Privacy Policy

This privacy policy describes how Harpenden Medical protects and makes use of the information you provide when you use this patient portal application (“the App”).

We reserve the right to update this policy from time to time. The latest version is published on this page.

This privacy policy was updated on: 25 March 2026.

If you have any questions about this policy, please contact us at info@harpendenmedical.com or call 01582 291 828. If you do not agree with this privacy policy, please do not use this App.

Harpenden Medical (“we”, “us”, “our”) is a private health and wellness clinic located at The Old Stables, Pipers Lane, Harpenden, AL5 1AJ. We are registered with the Care Quality Commission (CQC) and comply with all applicable UK data protection legislation including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

This App allows registered patients to securely access their health information, including appointments, laboratory results, clinical letters, and medical documents. Certain general information such as our team, opening times, and contact details is available without registration.

Through this App, we may collect and process the following personal data:

• Your name, date of birth, email address, and phone number
• Health data including appointment records, lab results, clinical letters, medical documents, and consultation notes (sourced from our clinical system)
• Authentication data such as login credentials, managed securely via our authentication provider (we never store your password directly)
• Usage data including audit logs recording which pages you access and when, for security and regulatory compliance

We do not sell, rent, or share your personal data with any third parties for marketing purposes.

We process your personal data under the following lawful bases:

• Performance of a contract: to provide you with access to your medical records and appointment information as part of our patient services
• Legal obligation: to comply with CQC regulations, NHS data standards, and other healthcare regulatory requirements
• Legitimate interest: to maintain audit logs for security monitoring and to improve our services
• Explicit consent: for processing special category health data, which you provide when registering as a patient

Your personal data is used to:

• Display your upcoming and past appointments
• Show your laboratory test results and clinical documents
• Provide access to clinical correspondence and letters
• Display your patient profile information
• Authenticate your identity and manage secure access
• Maintain audit trails for regulatory compliance

This App uses only essential cookies required for authentication and session management. We do not use analytics cookies, advertising cookies, or any third-party tracking cookies.

Essential cookies used:

• Session cookie: maintains your authenticated session (expires on inactivity timeout)
• CSRF token: protects against cross-site request forgery attacks

Under UK GDPR, you have the right to:

• Request a copy of the personal data we hold about you
• Request correction of inaccurate personal data
• Request deletion of your data (subject to legal retention requirements for medical records)
• Request that we limit processing of your data
• Request your data in a structured, machine-readable format
• Object to processing based on legitimate interest
• Withdraw consent at any time where processing is based on consent

We will not sell, distribute, or lease your personal information to third parties unless we have your permission or are required by law to do so.

To exercise any of these rights, please contact us at info@harpendenmedical.com.

We promise to always hold your information securely. To prevent unauthorised disclosure or access to your information, we have implemented strong physical and electronic security safeguards:

• All data is transmitted over HTTPS (TLS encryption)
• Authentication cookies are set with Secure, HttpOnly, and SameSite attributes
• Sessions automatically expire after a period of inactivity
• API keys and secrets are stored as encrypted environment variables
• Content Security Policy headers protect against cross-site scripting
• All user input is sanitised to prevent injection attacks
• Regular security assessments including penetration testing
• Access audit logging for all patient data views

Harpenden Medical follows stringent procedures to ensure we work with all personal data in line with UK data protection legislation.

We use carefully selected third-party services to operate this App. Each provider is bound by data processing agreements and appropriate safeguards. We do not have control of third-party services outside of our own domain.

Some of our third-party service providers may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses and adequacy decisions, in compliance with UK GDPR.

Your medical records are retained in accordance with NHS records management guidelines and CQC requirements. Audit logs are retained for a minimum of 12 months for security and compliance purposes.

Authentication session data is temporary and is automatically deleted when your session expires.

This App may contain health records for patients under 18 where a parent or guardian has authorised access. We process children’s data with additional care and in accordance with UK GDPR provisions for minors.

If you are unhappy with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Website: ico.org.uk
Phone: 0303 123 1113