Privacy Policy

Learn how we collect, use, and protect your personal data in compliance with UK GDPR, HIPAA-aligned principles, and data protection laws.

Privacy Policy – Version 2025-12
Effective date: 20 December 2025

Data Controller

Company Legal Name: Rincewind Ltd. (trading as HealMinded)

Registered Address: 349C High Road, London, England, N22 8JA, United Kingdom

Company Number (UK): 13748045

Email: privacy@healminded.co.uk

Website: https://www.healminded.co.uk

Supervisory Authority (UK): Information Commissioner's Office (ICO)

This Privacy Policy describes how we collect, use, disclose, store, transfer, protect, and retain Personal Data and, where applicable, Protected Health Information (PHI), in compliance with the UK GDPR and the Data Protection Act 2018, and with HIPAA-aligned privacy principles for U.S. health information where applicable. This Policy applies to all visitors and users of healminded.co.uk and related digital services.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Sensitive Personal Data (Special Category): Health data and any information revealing medical history, conditions, diagnostics, treatments or health status.
  • Protected Health Information (PHI): Per U.S. HIPAA standards, individually identifiable health information that is created or received by a covered entity (such as a healthcare provider or health plan) or its business associates.
  • Lawful Basis: The legal ground under UK GDPR Article 6 on which we process Personal Data, such as consent, contract performance, legal obligation, or legitimate interests. Special Category data (including health data) additionally requires a condition under Article 9, such as explicit consent.

2. Lawful Basis for Processing

We rely on legal bases under UK GDPR:

  • Consent (Art. 6(1)(a)) for cookies, marketing communications, and health data processing.
  • Contract (Art. 6(1)(b)) for services you request (e.g., quotes, coordination).
  • Legal obligation (Art. 6(1)(c)) as required under law.
  • Legitimate interests (Art. 6(1)(f)) for internal analytics and service improvement, balanced with rights.
  • Explicit consent (Art. 9(2)(a)) for Special Category data (health information).

For PHI linked to U.S. data subjects, we implement HIPAA principles around permitted uses/disclosures and minimum necessary standards.

3. What We Collect & Why

We collect information to:

  • Provide and manage your services,
  • Schedule communications and follow up,
  • Coordinate with clinics,
  • Send notifications and updates,
  • Personalise your experience, and
  • Comply with legal obligations.

Categories collected may include:

  • Identifiers: name, contact details, date of birth;
  • Health and treatment information (with explicit consent);
  • Website analytics;
  • Communications content and records (opt-in).

4. Consent & Special Category Data

Processing of health information requires explicit consent. Users will be asked to provide separate consent for health data and for U.S. PHI disclosures if applicable. We will not process or share this data without clear, informed consent.

5. Disclosure & Recipients

We may share Personal Data with:

  • Clinicians/clinics you choose to engage with for your treatment plan;
  • Service providers, processors, or sub-processors under contract with appropriate safeguards (Data Processing Agreements, UK GDPR Art. 28);
  • Public authorities if required by law;
  • Our professional advisors when necessary;
  • Business Associates in the U.S. context under written agreements that define permitted PHI uses and disclosures.

Such sharing will always be minimised, restricted to the stated purpose, and in accordance with legal obligations, including HIPAA's principle that PHI is disclosed only for permitted purposes and, in the case of Business Associates, only under a written agreement.

6. International Transfers

Where Personal Data is transferred outside the UK (including to the EEA or the U.S.), we implement appropriate safeguards (e.g., the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, or an equivalent mechanism) and conduct transfer risk assessments as required under UK GDPR.

7. Retention

We retain Personal Data only as long as necessary and in accordance with legal or statutory retention requirements. After this period, Personal Data will be securely deleted or anonymised.

8. Data Subject Rights

You have rights under UK GDPR and, where applicable, under HIPAA-aligned privacy principles:

  • Access your Personal Data
  • Correction of inaccurate data
  • Deletion ("right to be forgotten")
  • Restriction of processing
  • Objection to processing
  • Portability of your data
  • Withdrawal of consent at any time

For U.S. PHI, requests will be handled under the applicable HIPAA rights of access, accounting of disclosures, and amendment.

Requests can be sent to privacy@healminded.co.uk.

9. Security

We implement organisational and technical measures to protect data, including encryption, access controls, regular risk assessments, audit logs, and staff training, aligned with UK GDPR requirements and HIPAA Security Rule principles for PHI protection.

10. Changes to Policy

We may update this Policy. Material changes will be notified via the Website or direct communication.

Quick Reference (How to Exercise Your Rights)

  • Access/Erase/Portability/Objection: privacy@healminded.co.uk
  • Change Cookie Preferences: Cookie banner/settings (Cookiebot) on healminded.co.uk
  • Complaints (UK): Information Commissioner's Office (ICO) – www.ico.org.uk