Privacy Policy - Dr Steph Arnold

Last updated: 5 May, 2026

We are committed to protecting your privacy and handling your personal information in a fair, lawful, and transparent way. This policy explains what information we collect, how we use it, and your rights.

By engaging with our services, you acknowledge that your personal information will be collected, stored, and used as described in this Privacy Policy.

For most medical care, we process your information because it is necessary to provide healthcare and meet our legal obligations, not solely because you have given consent. Where we do rely on your consent (for example, for certain recordings, Heidi AI transcription, or optional services), you can withdraw it at any time.

1. Who We Are

We are Dr Steph Arnold, a UK healthcare provider. We are the “data controller” for your personal information under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. What Information We Collect

We may collect and store information in different formats, including:

  • Written: medical notes, letters, forms, test results

  • Audio: phone calls, voice messages, recordings (with consent)

  • Visual: photographs, scans, X-rays, video (with consent)

  • Memory/Observation: what healthcare staff remember or observe about your care

This may include:

  • Your name, date of birth, contact details

  • Medical history, diagnoses, and treatment records

  • Appointment and prescription details

  • Information about your sexual history and sexual orientation, where relevant to your care and treatment

  • Information about children and young people where relevant to their care

We collect sexual history and orientation information only when it is clinically relevant — for example, to assess health risks, provide appropriate screening, or offer the most suitable treatment. This information is treated with the highest level of confidentiality and is never shared without a lawful basis.

3. How We Use Your Information

We use your information to:

  • Provide safe and effective medical care

  • Arrange appointments, prescriptions, and referrals

  • Communicate with you about your care

  • Work with other healthcare professionals involved in your treatment

  • Meet our legal and regulatory obligations (including safeguarding)

We will never sell your personal data.

4. Use of Heidi AI Transcription

In some consultations, we use Heidi AI transcription technology to create an accurate written record of what was discussed.

  • The system securely processes audio from the consultation to produce a text transcript.

  • Transcripts are stored in your medical record and treated with the same level of confidentiality as all other health information.

  • Heidi AI operates under strict data protection agreements and complies with UK GDPR requirements.

  • Audio is processed securely and is not used for marketing or non-clinical purposes.

  • You can ask at any time if Heidi AI will be used in your consultation and request that it is not used.

  • For information about Heidi, please see their website: Heidi Patient Experience

5. Lawful Basis for Processing

We process personal data under:

  • Article 6(1)(e) UK GDPR – task carried out in the public interest

  • Article 9(2)(h) UK GDPR – provision of health or social care

In some cases, we may also rely on your explicit consent.

6. Children and Young People

We take extra care when handling children’s information:

  • Under 16s: We usually involve a parent or guardian in your care. If a clinician believes you have enough understanding to make your own decisions (Gillick competence), we may keep your information confidential unless there is a safeguarding concern.

  • Ages 16–18: You are presumed able to make your own healthcare decisions. We will not share your information with parents or guardians without your consent, unless there is a serious risk to your safety.

7. Sharing Your Information

We may share your information with:

  • NHS organisations and other healthcare providers involved in your care

  • Laboratories, pharmacies, and referral services

  • Safeguarding authorities if there is a risk of harm

  • Regulators and legal bodies where required by law

We only share the minimum necessary information and always aim to protect your privacy.

8. How Long We Keep Your Information

We keep your records for as long as required by law and professional guidelines. Retention periods vary depending on the type of record:

  • Adult medical records: Minimum of 8 years after your last treatment.

  • Children and young people: Until your 25th birthday (or 26th if aged 17 at the conclusion of treatment).

  • Maternity records: 25 years after the birth of the last child.

  • Cancer diagnosis and oncology records: Retained for your lifetime and for a minimum of 30 years after the date of diagnosis or end of treatment, whichever is later. This ensures continuity of care, supports long-term monitoring, and meets clinical and legal requirements.

When records are no longer required, they are securely destroyed or permanently deleted in line with NHS and ICO guidance.

9. Your Rights

Under the UK GDPR, you have the right to:

  • Access the personal information we hold about you (Subject Access Request);

  • Request correction of inaccurate or incomplete information;

  • Request deletion of your information, where applicable;

  • Restrict processing of your information in certain circumstances;

  • Object to the use of your information for non-clinical purposes;

  • Withdraw consent where we rely on consent as the lawful basis for processing;

  • Data portability – request a copy of your information in a structured, machine-readable format (where applicable).

We will respond to all valid requests within one month, unless the request is complex, in which case we may extend the deadline by up to two further months (we will inform you if this is the case).

10. Security of Your Information

We use a combination of technical, physical, and organisational measures to protect your personal data, including:

  • Encrypted electronic records

  • Secure communication systems

  • Access controls and staff training on confidentiality

  • Regular audits and compliance checks

11. Website Privacy & Cookies

When you visit our website, we may collect certain information automatically and through cookies or similar technologies. This section explains what we collect, why, and how you can control it.

a) Information We Collect Automatically

  • Your IP address and approximate location

  • Browser type and version

  • Device type and operating system

  • Pages you visit, time spent on each page, and navigation paths

  • Date and time of your visit

This information is used to improve our website, monitor performance, and ensure security. It is not used to personally identify you unless combined with other information you provide.

b) Cookies

Cookies are small text files placed on your device when you visit our site. We use:

  • Essential cookies – required for the site to function (e.g., security, page navigation)

  • Analytics cookies – help us understand how visitors use our site (e.g., Google Analytics)

  • Preference cookies – remember your settings (e.g., language choice)

We do not use cookies for targeted advertising.

c) Managing Cookies

When you first visit our site, you will see a cookie banner allowing you to accept or reject non‑essential cookies. You can also manage or delete cookies at any time through your browser settings.

d) Third‑Party Services

Some website features may use third‑party tools (e.g., embedded maps, video players) that set their own cookies. We recommend reviewing their privacy policies for more details.

e) Contact Forms and Online Enquiries

If you submit a form on our website, we will collect the information you provide (e.g., name, telephone number, email, message) to respond to your enquiry. This data is transmitted securely and stored only for as long as necessary to handle your request.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in the law, guidance, or our practices. The latest version will always be available on our website.

13. Contact Us

If you have any questions, concerns, or requests about how your personal information is used, please contact:

Data Protection Officer

Dr Stephanie Arnold

office@drsteph.co.uk

01865 570 869

You also have the right to complain to the Information Commissioner’s Office (ICO) if you believe your data protection rights have been breached:

Website: www.ico.org.uk

Helpline: 0303 123 1113