
Privacy Policy

Purpose

The Mayfair General Practice Ltd ("The Mayfair GP", "we", "us" or "our") is committed to respecting your privacy and protecting your personal information. This Privacy Notice explains how we collect, use, store and manage your personal data when you use our website, whether you are a patient receiving our medical services, a supplier providing goods or services to us or a website visitor. We also explain your rights under UK and (where relevant) EU data protection laws, including the UK Data Protection Act 2018 and the UK/EU General Data Protection Regulation (GDPR).

Controller for Personal Data

A "controller" is the organisation responsible for determining why and how your personal data is used. For all purposes described in this notice, The Mayfair GP acts as the controller of the data processed via our website or where we directly interact with you (for example, where you are a patient), unless otherwise stated.

Scope

This notice covers all the ways in which we process personal data in connection with:

·       Patients: Where you access and use our healthcare, diagnostic or medical coordination services.

·       Suppliers: Where you provide services or products to us.

·       Website visitors: Anyone accessing, browsing or using our website and online content.

Types of Personal Data

Personal data means any information about you from which you can be identified. The information that we collect depends on your relationship with us.

For patients, this may include:

  • Identity Data: Name, date of birth, title and unique identifiers (e.g., patient ID).

  • Contact Data: Address, telephone numbers, email address.

  • Health Data: Details about medical consultations, health screening, diagnostic tests, clinical notes, referrals and care coordination.

  • Financial Data: Payment card details, bank account information and billing address.

  • Transaction Data: Payment records, appointment history, services received.

  • Technical Data: IP address, browser information, login details, time zone and device information.

  • Profile Data: Login credentials, feedback, preferences.

  • Usage Data: Interactions with our website, appointment booking behaviour.

  • Marketing and Communications Data: Marketing preferences, newsletter opt-ins.

For suppliers and website visitors, the categories are similar but exclude Health Data and focus on identification, contact and business information.

Lawful Bases: How We Use Your Personal Data

We only use your personal data when permitted by law. Our main reasons include:

·       Performance of a contract: To deliver healthcare services to you.

·       Legal obligation: To comply with medical, financial and regulatory obligations.

·       Legitimate interests: For general business administration and management, provided your rights do not override our interests.

·       Consent: Where you have agreed (e.g., for marketing or posting testimonials). You may withdraw consent at any time.

·       Vital interests: To protect your health in urgent or emergency situations.

·       Public obligation: Where we must process data for reasons of public health or public interest.

Consent for Treatment versus Consent for Data Use

When you agree to treatment, you are giving consent for your clinician to provide care. This is different from consent to process your personal data. Your health information is handled under data protection laws and used only for your care, legal obligations or where you have separately agreed (for example, research or marketing).

How We Collect Your Personal Data

We collect personal data through several channels:

·       Directly from you: When you register, book appointments, complete forms, provide feedback, communicate by phone or email or interact online.

·       From third parties: For example, specialist providers, diagnostic labs, referral doctors, payment processors or partners involved in your care.

·       Automatically: Through your use of our website, including cookies and analytics technologies (see our Cookie Notice for details).

Processing Tables

The processing tables below set out the main activities for which we process personal data, the categories of personal data involved and the lawful basis we rely upon for each activity, depending on your relationship with us.

Patients: Processing Information

Where you engage our private medical and health services.

| Processing Activities | Categories of Personal Data | Lawful Basis |
| --- | --- | --- |
| To register and book appointments | Identity Data, Contact Data | Performance of a contract |
| To process and deliver medical services including payments and administration | Identity Data, Contact Data, Financial Data, Transaction Data, Health Data | Performance of a contract; Legitimate interests (e.g. debt recovery) |
| To respond to enquiries and ongoing care needs | Identity Data, Contact Data, Health Data | Performance of a contract; Legitimate interests |
| Managing health screening, diagnostic results, referrals and care coordination | Identity Data, Contact Data, Health Data | Performance of a contract; Legal obligation (healthcare regulation) |
| To administer and protect our business, IT system and online platform (security, troubleshooting, etc.) | Identity Data, Contact Data, Technical Data | Legitimate interests (running the business, for information security, fraud prevention); Legal obligation |
| Register you for newsletters and marketing communications | Identity Data, Contact Data | Consent (Opt-in) or Soft Opt-in (where applicable) |
| To post testimonials on our website that may contain personal information | Identity Data | Consent (prior to posting; request update/removal by contacting us) |

Suppliers

| Processing Activities | Categories of Personal Data | Lawful Basis |
| --- | --- | --- |
| To engage you as a supplier of goods/services | Identity Data, Contact Data | Performance of a contract |
| To communicate for product/service support | Identity Data, Contact Data | Performance of a contract; Legitimate interests (query resolution) |
| Manage payments, fees and charges we owe you | Identity Data, Contact Data, Financial Data, Transaction Data | Performance of a contract |

Website visitors

| Processing Activities | Categories of Personal Data | Lawful Basis |
| --- | --- | --- |
| When you contact us via our website (forms, links, chat features) | Identity Data, Contact Data | Legitimate interests (respond to you) |
| To administer, secure and troubleshoot our website and IT systems | Identity Data, Contact Data, Technical Data | Legitimate interests (business operation, security); Legal obligation |
| Managing our relationship, including notification of privacy policy changes | Identity Data, Contact Data, Financial Data, Transaction Data | Legitimate interests (records, analysis) |
| Use data analytics to improve our website, services, marketing, relationships | Technical Data, Usage Data | Legitimate interests (business improvement); Consent (where required by cookies law) |
| Use of non-essential cookies (retargeting, analytics and similar) | Technical Data, Usage Data | Consent (where required by cookies law) |
| Deliver relevant web content and advertising, measure ad effectiveness | Identity Data, Contact Data, Profile Data, Usage Data, Marketing Data, Technical Data | Legitimate interests (business development, marketing) |


Patients and Special Categories of Personal Data 

Where you are a patient and we process your health and medical records, we commonly rely on your explicit consent for medical purposes and also, where applicable, on the condition that the processing is necessary for the provision of healthcare or treatment by a health professional who is subject to obligations of confidentiality (as provided by Article 9(2)(h) UK GDPR).

This means we will always ask for your clear and specific permission before collecting, using, or sharing your health information, unless we need to process it to provide you with medical care or meet other legal obligations related to healthcare.

Your consent or our legal obligations allow us to deliver appropriate medical care, conduct diagnostic tests, make specialist referrals and coordinate your treatment. You have the right to withdraw your consent at any time but this may affect our ability to continue providing certain healthcare services to you. We will explain the implications of withdrawal at the time of your request.

Supplier: Processing Information

Where you provide goods or services necessary for our operations as a service provider.

Website Visitor: Processing Information

Where you access our web content, make enquiries or interact online.

Use of Artificial Intelligence

We or our service providers may use AI tools to assist in producing patient summaries and improving coordination of our services. Importantly, these tools do not make clinical decisions; they assist our professionals in their administrative work.

Cookies and Similar Technologies

We use cookies and similar technologies to understand how visitors interact with our site, improve usability and offer tailored experiences. Some cookies are essential for operation; others (such as those for analytics or advertising) require your consent. See our Cookie Notice for further details.

Providing Personal Data

Some personal data is required by law or to fulfil your contract with us (for example, booking medical appointments). If you do not provide the necessary information, we may not be able to provide the requested service and will inform you if that is the case.

Marketing Communications

We may send you communications about our services, events and health-related updates. You have the right to opt out of receiving them at any time, either by using the unsubscribe link provided in emails or by contacting info@themayfairgp.com. Opting out will not affect messages necessary for your medical care (such as appointment reminders).

How We Disclose Personal Information

Why & When We Share Your Data

At The Mayfair GP, we only share your personal data when necessary and always with appropriate safeguards in place. Sharing personal information enables us to deliver services to you, comply with legal obligations, operate our practice and keep your care safe and effective. We may share personal data as follows:

  • Internally within our Team: Your data is used by our doctors, nurses and administrative staff but only those who need it for your care or service delivery. Staff are bound by confidentiality agreements. Example: Your practitioner may need access to your consultation history; our admin team requires your contact details to arrange appointments.

  • Within our Corporate Group or Affiliate: Sometimes, information is shared within our group companies for management, compliance or technical support.

  •  Service Partner: We use trusted third-party service providers, including:

    • Website hosting (Wix): Stores and processes certain data necessary for running our website.

    • Clinical and Practice Management System: Securely hosts patient records and appointment information, used by our clinical staff.

    • Payment Providers: Facilitate payments and handle financial transactions.

  • Healthcare Professionals and Third Parties Involved in Your Care: If you are referred to a specialist or for tests, we share the minimum necessary data for safe treatment. We will obtain your explicit consent before sharing medical information with other providers (for example, a referral to a consultant or access by a diagnostics laboratory).

  • Legal, Accountancy and Professional Advisers: We may share data with auditors, legal advisers or insurers if required to manage our business, ensure compliance or defend/exercise legal claims.

  • Regulatory Bodies & Authorities: If legally required (for example, in public health reporting, tax or law enforcement investigations) we may disclose your data.

  • Marketing Partners: With your opt-in consent, we might share your contact details with marketing or business partners who send information or offers relevant to your interests. You can withdraw consent at any time.

  • Advertising Networks & Analytics Providers: Where consented, we may share anonymised or aggregated data with analytics services (e.g., for retargeting ads).

  • Business Transfers: In the case of business changes (mergers, acquisitions), your data may be shared with new owners subject to existing protections.

  • Other Circumstances: Where required by law or to protect vital interests (e.g., prevent harm), data may be shared as strictly necessary.

International transfers for UK/EU

We may transfer and process your personal data outside of the United Kingdom (UK)/European Union (EU) to countries where data protection laws are less stringent than those in the UK/EU. When we transfer your personal data outside of the UK/EU, we only do so to entities that offer our users the same level of data protection as that afforded by the UK Data Protection Act 2018 (including the UK GDPR) and the EU GDPR/Data Protection Laws.

1.     We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information; or 

2.     We will use specific contracts approved for use in the UK or EU which give personal information the same protection it has in the UK/EU. For example, the use of Article 46 UK and EU GDPR safeguard mechanisms to transfer personal data endorsed by the UK Government or European Commission. 

For other countries we will use local law guidance to ensure personal data is transferred securely where there is a requirement in law to do so. 

Data Security

We employ robust measures (technical and organisational) to protect your data against loss, misuse, unauthorised access, disclosure or destruction. Only qualified staff and trusted partners with a legitimate purpose can access your data. Although we strive to secure all information, internet transmission is not fully secure; sending data is at your own risk.

Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect of our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal, regulatory, tax, accounting or other requirements.

Data Subject Rights

Under certain circumstances, you have rights under Data Protection Laws. Not all rights are absolute and depending on where you are located, not all rights are given to you. You can:

Request access to your personal data: This is known as a "subject access request" and enables you to receive a copy of the personal data we hold about you.

Request correction of your personal data: This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal data: This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it. We may not always be able to comply with your request for erasure for specific legal reasons, which will be notified to you at the time of your request.

Object to processing of your personal data: This is where we are processing your personal data based on a legitimate interest or those of a third party and you may challenge this. However, we may be entitled to continue processing your information based on our legitimate interests or where this is relevant to any legal claims. See also Marketing Communications.

Request restriction of processing your personal information: This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the information's accuracy; (b) where our use of the information is unlawful but you do not want us to erase it; (c) where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.

Request transfer of your personal information (“data portability”): This is where in some circumstances we will provide to you or a third party you have chosen your personal data in a structured, commonly used, machine-readable format.

Right to withdraw consent: This is where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. Depending on the processing activity, we may not be able to provide certain services to you if you withdraw your consent. We will advise you if this is the case at the time you withdraw your consent.

Automated decision making: This is where decisions are made about you by automated means. We do not carry out automated decision making.

Carrying Out Your Data Subject Rights 

You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information or to exercise any of your other rights. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you wish to exercise any of the rights set out above, please contact us.

Keeping Personal Information Accurate and Current 

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. Please contact us if you wish to update your personal data.

Concerns and Complaints 

We would appreciate the chance to deal with your concerns in the first instance. Please see the Contact Us section. If you have unresolved issues, you have the right to complain at any time to a supervisory authority for data protection issues, such as the UK data protection regulator, the Information Commissioner’s Office (ICO).

You may lodge a complaint with a supervisory authority if you live or work outside the UK or you have a complaint concerning our personal data processing activities. 

Changes to Our Privacy Notice 

This privacy notice may be changed from time to time in response to legal, technical or business developments. We will take appropriate measures to inform you when we update our privacy notice. We will obtain your consent to any material privacy notice changes if and where this is required by applicable Data Protection Laws.

Contact Us 

If you would like more information about the way we manage personal information that we hold about you please contact us at:

Version Control 

This version was last updated in January 2026.


Marketing Communications

We may send you communications about our services, events and health-related updates. You have the right to opt out of receiving them at any time, either by using the unsubscribe link provided in emails or by contacting info@themayfairgp.com. Opting out will not affect messages necessary for your medical care (such as appointment reminders).

How We Disclose Personal Information

Why & When We Share Your Data

​

At The Mayfair GP, we only share your personal data when necessary and always with appropriate safeguards in place. Sharing personal information enables us to deliver services to you comply with legal obligations, operate our practice and keep your care safe and effective. We may share personal data as follows: 

​

  • Internally within our Team: Your data is used by our doctors, nurses and administrative staff but only those who need it for your care or service delivery. Staff are bound by confidentiality agreements. Example: Your practitioner may need access to your consultation history; our admin team requires your contact details to arrange appointments.

  • Within our Corporate Group or Affiliate: Sometimes, information is shared within our group companies for management, compliance or technical support.

  •  Service Partner: We use trusted third-party service providers, including:

    • Website hosting (Wix): Stores and processes certain data necessary for running our website.

    • Clinical and Practice Management System: Securely hosts patient records and appointment information, used by our clinical staff.

    • Payment Providers: Facilitate payments and handle financial transactions.

  • Healthcare Professionals and Third Parties Involved in Your Care: If you are referred to a specialist or for tests, we share the minimum necessary data for safe treatment. We will obtain your explicit consent before sharing medical information with other providers (for example, a referral to a consultant or access by a diagnostics laboratory).

  • Legal, Accountancy and Professional Advisers: We may share data with auditors, legal advisers or insurers if required to manage our business, ensure compliance or defend/exercise legal claims.

  • Regulatory Bodies & Authorities: If legally required (for example, in public health reporting, tax or law enforcement investigations) we may disclose your data.

  • Marketing Partners: With your opt-in consent, we might share your contact details with marketing or business partners who send information or offers relevant to your interests. You can withdraw consent at any time.

  • Advertising Networks & Analytics Providers: Where consented, we may share anonymised or aggregated data with analytics services (e.g., for retargeting ads).

  • Business Transfers: In the case of business changes (mergers, acquisitions), your data may be shared with new owners subject to existing protections.

  • Other Circumstances: Where required by law or to protect vital interests (e.g., prevent harm), data may be shared as strictly necessary.

International transfers for UK/EU

We may transfer and process your personal data outside of the United Kingdom (UK) /European Union (EU) to countries where data protection laws are less stringent than those in the UK/EU. When we transfer your personal data outside of the UK/ EU we only do so to entities that offer our users the same level of data protection as that afforded by the UK Data Protection Act 2018 (including the UK GDPR) and the EU GDPR/ Data Protection Laws. 

 

1.     We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information; or 

2.     We will use specific contracts approved for use in the UK or EU which give personal information the same protection it has in the UK/EU. For example, the use of Article 46 UK and EU GDPR safeguard mechanisms to transfer personal data endorsed by the UK Government or European Commission. 

For other countries we will use local law guidance to ensure personal data is transferred securely where there is a requirement in law to do so. 

Data Security

We employ robust measures (technical and organisational) to protect your data against loss, misuse, unauthorised access, disclosure or destruction. Only qualified staff and trusted partners with a legitimate purpose can access your data. Although we strive to secure all information, internet transmission is not fully secure; sending data is at your own risk.

Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

 

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal, regulatory, tax, accounting or other requirements.

Data Subject Rights

Under certain circumstances, you have rights under Data Protection Laws. Not all rights are absolute and depending on where you are located, not all rights are given to you. You can:

​

Request access to your personal data: This is known as a "subject access request" and enables you to receive a copy of the personal data we hold about you.

Request correction of your personal data: This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal data: This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you at the time of your request.

Object to processing of your personal data: This is where we are processing your personal data based on a legitimate interest or those of a third party and you may challenge this.  However, we may be entitled to continue processing your information based on our legitimate interests or where this is relevant to any legal claims.  See also Marketing communications. 

Request restriction of processing your personal information: This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the information's accuracy (b) where our use of the information is unlawful but you do not want us to erase it (c) where you need us to hold the information even if we no longer require it as you need it to establish, exercise or defend legal claims or (d) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.

Request transfer of your personal information (“data portability”): This is where in some circumstances we will provide to you or a third party you have chosen your personal data in a structured, commonly used, machine-readable format.

Right to withdraw consent: This is where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. Depending on the processing activity, we may not be able to provide certain services to you if you withdraw your consent. We will advise you if this is the case at the time you withdraw your consent.

Automated decision making:  This is where decisions are made about you by automated means. We do not carry out automated decision making. 

Carrying Out Your Data Subject Rights 

You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information or to exercise any of your other rights. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

​

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

​

If you wish to exercise any of the rights set out above, please contact us.

Keeping Personal Information Accurate and Current 

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. Please contact us if you wish to update your personal data.

Concerns and Complaints 

We would appreciate the chance to deal with your concerns in the first instance. Please see the Contact Us section. If you have unresolved issues, you have the right to complain at any time to a data protection supervisory authority for data protection issues such as the UK data protection regulator – the Information Commissioner’s Office (ICO).

You may lodge a complaint with a supervisory authority if you live or work outside the UK or you have a complaint concerning our personal data processing activities. 

Changes to Our Privacy Notice 

This privacy notice may be changed from time to time in response to legal, technical or business developments. We will take appropriate measures to inform you when we update our privacy notice. We will obtain your consent to any material privacy notice changes if and where this is required by applicable Data Protection Laws.

Contact Us 

If you would like more information about the way we manage personal information that we hold about you please contact us at:

​

 

Version Control 

This version was last updated in January 2026.

Types of Personal Data

Personal data means any information about you from which you can be identified. The information that we collect depends on your relationship with us.

​

For patients, this may include:

 

  • Identity Data: Name, date of birth, title and unique identifiers (e.g., patient ID).

  • Contact Data: Address, telephone numbers, email address.

  • Health Data: Details about medical consultations, health screening, diagnostic tests, clinical notes, referrals and care coordination.

  • Financial Data: Payment card details, bank account information and billing address.

  • Transaction Data: Payment records, appointment history, services received.

  • Technical Data: IP address, browser information, login details, time zone and device information.

  • Profile Data: Login credentials, feedback, preferences.

  • Usage Data: Interactions with our website, appointment booking behaviour.

  • Marketing and Communications Data: Marketing preferences, newsletter opt-ins.

 

For suppliers and website visitors, categories are similar excluding Health Data and focused on identification, contact and business information.

Lawful Bases: How We Use Your Personal Data

We only use your personal data when permitted by law. Our main reasons include:

​

·       Performance of a contract: To deliver healthcare services to you.

·       Legal obligation: To comply with medical, financial and regulatory obligations.

·       Legitimate interests: For general business administration and management, provided your rights do not override our interests.

·       Consent: Where you have agreed (e.g., for marketing or posting testimonials). You may withdraw consent at any time.

·       Vital interests: To protect your health in urgent or emergency situations.

·       Public obligation: Where we must process data for reasons of public health or public interest.

Consent for Treatment versus Consent for Data Use

When you agree to treatment, you are giving consent for your clinician to provide care. This is different from consent to process your personal data. Your health information is handled under data protection laws and used only for your care, legal obligations or where you have separately agreed (for example, research or marketing).

How We Collect Your Personal Data

We collect personal data through several channels:

​

·       Directly from you: When you register, book appointments, complete forms, provide feedback, communicate by phone or email or interact online.

·       From third parties: For example, specialist providers, diagnostic labs, referral doctors, payment processors or partners involved in your care.

·       Automatically: Through your use of our website, including cookies and analytics technologies (see our Cookie Notice for details).

Processing Tables

The processing tables below set out the main activities for which we process personal data, the categories of personal data involved and the lawful basis we rely upon for each activity, depending on your relationship with us.

​

Patients: Processing Information

​

Where you engage our private medical and health services.

| Processing Activities | Categories of Personal Data | Lawful Basis |
| --- | --- | --- |
| To register and book appointments | Identity Data, Contact Data | Performance of a contract |
| To respond to enquiries and ongoing care needs | Identity Data, Contact Data, Health Data | Performance of a contract; Legitimate interests |
| To process and deliver medical services including payments and administration | Identity Data, Contact Data, Financial Data, Transaction Data, Health Data | Performance of a contract; Legitimate interests (e.g. debt recovery) |
| Managing health screening, diagnostic results, referrals and care coordination | Identity Data, Contact Data, Health Data | Performance of a contract; Legal obligation (healthcare regulation) |
| Register you for newsletters and marketing communications | Identity Data, Contact Data | Consent (Opt-in) or Soft Opt-in (where applicable) |
| To post testimonials on our website that may contain personal information | Identity Data | Consent (prior to posting; request update/removal by contacting us) |
| To administer and protect our business, IT system and online platform (security, troubleshooting, etc.) | Identity Data, Contact Data, Technical Data | Legitimate interests (running the business, for information security, fraud prevention); Legal obligation |

Patients and Special Categories of Personal Data 

Where you are a patient and we process your health and medical records, we commonly rely on your explicit consent for medical purposes and also where applicable on the condition that the processing is necessary for the provision of healthcare or treatment by a health professional who is subject to obligations of confidentiality (as provided by Article 9(2)(h) UK GDPR).

​

This means we will always ask for your clear and specific permission before collecting, using, or sharing your health information, unless we need to process it to provide you with medical care or meet other legal obligations related to healthcare. 

​

Your consent or our legal obligations allow us to deliver appropriate medical care, conduct diagnostic tests, make specialist referrals and coordinate your treatment. You have the right to withdraw your consent at any time but this may affect our ability to continue providing certain healthcare services to you. We will explain the implications of withdrawal at the time of your request.

​

Supplier: Processing Information

​

Where you provide goods or services necessary for our operations as a service provider. 

| Processing Activities | Categories of Personal Data | Lawful Basis |
| --- | --- | --- |
| To engage you as a supplier of goods/services | Identity Data, Contact Data | Performance of a contract |
| Manage payments, fees and charges we owe you | Identity Data, Contact Data, Financial Data, Transaction Data | Performance of a contract |
| To communicate for product/service support | Identity Data, Contact Data | Performance of a contract; Legitimate interests (query resolution) |

Website Visitor: Processing Information

Where you access our web content, make enquiries or interact online.

| Processing Activities | Categories of Personal Data | Lawful Basis |
| --- | --- | --- |
| When you contact us via our website (forms, links, chat features) | Identity Data, Contact Data | Legitimate interests (respond to you) |
| Managing our relationship, including notification of privacy policy changes | Identity Data, Contact Data | Legitimate interests (records, analysis) |
| To administer, secure and troubleshoot our website and IT systems | Identity Data, Contact Data, Technical Data | Legitimate interests (business operation, security); Legal obligation |
| Deliver relevant web content and advertising, measure ad effectiveness | Deliver relevant web content and advertising, measure ad effectiveness | Legitimate interests (business development, marketing) |
| Use data analytics to improve our website, services, marketing, relationships | Technical Data, Usage Data | Legitimate interests (business improvement); Consent (where required by cookies law) |
| Use of non-essential cookies (retargeting, analytics and similar) | Technical Data, Usage Data | Consent (where required by cookies law) |

Use of Artificial Intelligence

We or our service providers may use AI tools to assist in producing patient summaries and improving coordination of our services. Importantly, these tools do not make clinical decisions; they assist our professionals in their administrative work.

Cookies and Similar Technologies

We use cookies and similar technologies to understand how visitors interact with our site, improve usability and offer tailored experiences. Some cookies are essential for operation; others (such as those for analytics or advertising) require your consent. See our Cookie Notice for further details.

Providing Personal Data

Some personal data is required by law or to fulfil your contract with us (for example, booking medical appointments). If you do not provide the necessary information, we may not be able to provide the requested service and will inform you if that is the case.

Marketing Communications

We may send you communications about our services, events and health-related updates. You have the right to opt out of receiving them at any time, either by using the unsubscribe link provided in emails or by contacting info@themayfairgp.com. Opting out will not affect messages necessary for your medical care (such as appointment reminders).

How We Disclose Personal Information

Why & When We Share Your Data

​

At The Mayfair GP, we only share your personal data when necessary and always with appropriate safeguards in place. Sharing personal information enables us to deliver services to you, comply with legal obligations, operate our practice and keep your care safe and effective. We may share personal data as follows:

​

  • Internally within our Team: Your data is used by our doctors, nurses and administrative staff but only those who need it for your care or service delivery. Staff are bound by confidentiality agreements. Example: Your practitioner may need access to your consultation history; our admin team requires your contact details to arrange appointments.

  • Within our Corporate Group or Affiliate: Sometimes, information is shared within our group companies for management, compliance or technical support.

  • Service Partner: We use trusted third-party service providers, including:

    • Website hosting (Wix): Stores and processes certain data necessary for running our website.

    • Clinical and Practice Management System: Securely hosts patient records and appointment information, used by our clinical staff.

    • Payment Providers: Facilitate payments and handle financial transactions.

  • Healthcare Professionals and Third Parties Involved in Your Care: If you are referred to a specialist or for tests, we share the minimum necessary data for safe treatment. We will obtain your explicit consent before sharing medical information with other providers (for example, a referral to a consultant or access by a diagnostics laboratory).

  • Legal, Accountancy and Professional Advisers: We may share data with auditors, legal advisers or insurers if required to manage our business, ensure compliance or defend/exercise legal claims.

  • Regulatory Bodies & Authorities: If legally required (for example, in public health reporting, tax or law enforcement investigations) we may disclose your data.

  • Marketing Partners: With your opt-in consent, we might share your contact details with marketing or business partners who send information or offers relevant to your interests. You can withdraw consent at any time.

  • Advertising Networks & Analytics Providers: Where consented, we may share anonymised or aggregated data with analytics services (e.g., for retargeting ads).

  • Business Transfers: In the case of business changes (mergers, acquisitions), your data may be shared with new owners subject to existing protections.

  • Other Circumstances: Where required by law or to protect vital interests (e.g., prevent harm), data may be shared as strictly necessary.

International transfers for UK/EU

We may transfer and process your personal data outside of the United Kingdom (UK)/European Union (EU) to countries where data protection laws are less stringent than those in the UK/EU. When we transfer your personal data outside of the UK/EU, we only do so to entities that offer our users the same level of data protection as that afforded by the UK Data Protection Act 2018 (including the UK GDPR) and the EU GDPR/Data Protection Laws.

 

1.     We will only transfer your personal information to countries that have been deemed to provide an adequate level of protection for personal information; or 

2.     We will use specific contracts approved for use in the UK or EU which give personal information the same protection it has in the UK/EU. For example, the use of Article 46 UK and EU GDPR safeguard mechanisms to transfer personal data endorsed by the UK Government or European Commission. 

For other countries we will use local law guidance to ensure personal data is transferred securely where there is a requirement in law to do so. 

Data Security

We employ robust measures (technical and organisational) to protect your data against loss, misuse, unauthorised access, disclosure or destruction. Only qualified staff and trusted partners with a legitimate purpose can access your data. Although we strive to secure all information, internet transmission is not fully secure; sending data is at your own risk.

Data Retention

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, regulatory, tax, accounting or reporting requirements. We may retain your personal data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation in respect to our relationship with you.

 

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means and the applicable legal, regulatory, tax, accounting or other requirements.

Data Subject Rights

Under certain circumstances, you have rights under Data Protection Laws. Not all rights are absolute and, depending on where you are located, not all rights are given to you. You can:

​

Request access to your personal data: This is known as a "subject access request" and enables you to receive a copy of the personal data we hold about you.

Request correction of your personal data: This enables you to have any incomplete or inaccurate information we hold about you corrected.

Request erasure of your personal data: This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. We may not always be able to comply with your request of erasure for specific legal reasons which will be notified to you at the time of your request.

Object to processing of your personal data: This is where we are processing your personal data based on a legitimate interest or those of a third party and you may challenge this.  However, we may be entitled to continue processing your information based on our legitimate interests or where this is relevant to any legal claims.  See also Marketing communications. 

Request restriction of processing your personal information: This enables you to ask us to suspend the processing of your personal data in the following scenarios: (a) if you want us to establish the information's accuracy; (b) where our use of the information is unlawful but you do not want us to erase it; (c) where you need us to hold the information even if we no longer require it, as you need it to establish, exercise or defend legal claims; or (d) you have objected to our use of your information but we need to verify whether we have overriding legitimate grounds to use it.

Request transfer of your personal information (“data portability”): This is where in some circumstances we will provide to you or a third party you have chosen your personal data in a structured, commonly used, machine-readable format.

Right to withdraw consent: This is where we are relying on consent to process your personal data. This will not affect the lawfulness of any processing carried out before you withdraw your consent. Depending on the processing activity, we may not be able to provide certain services to you if you withdraw your consent. We will advise you if this is the case at the time you withdraw your consent.

Automated decision making: This is where decisions are made about you by automated means. We do not carry out automated decision making.

Carrying Out Your Data Subject Rights 

You will not have to pay a fee to access your personal data or to exercise any of the other rights. However, we may charge a reasonable fee if your request is clearly unfounded, repetitive or excessive. We may need to request specific information from you to help us confirm your identity and ensure your right to access your personal information or to exercise any of your other rights. This is a security measure to ensure that personal information is not disclosed to any person who has no right to receive it. We may also contact you to ask you for further information in relation to your request to speed up our response.

We try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you wish to exercise any of the rights set out above, please contact us.

Keeping Personal Information Accurate and Current 

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during your relationship with us. Please contact us if you wish to update your personal data.

Concerns and Complaints 

We would appreciate the chance to deal with your concerns in the first instance. Please see the Contact Us section. If you have unresolved issues, you have the right to complain at any time to a data protection supervisory authority for data protection issues, such as the UK data protection regulator, the Information Commissioner’s Office (ICO).

You may lodge a complaint with a supervisory authority if you live or work outside the UK or you have a complaint concerning our personal data processing activities. 

Changes to Our Privacy Notice 

This privacy notice may be changed from time to time in response to legal, technical or business developments. We will take appropriate measures to inform you when we update our privacy notice. We will obtain your consent to any material privacy notice changes if and where this is required by applicable Data Protection Laws.

Contact Us 

If you would like more information about the way we manage personal information that we hold about you please contact us at:

Version Control 

This version was last updated in January 2026.
