age of 16 years old. However, if we learn that we have received personal information from a child under the age of 18 without appropriate parental consent, we will delete that information from our database.

What is our approach to sending your personal information overseas?

There may be some instances where your personal information is transferred to countries outside of the EEA, such as when we transfer information to a patient’s primary healthcare provider based outside the EEA, when we are treating a patient via telemedicine or when a patient elects to travel to a country outside the EEA for their treatment.

Where such a transfer takes place, we will take the appropriate safeguarding measures in accordance with applicable law to ensure that your personal information is adequately protected. We will do so in a number of ways including:

  • entering into data transfer contracts and using specific contractual provisions that have been approved by the Information Commissioner’s Office, otherwise known as the “International Data Transfer Agreement”.
  • only transferring personal information to companies in non-EEA countries who have been deemed by European data protection authorities to have adequate levels of data protection for the protection of personal information.

We are also entitled under European data protection laws to transfer your personal information to countries outside the EEA where it is necessary for the performance of the contract we have with you.

If you would like further information regarding our data transfers and the steps we take to safeguard your personal information, please contact us at support@astron.health.

Your rights

Depending on your place of residency, including certain states in the United States and the UK or EEA, you may have a number of rights in relation to the personal information that we hold about you, which we set out below. If you or your authorized agent would like to exercise your rights, please contact us at any time at support@astron.health. In order to process your request, we may ask you to verify your identity by confirming your name, email address, phone number, or other identifiable information that we have about you in our records, such as your most recent interaction with us, if applicable.

Please note that although we take your rights seriously, there may be some circumstances where we cannot comply with your request such as where complying with it would mean that we couldn’t comply with our own legal or regulatory requirements. However, we will always respond to any request you make and if we can’t comply with your request, we will tell you why. Please note that we reserve the right to honor your request to the extent required by applicable law.

The right to access your personal information

You have the right to access the information that we hold about you. We will not usually charge you in relation to a request. We are happy to provide you with such details but, in the interests of confidentiality, we follow strict disclosure procedures which may mean that we will require proof of identity from you prior to disclosing such information. We will usually provide your personal information to you in writing unless you request otherwise. Where your request has been made electronically (e.g., by email), a copy of your personal information will be provided to you by secure electronic means where possible.

The right to rectification

We take reasonable efforts to ensure that the personal information we are holding on you is accurate and up to date. However, if you do not believe this is the case, please contact us and we will promptly correct any information found to be incorrect.

The right to restriction of processing

In certain circumstances, you have the right to ask us to stop using your personal information, for example where you think that we no longer need to use your personal information. This may also include requests in specific contexts, such as if we process personal information that is considered “sensitive” under certain U.S. states or engage in certain automated decision-making activities.

The right to withdraw your consent

Where we rely on your consent to process your personal information, you have the right to withdraw such consent to further use of your personal information.

The right to erasure

In certain circumstances, you have the right to request that your personal information is deleted such as where we no longer need your personal information for the purpose we originally collected it.

The right to object to direct marketing

You have a choice about whether or not you wish to receive marketing information from us and you have the right to request that we stop sending you marketing messages at any time. You can do this either by clicking on the “unsubscribe” button in any email that we send to you or by contacting us at support@astron.health. This also includes the right to opt out of targeted advertising, also referred to as “sharing” in some U.S. jurisdictions.

The right to opt out of sales

Because we may engage in the practice of online targeted advertising, we may “sell” your personal information as those terms are defined by certain jurisdictions. You may have the right to opt out of “sales” of your personal information.

The right to data portability and/or obtain a copy

In certain circumstances, you have the right to request that we transfer any personal information that you have provided to us to a third party of your choice.

Rights relating to automated decision-making

We do not carry out any automated decision-making but in the event that this changes in the future, we will notify you.

The right to appeal

If we deny your request to exercise the above rights, you may have the right to appeal the decision with us. If you would like to appeal a prior decision, please include information about your prior request to help us review your appeal request.

The right to lodge a complaint

You have a right to complain to the Information Commissioner’s Office (“ICO”) if you believe that any use of your personal information by us is in breach of applicable data protection laws and regulations. You can visit the ICO’s website at https://ico.org.uk for more information. Please note that lodging a complaint will not affect any other legal rights or remedies that you have. If we deny your appeal to review a prior decision to exercise the above rights, you may also submit a complaint to the relevant supervisory authority, which may include the office of your state attorney general.

The right to nondiscrimination

We will not discriminate against you for exercising these rights.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. You should familiarise yourself with the privacy statement applicable to the website in question before use.

Contacting us

If you would like any further information about any of the matters in this policy or if you have any other questions about how we collect, store or use your personal information, you may contact our Data Protection Officer, Mr. Benjamin Whately, by email at support@astron.health or by writing to us at Astron Health USA Corporation, 251 Little Falls Drive, Wilmington, Delaware, 19808.

GDPR in Europe

Astron Health, which processes the personal information of individuals in the European Union and European Economic Area, in either role of ‘data controller’ or ‘data processor’, has appointed DataRep as its Data Protection Representative for the purposes of GDPR.

Updates to this policy

We may need to change this policy from time to time, for example, as the result of changes to law, technologies, or other developments. We will provide you with the most up-to-date notice and you can check this document periodically to view it.

This policy was last updated on 17th December 2024.

In order to make this policy as user friendly as possible, we have split it into different sections. Please click on the section below that best describes your relationship with us and the service you receive from us.

We may share your personal data where necessary with the parties set out below in the relevant sections of this policy. We require all third parties to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.

Prospective or existing patients

Where you are a prospective or existing patient enquiring about or receiving cancer treatments or participating in a cancer study

This section will apply if you currently participate in a cancer study or receive cancer treatment or if you are looking to participate in a cancer study or receive cancer treatment.

What personal information may we collect?

We may collect the following personal information:

  • General information such as your name, address, phone numbers and email addresses, date of birth and gender.
  • Identification information including passport, driving license, national identity card (for non-UK nationals) or government issued ID verification.
  • Employment information such as job title, employment history and professional accreditations.
  • Financial information such as your bank details and credit and debit card details.
  • Information about your family including information about your dependents.
  • Information obtained during telephone recordings.
  • Information about your visits to and use of this website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views). For more information, please see our cookie policy.

What special categories of personal information may we collect?

  • Details about your physical, mental and emotional health including information on your medical history and treatments received, including but not limited to: blood test results, radiology (imaging reports), medical examinations, histology (biopsies), allergies, co-morbidities, current and historical medications, relevant psychological assessments (including quality of life assessments), bone assessments, performance status (i.e. appetite, pain levels, quality of life).
  • Details of your race and/or ethnicity.
  • Details of any genetic data or biometric data relating to you.
  • Details of your sexual orientation (where relevant to your care).

How will we collect your personal information?

We will collect information directly from you when:

  • You attend a medical appointment (either in person, or via telehealth) at our clinic or fill in forms on our website.
  • You contact us by email, telephone and through other written and verbal communications.
  • We deal with any complaints you may have.

As well as obtaining information directly from you, we will also collect your personal information from:

  • Enquiries and discussions with, and referrals from, healthcare professionals including NHS doctors, GPs and oncologists.
  • Your GP, other hospitals or clinics where you are currently being treated who may share your medical information with us.

What will we use your personal information for?

There are a number of reasons we use your personal information and for each purpose we need to have a “legal ground” to do so.

We will rely on the following “legal grounds” when we process your “personal information”:

  • Performance of a contract: We need to use your personal information to enter into or perform the contract that we hold with you.
  • Legal obligation: We have a legal or regulatory obligation to use such personal information.
  • Legitimate interest: We have a valid business reason (known as a legitimate interest) to use your personal information, and which is necessary for our everyday business operations and activities (e.g., to keep business and accounting records, manage our business operations and to develop and improve our products and services). When using your personal information for these purposes, we will always consider your rights and interests.
  • Vital interest: In very rare circumstances we may need to use your personal information to protect your vital interests. This may happen where you are critically ill and we need to administer emergency treatment or pass on your information to others to enable them to administer emergency treatment to you.

In each case we assess our need to use this personal information for these purposes against your rights to privacy to ensure we are protecting your rights.

When we use your “special categories of personal information”, we must have an additional “condition”

For certain processing purposes, we have outlined alternative legal grounds. We will rely on the following conditions when we process your special categories of personal information:

  1. You have given your explicit consent to our use of your special categories of personal information.
  2. We need to use such special categories of personal information to establish, exercise or defend legal rights, such as when we are facing legal proceedings or want to bring legal proceedings ourselves.
  3. We need to use such special categories of personal information for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of health care systems and services.
  4. We need to use such special categories of personal information for the purposes of medical and scientific research, where that research is not to support measures or decisions with respect to particular individuals.

As per the Data Protection Act 2018, when we process data based on the condition in (3) above, this will be processed by or under the responsibility of a professional who is subject to the obligation of professional secrecy under relevant EU or national law.

Summary table on the legal grounds for processing your information

PURPOSE FOR PROCESSING LEGAL GROUNDS FOR USING YOUR PERSONAL INFORMATION CONDITIONS FOR USING YOUR SPECIAL CATEGORIES OF PERSONAL INFORMATION
To carry out our obligations arising from any contracts entered into between you and us. It is necessary to enter into or perform your contract. The processing is necessary for a legitimate interest in the form of a valid business reason (to ensure that we fulfil our contractual obligations to clients). We need to use your information in order to establish, exercise or defend legal rights. You have given us your explicit consent.
To provide you with the information, products and services that you request from us. The processing is necessary for a legitimate interest in the form of a valid business reason (to provide you with information about our treatments, products and services that we offer). The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of healthcare systems and services. You have given us your explicit consent.
To contact you about a request/enquiry you have made with us, for example requesting an appointment with a consultant. The processing is necessary for a legitimate interest in the form of a valid business reason (to respond to requests received as part of running our business efficiently and effectively). The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of healthcare systems and services. You have given us your explicit consent.
To communicate with your healthcare providers. It is necessary to enter into or perform your contract. The processing is necessary for a legitimate interest in the form of a valid business reason (to ensure that we fulfil our contractual obligations to clients). We are processing the information to protect your vital interests. The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of healthcare systems and services. You have given us your explicit consent. The processing is necessary for protecting your vital interests.
To provide you with information you may have requested, for example, a letter for your doctor. It is necessary to enter into or perform your contract. It is necessary for compliance with a legal obligation to which we are subject (your data subject access rights). The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of healthcare systems and services. You have given us your explicit consent.
To notify you about changes to our service. The processing is necessary for a legitimate interest in the form of a valid business reason (to notify you about changes to our service).
To conduct research and analysis in limited circumstances where we may undertake case studies involving specified individuals using pseudonymised data. The processing is necessary for legitimate interest in the form of a valid business reason (to conduct research and analysis to improve the treatments, products and services we offer). The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of healthcare systems and services, where that research is to support measures or decisions with respect to particular individuals; or the processing is necessary for the purposes of scientific research where that research is not to support measures or decisions with respect to particular individuals.
To provide to third parties, who may undertake independent statistical analysis using statistical techniques for the purposes of conducting research and producing reports to verify our research. The processing is necessary for a legitimate interest in the form of a valid business reason (to use your information to improve the treatments, products and services we offer). The processing is necessary for the purposes of preventive medicine, medical diagnosis, provision of healthcare and treatment and the management of healthcare systems and services, where that research is to support measures or decisions with respect to particular individuals; or the processing is necessary for the purposes of scientific or statistical research where that research is not to support measures or decisions with respect to particular individuals.
To evaluate and improve our business, including maintaining business records, file keeping, pricing our products appropriately, strategic business planning and internal audit, and management information. The processing is necessary for a legitimate interest in the form of a valid business reason (to run our business efficiently and effectively). You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
To comply with our legal or regulatory obligations. The use is necessary in order for us to comply with our legal obligations. The use is necessary in order for us to establish, exercise or defend our legal rights.
Communicating with you and resolving any complaints that you might have. It is necessary to enter into or perform your insurance contract. The processing is necessary for a legitimate interest in the form of a valid business reason (to send you communications, record and investigate complaints and ensure that future complaints are handled appropriately). You have given us your explicit consent. We need to use your information in order to establish, exercise or defend legal rights.
To review how our website is being used and to make improvements to our website. The processing is necessary for a legitimate interest in the form of a valid business reason (to run our business efficiently and effectively).

Who will we share your personal information with?

We will keep your personal information confidential, and we will only share it where necessary for the purposes set out above with the following parties.

  • Our business partners, suppliers and sub-contractors for the performance of any contract we enter into with you or with them for your benefit. For example, medical details you send to us electronically for assessment of your condition, arrangement of an appointment or any other purpose may be transmitted to consultants employed by, or contracted to, Astron Health for their professional opinion.
  • Healthcare professionals including NHS doctors, GPs, oncologists, referring consultants or your other primary care provider(s).
  • A registered pharmacy which is providing you with items we have prescribed for you.
  • Other third parties who we have entered into contractual arrangements with to provide services we need to carry out our everyday business activities such as document management providers, back-office system providers, storage warehouses, IT suppliers, actuaries, auditors, lawyers, pharmacy providers, your health insurance provider, outsourced business process management providers, our subcontractors and tax advisers.
  • Our insurers (if appropriate) and with your health insurance company to facilitate reimbursement to you of costs incurred by you.
  • Prospective purchasers of our business, so that you may continue receiving a seamless service from Astron Health.
  • Those who we are under a duty to disclose or share your personal data with in order to comply with any legal obligation or for the purposes of fraud protection and credit risk reduction.
  • Third parties, using anonymised data, for the purposes of conducting marketing-related activities, including conducting market research and reports.

Users of the Astron Health website

Where you are a user of the Astron Health website

If you are a user of the Astron Health website, this section will be relevant to you and sets out our uses of your personal information.

What personal information will we collect?

  • General information such as your name, phone number, email address, date of birth and gender.
  • Information about your visits to and use of this website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views). For more information, please see our cookie policy.

What special categories of personal information will we collect?

  • Details about your physical health, including information on your cancer type and medical diagnosis.
  • Details about your medical history and current and past treatments.

How will we collect your personal information?

We will collect information directly from you when:

  • You use our website and submit a form to enquire about appointments or to request a new patient information pack.
  • You provide us directly with your personal information and request to be kept informed of news from the clinic.

As well as obtaining information directly from you, we will also collect your personal information from:

  • Your family or friends, who may, on your behalf, enquire about appointments or request a patient information pack.
  • Our website may also collect your device’s unique identifier, such as your IP address.

What will we use your personal information for?

We may use your personal information for a number of different purposes. In each case, we must have a “legal ground” to do so. We will rely on the following “legal grounds”, when we process your “personal information”:

  • Legitimate interest: We need to use your personal information for a valid business reason (known as legitimate interest) (e.g., to monitor the number of visitors and usage of our website, to follow up on enquiries and to provide marketing information to you). When using your personal information for these purposes, we will always consider your rights and interests.

If you have filled in contact information, we will contact you to discuss the treatment and our clinical services. This will be based on you having consented to us contacting you.

When the information that we process is classed as “special categories of personal information”, we must have an additional “condition”. We will rely on the following conditions when we process your “special categories of personal information”:

  • You have provided your explicit consent to our use of your special categories of personal information (e.g., in relation to your marketing preferences).

Summary table on the legal grounds for processing your information

| PURPOSE FOR PROCESSING | LEGAL GROUNDS FOR USING YOUR PERSONAL INFORMATION | CONDITIONS FOR USING YOUR SPECIAL CATEGORIES OF PERSONAL INFORMATION |
| --- | --- | --- |
| To follow up on enquiries you make, or enquiries submitted on your behalf by your family and friends. | The processing is necessary for legitimate interest in the form of a business reason (to respond to all communications and enquiries we receive). | You have given us your explicit consent. |
| To provide marketing information to you. | The processing is necessary for legitimate interest in the form of a valid business reason (to send you selected communications about other products and services we offer). | You have given us your explicit consent. |
| To review how our website is being used and to make improvements to our website. | The processing is necessary for a legitimate interest in the form of a valid business reason (to run our business efficiently and effectively). | |

Healthcare Professionals

Where you are a healthcare professional

If you are a healthcare professional, this section will be relevant to you and sets out our uses of your personal information.

What personal information will we collect?

  • We will collect your name and address, your contact information such as your email address and telephone numbers, and information about your professional work such as your employer, your job title and your research interests.
  • Information about your visits to and use of this website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views). For more information, please see our cookie policy.

What special categories of personal information will we collect?

We do not collect any of your special categories of personal information. In the event that this changes, we will let you know.

How will we collect your information?

  • Where you contact us directly by email, phone or via the website, provide us with your personal information and request to be kept informed of news from the clinic.
  • When you use our website, we will collect your browsing information.

What will we use your personal information for?

We may use your personal information for a number of different purposes. In each case, we must have a “legal ground” to do so. We will rely on the following “legal ground”, when we process your “personal information”:

  • Legitimate interest: We need to use your personal information for a legitimate interest in the form of a valid business reason (e.g., to monitor the number of visitors and usage of our website, to follow up on your enquiries and to send you research materials and updates about our activities). When using your personal information for these purposes, we will always consider your rights and interests.

Summary table on the legal grounds for processing your information

| PURPOSE FOR PROCESSING | LEGAL GROUNDS FOR USING YOUR PERSONAL INFORMATION | CONDITIONS FOR USING YOUR SPECIAL CATEGORIES OF PERSONAL INFORMATION |
| --- | --- | --- |
| To follow up on enquiries you make where you have filled in contact information or where we communicate with you about a patient that you have referred to us. | The processing is necessary for legitimate interest in the form of a valid business reason (to respond to your queries and to provide you with information about our treatment and clinical services, clinical research programmes and information related to a patient referral). | |
| To send you research materials and updates about our activities. | The processing is necessary for legitimate interest in the form of a valid business reason (to send you selected research materials and information about our activities). | |
| To review how our website is being used and to make improvements to our website. | The processing is necessary for a legitimate interest in the form of a valid business reason (to run our business efficiently and effectively). | |

Who will we share your personal information with?

We will keep your personal information confidential, and we will only share it where necessary for the purposes set out above with the following parties:

  • Other group companies based in the EEA.
  • Third parties who we have entered into contractual arrangements with to provide services we need to carry out everyday business activities such as IT suppliers, marketing services providers and website providers.
  • Third party healthcare providers who are involved in the care of a patient, who may need to contact you regarding the care of that patient.

Business partners, Sub-contractors and suppliers

Business partners, sub-contractors or other third-party suppliers

If you are a business partner, sub-contractor or other third-party supplier, this section will be relevant to you and sets out our uses of your personal information.

What personal information will we collect?

  • Your name, address, date of birth and gender.
  • Contact information, including previous contact information, such as your telephone numbers and email addresses.
  • Information about your job such as job title and previous roles.
  • Information which we have gathered from publicly available sources such as internet search engines and social media sites as part of our general due diligence enquiries.
  • Information about your visits to and use of this website (including your IP address, geographical location, browser type and version, operating system, referral source, length of visit, page views). For more information, please see our cookie policy.

What special categories of personal information will we collect?

We do not collect any of your special categories of personal information. In the event that this changes, we will let you know.

How will we collect your information?

As well as obtaining information directly from you, we will collect information from:

  • Other group companies based in the EEA.
  • Publicly available sources such as internet search engines and social media sites.
  • Our website may also collect your device’s unique identifier, such as an IP address.

What will we use your personal information for?

We may use your personal information for a number of different purposes. In each case, we must have a “legal ground” to do so. We will rely on the following “legal grounds”, when we process your “personal information”:

  • Performance of a contract: We need to use your personal information to enter into or perform the contract that we hold with you. For example, we may need certain information in order to operate our business arrangement.
  • Legal obligation: We have a legal or regulatory obligation to use such personal information. For example, we may be required to carry out certain background checks.
  • Legitimate interest: We need to use your personal information for a valid business reason (e.g., to keep business and accounting records, manage our business operations and to improve quality, training and security). When using your personal information for these purposes, we will always consider your rights and interests.

Summary table on the legal grounds for processing your information

| PURPOSE FOR PROCESSING | LEGAL GROUNDS FOR USING YOUR PERSONAL INFORMATION | CONDITIONS FOR USING YOUR SPECIAL CATEGORIES OF PERSONAL INFORMATION |
| --- | --- | --- |
| Managing our business operations such as maintaining accounting records, analysis of financial results, internal audit requirements, receiving professional advice (e.g., tax or legal advice). For business processes and activities including analysis, review, planning and business transaction. | The processing is necessary for legitimate interest in the form of a valid business reason (to effectively manage our business operations). | |
| Complying with our legal or regulatory obligations. | We need to use your information in order to comply with our legal obligations. | |
| Providing improved quality, training and security (for example, with respect to recorded or monitored phone calls to our contact numbers). | The processing is necessary for legitimate interest in the form of a valid business reason (to develop and improve the products and services we offer). | |
| Communicating with you to manage and handle your queries. | The processing is necessary for legitimate interest in the form of a valid business reason (to send you communications to effectively manage our business and respond to your queries). It is necessary to enter into or perform our contract with you. | |
| Investigating or detecting the unauthorised use of our systems, to secure our system and to ensure the effective operation of our systems. | The processing is necessary for legitimate interest in the form of a valid business reason (to ensure the integrity and security of our systems). | |

Who will we share your personal information with?

We will keep your personal information confidential, and we will only share it where necessary for the purposes set out above with the following parties:

  • Other group companies based in the EEA.
  • Our third-party service providers such as IT suppliers, actuaries, auditors, lawyers, document management providers, outsourced business process management providers, our subcontractors and tax advisers.
  • Selected third parties in connection with any sale, transfer or disposal of our business.

What marketing activities do we carry out?

We may use your personal information to provide you with information about our products or services which may be of interest to you where you are an existing patient and which are complementary to, or part of, the ongoing services we offer, or where you have provided your consent for us to do so.

We may use your personal information to provide you with information about our products, our services or our research which may be of interest to you where you are a healthcare professional who has registered an interest in learning more about our work.

We are committed to only sending you marketing communications that you have clearly expressed an interest in receiving. If you wish to opt out of marketing, you may do so by clicking on the “unsubscribe” link that appears in all emails or telling us when we call you. Otherwise, you can always contact us at support@astron.health to update your contact preferences.

Please note that, even if you opt out of receiving marketing messages, we may still send you communications which are relevant to the nature of the clinical services we offer you as a patient.

How long do we keep your personal information for?

We will retain your personal information for as long as your account is active or as reasonably necessary to provide you services, comply with our legal and regulatory obligations, resolve disputes and/or enforce our agreements.

The exact time period will depend on your relationship with us and the type of personal information we hold.

If you would like further information regarding the periods for which your personal information will be stored, please contact us at support@astron.health.

How do we protect your information?

We are committed to ensuring that your information is secure.

We will store your personal information (including the special category information) in a specialist I.T. system, hosted in the Microsoft Azure cloud platform. Azure data storage adheres to all data protection, privacy and security standards. More information can be found here. In order to prevent unauthorised access, loss, misuse or disclosure, we take and maintain appropriate technical, organisational and physical safeguards designed to protect your personal information. We have put in place physical, electronic, and managerial procedures to safeguard and secure the information you provide to us including the use of pseudonymisation, encryption generally, a clean desk policy and access controls which we regularly review. Our overall data security policies are documented under our Systems Level Security Policy and reviewed regularly.

What is our approach to sending your personal information overseas?

There may be some instances where your personal information is transferred to countries outside of the UK or EEA (as applicable), such as when we transfer information to a patient’s primary healthcare provider based outside the UK or EEA (as applicable), when we are treating a patient via telehealth or when a patient elects to travel to a country outside the UK or EEA (as applicable) for their treatment.

Where such a transfer takes place, we will take the appropriate safeguarding measures to ensure that your personal information is adequately protected. We will do so in a number of ways including where required:

  • entering into data transfer contracts and using specific contractual provisions that have been approved by the Information Commissioner’s Office, otherwise known as the “International Data Transfer Agreement”; and
  • only transferring personal information to companies in non-UK or non-EEA countries (as applicable) who have been deemed by UK or European data protection authorities (as applicable) to have adequate levels of data protection for the protection of personal information.

We are also entitled under UK or European data protection laws to transfer your personal information to countries outside the UK or EEA where it is necessary for the performance of the contract we have with you.

If you would like further information regarding our data transfers and the steps we take to safeguard your personal information, please contact us at support@astron.health.

Your rights

Under data protection law you have a number of rights in relation to the personal information that we hold about you which we set out below. You can exercise your rights by contacting us at any time at support@astron.health.

Please note that although we take your rights seriously, there may be some circumstances where we cannot comply with your request such as where complying with it would mean that we couldn’t comply with our own legal or regulatory requirements. However, we will always respond to any request you make and if we can’t comply with your request, we will tell you why.

The right to access your personal information

You have the right to access the information that we hold about you. We will not usually charge you in relation to a request. We are happy to provide you with such details but, in the interests of confidentiality, we follow strict disclosure procedures which may mean that we will require proof of identity from you prior to disclosing such information. We will usually provide your personal information to you in writing unless you request otherwise. Where your request has been made electronically (e.g., by email), a copy of your personal information will be provided to you by secure electronic means where possible.

The right to rectification

We take reasonable efforts to ensure that the personal information we are holding on you is accurate and up to date. However, if you do not believe this is the case, please contact us and we will promptly correct any information found to be incorrect.

The right to restriction of processing

In certain circumstances, you have the right to ask us to stop using your personal information, for example where you think that we no longer need to use your personal information.

The right to withdraw your consent

Where we rely on your consent to process your personal information, you have the right to withdraw such consent to further use of your personal information at any time.

The right to erasure

In certain circumstances, you have the right to request that your personal information is deleted such as where we no longer need your personal information for the purpose we originally collected it.

The right to object to direct marketing

You have a choice about whether or not you wish to receive marketing information from us and you have the right to request that we stop sending you marketing messages at any time. You can do this either by clicking on the “unsubscribe” button in any email that we send to you or by contacting us at support@astron.health.

The right to data portability

In certain circumstances, you have the right to request that we transfer any personal information that you have provided to us to a third party of your choice.

Rights relating to automated decision-making

We do not carry out any automated decision-making but in the event that this changes in the future, we will notify you.

The right to make a complaint with the Information Commissioner’s Office (ICO)

You have a right to complain to the ICO if you believe that any use of your personal information by us is in breach of applicable data protection laws and regulations. You can visit the ICO’s website at https://ico.org.uk for more information. Please note that lodging a complaint will not affect any other legal rights or remedies that you have.

Links to other websites

Our website may contain links to other websites of interest. However, once you have used these links to leave our site, you should note that we do not have any control over that other website. You should familiarise yourself with the privacy statement applicable to the website in question before use.

Contacting us

If you would like any further information about any of the matters in this policy or if you have any other questions about how we collect, store or use your personal information, you may contact our Data Protection Officer, Mr. Benjamin Whately, by email at ben@astron.health.

GDPR in Europe

Astron Health, which processes the personal data of individuals in the European Union and European Economic Area, in either role of ‘data controller’ or ‘data processor’, has appointed DataRep as its Data Protection Representative for the purposes of GDPR.

Updates to this policy

We may need to change this policy from time to time, for example, as the result of changes to law, technologies, or other developments. We will provide you with the most up-to-date notice and you can check this document periodically to view it.

This policy was last updated on 9 January 2025.