Privacy Policy

HaemoSync – Clinical Decision Support Software

Last Updated: 29 November 2025

1. Introduction

BMZ Ethical Investments Ltd ("we", "us", "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, and protect information when you use HaemoSync.

Data Controller

BMZ Ethical Investments Ltd

20-22 Wenlock Road, London, England, N1 7GU

Email: admin@lambertsportsclinic.co.uk

Telephone: 0208 133 5694

This policy applies to:

  • Healthcare professionals and clinic staff who use HaemoSync
  • Organisations that register for HaemoSync Connect or white-label services
  • Patient data processed through the HaemoSync platform

2. Data Protection Framework

We process personal data in accordance with:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Privacy and Electronic Communications Regulations (PECR)
  • NHS Data Security and Protection requirements (where applicable)

3. Information We Collect

3.1 Account and Registration Data

When you register for HaemoSync, we collect:

  • Name and professional title
  • Email address and telephone number
  • Organisation name and address
  • Professional registration details (e.g., GMC, NMC number)
  • Payment information (processed securely via our payment provider)

3.2 Patient Data

When healthcare professionals use HaemoSync, they may input:

  • Patient name and date of birth
  • NHS number or other patient identifiers
  • Medical history and symptoms
  • Blood test results and biomarker data
  • Clinical notes and observations

Important: For patient data, your organisation is the Data Controller and we act as a Data Processor on your behalf.

3.3 Usage Data

We automatically collect:

  • Log data (IP address, browser type, access times)
  • Feature usage and interaction data
  • Error reports and performance data
  • Device and operating system information

3.4 Cookies and Similar Technologies

We use cookies for:

  • Essential functionality (session management, authentication)
  • Analytics (to improve the Service)
  • Preferences (to remember your settings)

See Section 11 for more details on cookies.

4. How We Use Your Information

4.1 Providing the Service

We use your data to:

  • Create and manage your account
  • Process blood test orders and generate reports
  • Provide AI-powered panel recommendations and result interpretations
  • Deliver patient reports to authorised healthcare professionals
  • Process payments and issue invoices

Legal Basis: Performance of a contract

4.2 Improving the Service

We use anonymised and aggregated data to:

  • Improve our AI algorithms and recommendations
  • Analyse usage patterns and optimise features
  • Conduct research to enhance clinical decision support

Legal Basis: Legitimate interests (improving our services)

4.3 Communication

We may contact you regarding:

  • Service updates and important notices
  • Account and billing information
  • Security alerts
  • Marketing communications (only with consent)

Legal Basis: Legitimate interests / Consent (for marketing)

4.4 Legal and Regulatory Compliance

We process data to:

  • Comply with medical device regulations and MHRA requirements
  • Respond to legal requests and court orders
  • Maintain audit trails as required by law

Legal Basis: Legal obligation

5. Special Category Data

Blood test results and health information constitute special category data under UK GDPR. We process this data on the basis of:

  • Article 9(2)(h): Processing necessary for medical diagnosis and the provision of health care
  • Schedule 1, Part 1, Paragraph 2 of DPA 2018: Health and social care purposes

Healthcare professionals inputting patient data must ensure they have an appropriate lawful basis and patient consent where required.

6. Data Sharing

6.1 We Share Data With:

Recipient                Purpose                      Safeguards
Partner Laboratories     Processing blood tests       Data Processing Agreements
Payment Providers        Processing payments          PCI-DSS compliant
Cloud Hosting Providers  Storing and processing data  UK/EEA data centres, encryption
IT Support Providers     Technical support            Access controls, NDAs

6.2 We Do Not:

  • Sell personal data to third parties
  • Share patient data for marketing purposes
  • Transfer data outside the UK/EEA without appropriate safeguards

6.3 Legal Disclosures

We may disclose data if required by:

  • Law or court order
  • Regulatory authorities (e.g., MHRA, ICO, CQC)
  • The need to protect the safety of patients or the public

7. Data Retention

Data Type                  Retention Period               Basis
Account data               Duration of account + 7 years  Legal/tax requirements
Patient data (reports)     10 years from creation         Medical records guidance
Blood test orders          10 years                       Medical records guidance
Payment records            7 years                        HMRC requirements
Usage logs                 2 years                        Legitimate interests
Marketing consent records  Duration of consent + 2 years  Accountability

After retention periods expire, data is securely deleted or anonymised.

8. Data Security

We implement appropriate technical and organisational measures including:

8.1 Technical Measures

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Multi-factor authentication
  • Regular security testing and vulnerability assessments
  • Automated backup and disaster recovery
  • Intrusion detection and monitoring

8.2 Organisational Measures

  • Staff training on data protection
  • Access controls based on role and need-to-know
  • Confidentiality agreements with all staff
  • Incident response procedures
  • Regular policy reviews

8.3 Data Breach Procedures

In the event of a personal data breach, we will:

  • Notify the ICO within 72 hours (where required)
  • Notify affected Data Controllers without undue delay
  • Document the breach and remedial actions

9. Your Rights

Under UK GDPR, you have the following rights:

Right             Description
Access            Request a copy of your personal data
Rectification     Request correction of inaccurate data
Erasure           Request deletion of your data (subject to legal obligations)
Restriction       Request limitation of processing
Portability       Receive your data in a portable format
Objection         Object to processing based on legitimate interests
Withdraw Consent  Withdraw consent for marketing at any time

To Exercise Your Rights:

Email: admin@lambertsportsclinic.co.uk

Subject Line: "Data Protection Request"

We will respond within 30 days. We may request identification to verify your identity.

Patient Rights: Patients wishing to exercise their data rights should contact their healthcare provider (the Data Controller) in the first instance.

10. International Transfers

We primarily store and process data within the United Kingdom.

Where data is transferred outside the UK, we ensure appropriate safeguards including:

  • UK adequacy regulations
  • Standard Contractual Clauses (SCCs)
  • Binding Corporate Rules (where applicable)

11. Cookies

11.1 What Are Cookies?

Cookies are small text files stored on your device when you visit our website or use our Software.

11.2 Cookies We Use

Cookie Type  Purpose                              Duration
Essential    Login, session management, security  Session
Functional   Remember preferences and settings    1 year
Analytics    Understand usage, improve service    2 years

11.3 Managing Cookies

You can manage cookies through your browser settings. Disabling essential cookies may affect the functionality of HaemoSync.

12. Children's Privacy

HaemoSync is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children.

Patient data relating to minors may be processed by healthcare professionals in the course of providing care, subject to appropriate safeguards and parental/guardian consent where required.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via:

  • Email to your registered address
  • Notice within the Software
  • Update to the "Last Updated" date

We encourage you to review this policy periodically.

14. Complaints

If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Website: www.ico.org.uk

Telephone: 0303 123 1113

We would appreciate the opportunity to address your concerns before you contact the ICO. Please contact us first at admin@lambertsportsclinic.co.uk.

15. Data Processing Agreement

For healthcare organisations using HaemoSync, we offer a Data Processing Agreement (DPA) that sets out:

  • The scope and purpose of processing
  • Technical and organisational security measures
  • Sub-processor arrangements
  • Assistance with data subject rights and breach notification

To request a DPA, contact: admin@lambertsportsclinic.co.uk

16. Contact Us

For questions about this Privacy Policy or our data practices, please contact:

Data Protection Contact

BMZ Ethical Investments Ltd

20-22 Wenlock Road, London, England, N1 7GU

Email: admin@lambertsportsclinic.co.uk

Telephone: 0208 133 5694