Privacy Notice
HOSPITUAL LIMITED (trading as “Hospitual”)
1. Introduction
HOSPITUAL Limited (“Hospitual”, “we”, “our”, or “us”) respects the privacy and confidentiality of personal information and is committed to protecting personal data in accordance with applicable data protection legislation, healthcare governance obligations, professional confidentiality duties, and information security standards.
This Privacy Notice explains how Hospitual collects, uses, stores, shares, protects, and otherwise processes personal data when individuals use Hospitual digital healthcare services, operational systems, websites, and associated healthcare platforms.
This notice applies to individuals using Hospitual services including:
- Tele-radiology
- Tele-pathology
- Online medical consultations
- Specialist second opinion services
This notice may also apply to referring healthcare professionals, organisational clients, parents or guardians acting on behalf of patients, and other individuals interacting with Hospitual systems where applicable.
Hospitual processes personal data in accordance with the UK General Data Protection Regulation (“UK GDPR”), the Data Protection Act 2018, healthcare confidentiality obligations, and applicable professional and regulatory standards.
This Privacy Notice may be supplemented by additional service-specific privacy information, consent documentation, patient information notices, cookie notices, or contractual terms where relevant.
2. About Us
HOSPITUAL Limited operates a secure digital healthcare platform enabling patients, clinicians, and healthcare organisations to exchange medical information and obtain remote healthcare services and specialist clinical opinions.
Hospitual currently provides remote healthcare services and does not operate emergency services, inpatient facilities, or physical patient-facing clinical premises.
Registered Office
HOSPITUAL Limited
Flat 1 Windsor House
Heathfield Gardens
London, W4 4JT
United Kingdom
General Enquiries: [email protected]
For direct-to-patient services, Hospitual generally acts as a data controller in relation to personal data processed through its platform, governance activities, operational systems, and associated healthcare services.
In certain organisational or business-to-business service arrangements, Hospitual may act as a data processor, independent controller, or joint controller depending on the nature of the service, contractual arrangements, and applicable legal responsibilities.
3. Medical Confidentiality
The confidentiality of medical and health-related information is important to Hospitual.
Access to personal and clinical information is restricted to authorised personnel, participating clinicians, and service providers with a legitimate operational, clinical, governance, safeguarding, security, or legal need to access such information.
Hospitual implements technical and organisational measures designed to reduce the risk of unauthorised access, disclosure, alteration, loss, misuse, or unlawful processing of personal data.
Where Hospitual processes health-related personal data for healthcare purposes, processing is carried out by or under the responsibility of healthcare professionals or persons subject to appropriate confidentiality obligations.
4. Personal Data We Collect
Hospitual may collect and process the following categories of personal data.
4.1 Identification and Contact Information
- Full name
- Date of birth
- Email address
- Telephone number
- Address information where required
- Emergency or next-of-kin details where provided
4.2 Health and Clinical Information (Special Category Data)
- Medical history and clinical information
- Diagnostic imaging and DICOM files
- Pathology materials and related information
- Consultation notes and clinical correspondence
- Radiology or pathology reports
- Referral information and supporting clinical documentation
- Safeguarding-related information where applicable
4.3 Account and Professional Information
- Login and account credentials
- Professional registration information
- Clinician credentialing and verification records
- Professional licence and indemnity information where applicable
4.4 Technical and Security Information
- IP address
- Device and browser information
- Platform activity logs
- Authentication and access records
- Security and audit logs
4.5 Communication and Governance Information
- Emails and correspondence
- Messages submitted through the platform
- Support requests
- Complaints and feedback
- Governance, safeguarding, audit, incident, and compliance-related records
5. How We Collect Personal Data
Hospitual may collect personal data:
- Directly from patients, users, clinicians, or healthcare organisations
- Through information uploaded to the Hospitual platform
- Through communications with users, clinicians, or support services
- From referring healthcare professionals or organisations where applicable
- Through operational, governance, safeguarding, security, or compliance processes
- Through use of Hospitual systems and platform infrastructure
Where users provide personal data relating to another individual, including dependants, children, parents, guardians, emergency contacts, or referring professionals, users should ensure they are authorised or otherwise permitted to provide such information.
6. Identity Verification
Hospitual and/or participating clinicians may request proof of identity, including government-issued photo identification, where reasonably necessary for patient safety, safeguarding, parental responsibility verification, fraud prevention, clinical governance, or legal and regulatory compliance.
Additional identity or parental responsibility verification measures may apply for patients under 18 years of age.
Hospitual may pause, decline, restrict, or redirect services where identity, safeguarding, parental responsibility, consent, or clinical suitability requirements cannot reasonably be verified.
7. How We Use Personal Data
Hospitual may process personal data for purposes including:
- Providing tele-radiology, tele-pathology, and online consultation services
- Delivering specialist medical opinions and healthcare-related communications
- Managing user accounts and platform access
- Verifying clinician credentials and professional eligibility
- Identity verification and safeguarding
- Clinical governance, quality assurance, peer review, and patient safety activities
- Incident management, discrepancy review, and complaint handling
- Maintaining platform security and preventing unauthorised access, misuse, or fraud
- Regulatory, legal, contractual, and professional compliance
- Business continuity, operational administration, and records management
- Communicating with users regarding appointments, operational matters, support requests, and clinical updates where appropriate
8. Legal Bases for Processing
Hospitual processes personal data under one or more lawful bases permitted under the UK GDPR.
8.1 Article 6 UK GDPR
Processing may be necessary for:
- Performance of a contract
- Compliance with legal obligations
- Legitimate interests including healthcare governance, safeguarding, platform security, fraud prevention, operational management, service administration, and service improvement
- Consent where consent is specifically required by law
8.2 Article 9 UK GDPR – Special Category Health Data
Health and clinical information may be processed under:
- Article 9(2)(h) — provision and management of healthcare services
- Article 9(2)(f) — establishment, exercise, or defence of legal claims where applicable
- Article 9(2)(c) — protection of vital interests where necessary
- Additional lawful conditions where required by applicable law or regulatory obligations
Where applicable, processing is carried out in accordance with the Data Protection Act 2018 and professional confidentiality obligations applicable to healthcare services.
8.3 Examples of Processing Activities and Lawful Bases
| Processing Activity | Article 6 Basis | Article 9 Basis (where applicable) |
|---|---|---|
| Tele-radiology, tele-pathology, and consultations | Contract / Legitimate Interests | Article 9(2)(h) |
| Safeguarding and patient safety activities | Legal Obligation / Vital Interests | Article 9(2)(c) / 9(2)(h) |
| Complaint handling and legal defence | Legal Obligation / Legitimate Interests | Article 9(2)(f) |
| Governance, audit, and quality assurance | Legitimate Interests / Legal Obligation | Article 9(2)(h) |
| Security monitoring and audit logs | Legitimate Interests / Legal Obligation | Not usually applicable |
Hospitual does not carry out solely automated decision-making or profiling producing legal or similarly significant effects.
9. Clinical Governance and Patient Safety
Hospitual may process personal data as part of its healthcare governance, patient safety, quality assurance, safeguarding, and compliance responsibilities.
This may include:
- Clinical audit and quality assurance
- Peer review and discrepancy review
- Incident investigation and governance review
- Safeguarding assessment and escalation
- Complaint management and patient feedback review
- Risk management and compliance activities
- Regulatory reporting and governance oversight
Access to personal data for these activities is restricted to authorised personnel with a legitimate operational, governance, or clinical need.
10. Communications
Hospitual may communicate with users through secure electronic methods including email, platform notifications, telephone communication, or other appropriate operational channels.
Communications may relate to:
- Appointments and consultations
- Clinical or operational updates
- Support requests
- Security or account-related notifications
- Governance, safeguarding, or patient safety matters where appropriate
Where reasonably practicable, Hospitual aims to use communication methods appropriate to the sensitivity of the information being transmitted.
11. Sharing Personal Data
Personal data may be shared where reasonably necessary with:
- Participating clinicians and healthcare professionals
- Referring healthcare providers or organisations
- Laboratories, imaging providers, or pathology providers where applicable
- Secure cloud hosting and infrastructure providers
- Operational, communication, or technical service providers supporting platform operations
- Regulators, safeguarding authorities, law enforcement agencies, courts, or professional bodies where legally required or reasonably necessary for patient safety or safeguarding
- Professional advisers, insurers, or compliance providers where reasonably necessary
Hospitual may also share information with emergency contacts, parents, guardians, authorised representatives, or referring clinicians where appropriate and lawful.
Where required, information sharing arrangements are supported by appropriate contractual, confidentiality, security, and data protection measures.
Hospitual does not sell personal data.
12. International Data Transfers
Hospitual uses secure cloud infrastructure provided through Google Cloud Platform, with primary hosting within the United Kingdom and/or European Economic Area where reasonably practicable.
Where personal data is transferred outside the United Kingdom or European Economic Area, appropriate safeguards are implemented in accordance with Chapter V UK GDPR.
These safeguards may include:
- UK International Data Transfer Agreement (IDTA)
- UK Addendum to the EU Standard Contractual Clauses (SCCs)
- Adequacy regulations
- Other lawful transfer mechanisms permitted under applicable law
13. Data Retention
Hospitual retains personal data only for as long as reasonably necessary for healthcare, legal, governance, security, safeguarding, insurance, and operational purposes.
Typical retention periods include:
- Clinical and consultation records: minimum 8 years from the last clinical interaction
- User account records: duration of account plus a reasonable retention period following closure
- Security, audit, and access logs: minimum 6 months unless longer retention is reasonably required for governance, legal, or security purposes
Certain governance, complaint, contractual, insurance, incident, and operational records may be retained for up to 6 years or longer where reasonably necessary in connection with legal claims, regulatory obligations, insurance requirements, or applicable limitation periods under the Limitation Act 1980.
Further detail regarding retention periods, record categories, archival controls, and secure disposal processes is set out within Hospitual internal governance and records management procedures.
Data may be securely deleted, anonymised, archived, restricted, or retained where legally required or reasonably necessary.
14. Data Security
Hospitual implements technical and organisational measures designed to protect personal data and maintain the confidentiality, integrity, and availability of systems and information.
Security measures may include:
- Encryption in transit and at rest
- Role-based access control (RBAC)
- Multi-factor authentication (MFA)
- Audit logging and security monitoring
- Restricted administrative access
- Access reviews and credential controls
- Secure cloud infrastructure and access management controls
15. Children and Safeguarding
Hospitual services involving individuals under 18 years of age are normally accessed through a parent or legal guardian.
Additional identity, consent, safeguarding, or parental responsibility verification measures may be requested where reasonably necessary.
Hospitual may process or disclose personal data where reasonably necessary to:
- Protect children or adults at risk
- Comply with safeguarding obligations
- Prevent serious harm
- Support patient safety activities
- Comply with applicable legal or regulatory duties
16. Your Rights
Under the UK GDPR, individuals have certain rights in relation to personal data processed by Hospitual.
These rights may include:
- Right of access
- Right to rectification
- Right to erasure in certain circumstances
- Right to restriction of processing
- Right to object to processing in certain circumstances
- Right to data portability
- Right to withdraw consent where processing relies on consent
Requests relating to personal data rights may be submitted to: [email protected]
If individuals have concerns regarding how Hospitual processes personal data, they may contact Hospitual directly using the contact details provided in this Privacy Notice.
If individuals are dissatisfied with how Hospitual has handled a privacy-related concern, personal data request, or data protection matter, they also have the right to complain to the Information Commissioner's Office (ICO).
Telephone: 0303 123 1113
Making a complaint to the ICO does not affect any other legal rights or remedies available under applicable law.
Hospitual may request additional information or identity verification before responding to certain requests where reasonably necessary to protect confidentiality, patient safety, security, or the rights and freedoms of others.
Hospitual will normally respond in accordance with applicable legal requirements and statutory timeframes.
Certain rights may not apply in all circumstances, including where continued processing is necessary for:
- Healthcare provision and patient safety
- Safeguarding obligations
- Clinical governance and regulatory compliance
- Legal or professional obligations
- Establishing, exercising, or defending legal claims
- Protection of the rights and freedoms of others
Hospitual will not usually charge for responding to data protection requests. However, a reasonable fee may be permitted where requests are manifestly unfounded, excessive, or repetitive in accordance with applicable law.
17. External Websites
Hospitual websites, communications, or platform resources may contain links to third-party websites or external services.
Hospitual is not responsible for the privacy practices, content, security, or policies of external websites or services not operated by Hospitual.
Users should review the privacy notices, terms, and policies of any third-party websites or services they access.
18. Our Data Protection and Privacy Contact
Hospitual maintains responsibility for information governance, data protection, cybersecurity, and privacy compliance across its services and operational systems.
If you have any questions regarding this Privacy Notice, wish to exercise any of your data protection rights, or would like to contact Hospitual regarding privacy-related matters, please contact:
Email: [email protected]
Postal Address:
HOSPITUAL Limited
Flat 1 Windsor House
Heathfield Gardens
London, W4 4JT
United Kingdom
19. Updates to This Privacy Notice
Hospitual may update this Privacy Notice from time to time to ensure that it remains accurate and reflects operational, legal, regulatory, governance, or technical changes.
The most recent version of this Privacy Notice will be made available through Hospitual systems and website resources.
This Privacy Notice was last updated on 20 May 2026.
20. Cookies
Further information regarding the use of cookies and similar technologies can be found in the Hospitual Cookie Policy.