Happy Clinic Privacy Policy

Last updated: 7 June 2026    ·    Version 1.0

1. About this policy and who we are

This Privacy Policy explains how Happy Clinic collects, uses, shares and protects your personal information, and the rights you have under UK data protection law — the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018.

Happy Clinic is a tele-psychiatry service operated by Foress Media Ltd, a company registered in England and Wales under company number 09567845, with its registered office at 20-22 Wenlock Road, London, N1 7GU. Foress Media Ltd is the “data controller” responsible for your personal information.

Foress Media Ltd is registered with the Information Commissioner’s Office (ICO) under registration number ZA298624, and Happy Clinic is registered with and regulated by the Care Quality Commission (CQC) under provider ID 1-4409769368.

If you have any questions about this policy or how we handle your data, you can contact our Privacy Lead at privacy@happyclinic.co.uk or by writing to the registered office address above, marked for the attention of the Privacy Lead.


2. The information we collect

Depending on how you use our service, we may collect and process the following categories of personal information:

•      Identity and contact details — your name, date of birth, address, email address and telephone number, and a form of photographic identification used to verify your identity.

•      GP details — the name and contact details of your NHS GP.

•      Health information (special category data) — your medical history, current and past medication, symptoms, mental health history, the results of assessments and questionnaires, diagnoses, treatment plans, prescriptions, and the results of any physical health checks or laboratory tests.

•      Consultation records — clinical notes, letters and reports, and transcripts of your consultations produced by an AI-assisted scribe where you have consented. Consultations are not routinely audio or video recorded.

•      Payment information — the details needed to take payment for your appointments and any prescription or administrative fees. Card details are processed securely by our payment provider and are not stored by us.

•      Technical and usage information — information about how you access and use our website and patient portal, including IP address, device and browser type, and cookie data (see our separate Cookie Policy).


3. How we collect your information

We collect information:

•      Directly from you — when you register, book an appointment, complete forms or questionnaires, speak with a Clinician, or share documents with us such as NHS records, letters or previous reports.

•      From your GP or other healthcare providers — for example a summary of your medical record, where you have consented to this.

•      From family members or carers — where they are involved in your care and it is appropriate to do so.

•      From safeguarding agencies or other authorities — where relevant to your care or to protect you or others.

•      From laboratories and diagnostic providers — the results of any tests requested as part of your care.

•      Automatically — through cookies and similar technologies when you use our website and portal (see the Cookie Policy).


4. How we use your information and our lawful bases

Under the UK GDPR we must have a lawful basis for processing your personal information, and an additional condition for processing special category (health) data. We rely on the following:

4.1 To provide your care

We use your information to assess, diagnose and treat you, to issue prescriptions, to communicate with your GP and to keep accurate clinical records. Our lawful basis is the performance of our contract with you (Article 6(1)(b)). For health data, our condition is the provision of health care and treatment and the management of health care systems (Article 9(2)(h)), and we process this under the responsibility of a health professional bound by a duty of confidentiality.

4.2 To meet our legal and regulatory obligations

We use your information to comply with our obligations under healthcare, controlled-drugs, safeguarding, tax and company law, and CQC regulation. Our lawful basis is compliance with a legal obligation (Article 6(1)(c)), and for health data, reasons of public interest in public health or the provision of health care (Article 9(2)(h) or 9(2)(i) as applicable).

4.3 To manage and improve our service

We use your information for billing, administration, clinical audit, quality assurance, training and service improvement, and to respond to complaints. Our lawful basis is our legitimate interests in running a safe and effective service (Article 6(1)(f)), balanced against your rights, and, for any health data involved, the provision of health care (Article 9(2)(h)).

4.4 In an emergency or to protect someone

Where there is a serious risk to your life or someone else’s, we may process and share information to protect vital interests (Articles 6(1)(d) and 9(2)(c)). In these situations we may share information without your consent — including with emergency services, your GP, or a safeguarding agency — where this is necessary to protect you or another person from serious harm, or where the law requires it.

4.5 Where you give consent

For some activities — such as using an AI-assisted scribe or making any audio or video recording of a consultation, or non-essential cookies and any marketing — we rely on your consent (Article 6(1)(a), and Article 9(2)(a) for health data). You can withdraw consent at any time without affecting your care.


5. Who we share your information with

We only share your information where it is necessary for your care, where we have your consent, or where we are required or permitted to do so by law. We may share with:

5.1 Others involved in your care

•      Your GP, with your consent, so that your care is coordinated and safe.

•      Pharmacies, to issue and dispense your prescriptions (see our processors below regarding electronic prescribing).

•      Laboratories and diagnostic providers, to carry out and report tests requested as part of your care.

We strongly encourage you to allow us to communicate with your NHS GP, as this supports safe and coordinated care. If you have the capacity to do so, you may choose not to allow this; your Clinician will record your decision, explain any associated risks, and consider whether it remains safe and appropriate to provide treatment. In exceptional circumstances, where we believe there is a serious risk to your health or safety or to that of others, we may share relevant information with your GP or other healthcare professionals without your consent, where permitted by law.

Where another clinician is involved in your care, we will normally give you a copy of the relevant letter or report to pass on to them yourself, rather than contacting them directly.

5.2 Our service providers (data processors)

We use the following trusted third-party providers to deliver our service. They act on our written instructions as our data processors under a written contract, and may only use your information to provide their service to us:

•      Our clinic-management platform provider — providing the patient portal, online booking, electronic medical records and video consultation functionality. Data is hosted in the UK and/or the European Economic Area (EEA).

•      Our video-consultation provider — the underlying encrypted video service used within the platform for your consultations (provided from the EEA).

•      Signature Rx — our electronic private prescription service, used to generate and transmit prescriptions to pharmacies and to send you a prescription token.

•      Our clinical scribe provider — an AI-assisted clinical documentation (“scribe”) tool that produces a transcript of your consultation to help your Clinician prepare accurate notes, where you have consented.

•      Our payment provider — to process card payments securely. We do not store your full card details.

•      Our IT, email and communications providers — for secure email, document storage and appointment communications.

A current list of our processors is available on request from our Privacy Lead. Where you pay a laboratory or pharmacy directly for a service, that organisation is usually a separate data controller responsible for your information under its own privacy policy.

5.3 Others, where required

•      Regulators and authorities — such as the CQC, the GMC, or the police or courts, where we are legally required to share, or where there is a serious safeguarding or public-safety concern.

•      Professional advisers and insurers — for example our indemnity providers or legal advisers, where necessary to establish or defend legal claims (Article 9(2)(f)).

We will never sell your personal information, and we do not share it for third-party marketing without your explicit consent.


6. AI-assisted documentation of consultations

Where an AI-assisted scribe is used, we will explain this to you before the consultation, and it is used to produce a transcript that supports accurate record-keeping and high-quality care. Consultations are not routinely audio or video recorded; using an AI scribe does not, of itself, mean that a permanent audio or video recording is retained. Where any audio or video recording is proposed, we will seek your explicit consent, and you can decline without affecting your care. If you decline the use of the AI scribe, your Clinician will make written clinical notes in the usual way. Declining the AI scribe will not affect the care you receive. Transcripts (and any recordings) are held securely, accessed only by those who need them for your care or clinical governance, and are never used for marketing or to train third-party AI models. Full details are set out in our Terms and Conditions.


7. International transfers

We aim to keep your information within the UK and EEA. Where any of our providers process personal data outside the UK or EEA, we ensure an appropriate safeguard is in place — such as UK “adequacy” regulations, the International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses — so that your information receives an equivalent level of protection.


8. How long we keep your information

We keep your clinical records for as long as is necessary to provide your care and to meet our legal and regulatory obligations. For adult health records this is normally a minimum of 8 years from your last contact with the service, in line with recognised guidance for adult health records, unless a longer period is required by law or professional guidance. Non-clinical information (such as billing records) is kept only as long as needed for the relevant purpose. When information is no longer needed it is securely deleted or anonymised.


9. How we protect your information

We take the security of your information seriously and use appropriate technical and organisational measures, including encryption in transit and at rest, access controls, audit logging, staff confidentiality obligations and supplier due diligence. Our platform providers operate to recognised healthcare security standards. No system can be guaranteed completely secure, but we work to protect your information and to detect and respond to any incident promptly.


10. Your rights

Under the UK GDPR you have the following rights in relation to your personal information:

•      The right to be informed about how we use your data (this policy).

•      The right of access — to request a copy of the information we hold about you (a “Subject Access Request”).

•      The right to rectification — to have inaccurate information corrected.

•      The right to erasure — to ask us to delete your information, subject to our legal duty to retain clinical records.

•      The right to restrict or object to processing in certain circumstances.

•      The right to data portability for information you have provided to us, where applicable.

•      The right to withdraw consent at any time, where we rely on consent.

To exercise any of these rights, please contact our Privacy Lead at privacy@happyclinic.co.uk. We will respond within one month, although in complex cases this may be extended by a further two months, as permitted under UK GDPR. There is normally no charge.


11. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing. AI-assisted tools (such as the clinical scribe) support, but do not replace, the judgement of a qualified Clinician.


12. Cookies

Our website and patient portal use cookies and similar technologies. Please see our separate Cookie Policy for full details of the cookies we use and how you can manage your preferences.


13. Children

Happy Clinic provides services to adults aged 18 and over and is not intended for children. We do not knowingly collect information about anyone under 18.


14. Changes to this policy

We may update this Privacy Policy from time to time. The current version will always be published on our website, and we will tell you about any significant changes where appropriate. This policy was last updated on 7 June 2026.


15. How to contact us and complain

If you have any concern about how we handle your information, please contact our Privacy Lead at privacy@happyclinic.co.uk in the first instance so that we can try to put things right.

You also have the right to complain to the UK supervisory authority, the Information Commissioner’s Office, at any time. You can contact the ICO at www.ico.org.uk, by their helpline on 0303 123 1113, or by post to: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF.


Foress Media Ltd, operator of Happy Clinic. Registered in England and Wales, company number 09567845. Registered office: 20-22 Wenlock Road, London, N1 7GU. ICO registration ZA298624. © Foress Media Ltd.