Privacy notice

Well Life Clinic / WLC Oxted Ltd

Last updated: 6th May 2026
Version: 2.0

1. Introduction

This Privacy Notice explains how Well Life Clinic, operated by WLC Oxted Ltd, collects, uses, stores and shares personal information about patients, prospective patients, website users and other individuals who contact or use our services.

We are committed to protecting your privacy and handling your personal information safely, lawfully and transparently in accordance with the UK General Data Protection Regulation, the Data Protection Act 2018, the common law duty of confidentiality and applicable healthcare regulatory requirements.

This notice applies to all Well Life Clinic services, including but not limited to:

  • private GP appointments; 
  • ADHD assessment, diagnosis, prescribing and ongoing management, including private ADHD services and NHS Right to Choose services; 
  • blood tests and diagnostic testing; 
  • health assessments and screening; 
  • cancer screening; 
  • allergy testing; 
  • children’s health services; 
  • mental health services; 
  • men’s health and women’s health services; 
  • vaccinations and travel health; 
  • minor surgery, hand surgery, joint injections and vasectomy services; 
  • aesthetics and skin health services; 
  • weight management services; 
  • membership services; 
  • online enquiries, website use and booking systems. 

2. Who we are

For the purposes of data protection law, the controller of your personal information is:

WLC Oxted Ltd
Trading as Well Life Clinic
Registered company number: 15568565
Registered office: D S House, 306 High Street, Croydon, Surrey, CR0 1NG, UK

Clinic locations include:

Oxted Clinic
125–131 Station Road East
Oxted
Surrey
RH8 0QE
Email: hello@welllife-clinic.co.uk
Telephone: 01883 338336

Cobham Clinic
5 Between Streets
Cobham
KT11 1AA
Email: cobham@welllife-clinic.co.uk
Telephone: 01932 391883

CQC Provider ID: 1-19879350245

For any privacy or data protection queries, please contact: hello@welllife-clinic.co.uk 

3. What personal information we collect

We collect different types of information depending on the service you use.

3.1 Identity and contact details

This may include:

  • name; 
  • date of birth; 
  • gender/sex; 
  • address; 
  • email address; 
  • telephone number; 
  • emergency contact or next of kin details; 
  • NHS number, where relevant; 
  • GP practice details; 
  • parent, guardian or carer details, where relevant.


3.2 Health and clinical information

As a healthcare provider, we collect and create information about your health and care. This may include:

  • medical history; 
  • symptoms and presenting concerns; 
  • consultation notes; 
  • examination findings; 
  • allergies; 
  • medication and prescribing history; 
  • vaccination history; 
  • test results, including blood tests, screening results and diagnostic results; 
  • referral information; 
  • diagnosis and treatment plans; 
  • mental health information; 
  • ADHD assessment questionnaires, developmental history, school information and clinical reports; 
  • information from parents, carers, schools, GPs, consultants or other healthcare professionals; 
  • images or photographs where clinically required, for example for skin, wound, minor surgery or aesthetics records; 
  • safeguarding information where relevant; 
  • information about disability, reasonable adjustments or communication needs. 

Health information is classed as special category personal data and is subject to additional protection under data protection law.

3.3 Children’s information

Where we provide services to children, including children’s health and ADHD assessments, we may collect information about the child from:

  • the child directly, depending on their age and understanding; 
  • parents or legal guardians; 
  • carers; 
  • schools or education professionals; 
  • GPs, NHS services or other healthcare professionals. 

We will only collect information that is relevant and necessary for the child’s care, assessment, safeguarding or administration of the service.

3.4 ADHD service information

For ADHD assessment and treatment services, we may collect:

  • self-referral or GP referral information; 
  • screening forms and questionnaires; 
  • developmental, educational, occupational and family history; 
  • information from parents, partners, carers, schools or other relevant third parties; 
  • assessment notes and diagnostic conclusions; 
  • consultant psychiatrist review information; 
  • prescribing, titration and medication monitoring information; 
  • physical health monitoring information, including blood pressure, pulse, weight, ECGs or blood tests where clinically required; 
  • shared care or communication records with your GP. 

For NHS Right to Choose ADHD services, we may also process information required to manage the NHS referral pathway, confirm eligibility, provide care, liaise with your GP and claim payment from the relevant NHS commissioner.

We use secure system called Semble to process all of our clinical information. More information can be found here: https://www.semble.io/ 

3.5 Booking, payment and administration information

This may include:

  • appointment details; 
  • payment status; 
  • invoices and receipts; 
  • membership details; 
  • insurance information, where applicable; 
  • correspondence with you; 
  • call notes or enquiry records; 
  • complaints, feedback or incident records. 

We do not usually store full card payment details ourselves. Where card payments are processed, this will usually be handled by a payment provider.

3.6 Website and online information

When you use our website or online booking/enquiry forms, we may collect:

  • IP address; 
  • device and browser information; 
  • pages visited; 
  • date and time of website access; 
  • enquiry form information; 
  • cookie preferences; 
  • analytics information. 

Further information is set out in the cookies section below.

4. Where we get information from

We may receive information from:

  • you directly; 
  • parents, guardians, carers or family members; 
  • your GP practice; 
  • NHS bodies or commissioners, where relevant; 
  • hospitals, consultants or other healthcare professionals; 
  • laboratories, diagnostic providers and pharmacies; 
  • schools or education professionals, where relevant to ADHD or children’s assessments; 
  • insurers, where you ask us to liaise with them; 
  • online booking platforms or patient management systems; 
  • regulators or public authorities, where relevant. 

5. Why we use your information

We use your personal information for the following purposes:

5.1 Providing healthcare services

This includes:

  • assessing your health needs; 
  • providing consultations, diagnosis, treatment and advice; 
  • arranging blood tests, screening, diagnostics or onward referrals; 
  • prescribing medication; 
  • providing vaccination, minor surgery, aesthetics, ADHD, GP and other clinic services; 
  • maintaining accurate clinical records; 
  • communicating with you about your care. 

5.2 ADHD assessment and ongoing management

This includes:

  • assessing eligibility and suitability for ADHD assessment; 
  • collecting questionnaires and supporting information; 
  • carrying out clinical assessments; 
  • obtaining information from schools or other relevant individuals where appropriate; 
  • producing diagnostic reports; 
  • developing treatment plans; 
  • prescribing and monitoring ADHD medication; 
  • liaising with GPs, NHS services or other clinicians; 
  • managing Right to Choose referrals and associated NHS administration where applicable. 

5.3 Children’s care and safeguarding

We may use information to:

  • provide healthcare to children; 
  • involve parents, guardians or carers appropriately; 
  • consider the child’s wishes and capacity where relevant; 
  • respond to safeguarding concerns; 
  • share information where necessary to protect a child or another person from harm. 

5.4 Administration and service management

This includes:

  • booking and managing appointments; 
  • handling payments and invoices; 
  • managing membership services; 
  • responding to enquiries; 
  • dealing with complaints, incidents or feedback; 
  • maintaining audit trails and business records; 
  • supporting service quality and governance. 

5.5 Communication

We may contact you:

  • about appointments; 
  • with reminders; 
  • about test results; 
  • about follow-up care; 
  • to respond to your enquiry; 
  • about important service updates. 

We will not send direct marketing by email or text unless permitted by law or where you have provided consent where required. You can opt out of marketing communications at any time.

5.6 Legal, regulatory and professional obligations

We may use information where necessary to:

  • comply with CQC requirements; 
  • comply with professional standards and clinical record-keeping duties; 
  • respond to legal claims or requests from regulators; 
  • manage complaints or investigations; 
  • comply with safeguarding duties; 
  • maintain appropriate insurance and financial records. 

5.7 Website management and improvement

We may use website and cookie information to:

  • maintain website security; 
  • understand how visitors use the website; 
  • improve website functionality; 
  • manage online forms and bookings. 

6. Lawful basis for using your information

We must have a lawful basis under Article 6 UK GDPR to use your personal information.

Depending on the circumstances, we may rely on:

6.1 Contract

Where processing is necessary to provide private healthcare services you have requested, manage appointments, take payment or administer your membership.

6.2 Legal obligation

Where we need to comply with laws or regulatory obligations, including clinical record-keeping, safeguarding, tax, accounting, CQC or professional obligations.

6.3 Legitimate interests

Where processing is necessary for our legitimate business or clinical administration interests, provided your rights do not override those interests. This may include responding to enquiries, improving services, managing complaints, maintaining security and operating the clinic effectively.

6.4 Vital interests

In rare circumstances, where processing is necessary to protect someone’s life or prevent serious harm.

6.5 Public task

Where we are providing services under an NHS pathway or carrying out functions connected to NHS-funded care, such as NHS Right to Choose ADHD services, where applicable.

6.6 Consent

Where we rely on your consent for a specific purpose, such as certain marketing communications, optional information sharing or use of non-essential cookies. Where we rely on consent, you can withdraw it at any time.

Consent is not usually the main legal basis we rely on for providing healthcare, as we need to process relevant information to provide safe care and maintain clinical records.

7. Special category health information

Because we provide healthcare, we process health information and, in some cases, other special category information.

Our usual Article 9 condition for processing health information is:

Article 9(2)(h): processing is necessary for the provision of health or social care or treatment, or the management of health or social care systems and services.

Where relevant, we may also rely on:

  • Article 9(2)(a): explicit consent, for specific optional processing; 
  • Article 9(2)(c): vital interests, where necessary to protect life and the person cannot give consent; 
  • Article 9(2)(f): legal claims, where necessary to establish, exercise or defend legal claims; 
  • Article 9(2)(g): substantial public interest, for safeguarding or other legally recognised reasons; 
  • Article 9(2)(i): public health, where relevant to public health requirements. 

Where required, we will also rely on the relevant condition under Schedule 1 of the Data Protection Act 2018.

8. Confidentiality

As a healthcare provider, we owe patients a duty of confidentiality.

We will usually only share confidential patient information:

  • where you have agreed or would reasonably expect us to share it as part of your care; 
  • where sharing is necessary for direct care, for example with your GP, consultant, laboratory, pharmacy or other healthcare provider; 
  • where required by law; 
  • where necessary to protect you or another person from serious harm; 
  • where there is an overriding public interest; 
  • where required for safeguarding purposes; 
  • where necessary for legal or regulatory reasons. 

9. Who we share information with

We may share relevant information with:

  • GPs and NHS GP practices; 
  • NHS trusts, NHS commissioners or NHS services, where relevant; 
  • consultants, psychiatrists, clinicians and other healthcare professionals involved in your care; 
  • laboratories and diagnostic testing providers; 
  • pharmacies; 
  • hospitals or referral providers; 
  • schools or education professionals, where relevant to children’s ADHD assessments and with appropriate safeguards; 
  • insurers, where you ask us to do so or where necessary for a claim; 
  • booking, patient management, payment and IT system providers; 
  • accountants, auditors, legal advisers and insurers; 
  • regulators such as CQC, GMC or ICO where required; 
  • safeguarding authorities, local authorities or police where necessary and lawful. 

We will only share the minimum information necessary for the relevant purpose.

10. NHS Right to Choose ADHD services

Where you access our ADHD service through the NHS Right to Choose pathway, we may process and share information with:

  • your GP practice; 
  • NHS commissioners or other NHS bodies; 
  • clinicians involved in your assessment, diagnosis, prescribing or ongoing management; 
  • pharmacies and diagnostic providers where clinically required. 

This is to manage your referral, confirm eligibility, provide assessment and treatment, support medication management, communicate with your GP and manage NHS reporting or payment requirements.

11. Private healthcare, insurance and payment

If you are paying privately, we will process information necessary to manage your appointment, treatment, payment and clinical record.

If an insurer, employer or other third party is paying for or involved in your care, we will explain what information may need to be shared. We will usually seek your agreement before sharing clinical information with an insurer or third party, unless there is another lawful basis or legal requirement.

12. Children and young people

Where we provide services to children and young people, we will handle their information with particular care.

Depending on the child’s age, maturity and understanding, they may have their own rights in relation to their personal information. Parents or guardians will usually be involved in a child’s care, but there may be circumstances where information is handled confidentially in line with professional guidance, safeguarding requirements and the child’s best interests.

For ADHD assessments, we may need information from parents, guardians, carers and schools to support a full and accurate assessment.

13. How long we keep information

We will keep personal information only for as long as necessary for the purpose it was collected, including to meet clinical, legal, regulatory, professional, insurance and accounting requirements.

Clinical records will normally be kept in line with recognised healthcare record retention standards and professional guidance. Retention periods may vary depending on:

  • whether the record relates to an adult or child; 
  • the type of service provided; 
  • whether there is ongoing care; 
  • safeguarding concerns; 
  • complaints, incidents or legal claims; 
  • regulatory or insurance requirements. 
  • Adult clinical records: retained for at least 8 years after the last contact, or longer where clinically, legally or professionally required. 
  • Children’s clinical records: retained until the patient’s 25th birthday, or 26th birthday if the young person was 17 when treatment ended, or longer where required. 
  • Maternity records: 25 years where applicable. 
  • Complaints records: usually retained for at least 10 years. 
  • Financial records: usually retained for 6 years. 
  • Enquiry records where no treatment is provided: retained for a shorter period, for example 12–24 months, unless needed for legal or regulatory reasons. 

These periods should be confirmed against the clinic’s actual retention schedule before publication.

14. How we protect your information

We use appropriate technical and organisational measures to protect personal information, including:

  • secure clinical systems; 
  • role-based access controls; 
  • password protection and authentication; 
  • staff confidentiality obligations; 
  • staff training; 
  • secure email and communication processes where appropriate; 
  • audit trails; 
  • secure storage and disposal; 
  • supplier due diligence and contracts; 
  • incident reporting and management processes. 

No system can be guaranteed to be completely secure, but we take reasonable and proportionate steps to protect your information.

15. International transfers

We store and process personal information within the UK or European Economic Area.

Where we use suppliers who process information outside the UK, we will ensure appropriate safeguards are in place, such as adequacy regulations, standard contractual clauses or other lawful transfer mechanisms.

16. Automated decision-making

We do not use your health information to make solely automated decisions that have legal or similarly significant effects on you.

Clinical decisions are made by appropriately qualified healthcare professionals.

We may use AI-assisted or digital tools to support administrative and clinical processes, such as note organisation, correspondence, appointment management and service improvement. These tools do not replace clinical judgement, and decisions about your care remain with appropriately qualified healthcare professionals.

We will only use such tools where appropriate safeguards, confidentiality controls and lawful bases are in place. We will not knowingly enter identifiable patient information into public or unsecured AI tools.

17. Your rights

You have rights under data protection law, including the right to:

  • request access to your personal information; 
  • request correction of inaccurate or incomplete information; 
  • request erasure of information in certain circumstances; 
  • request restriction of processing; 
  • object to certain processing; 
  • request data portability in certain circumstances; 
  • withdraw consent where we rely on consent; 
  • complain to the Information Commissioner’s Office. 

These rights are not absolute. For example, we may need to retain clinical records where required for healthcare, legal, regulatory or professional reasons.

To exercise your rights, please contact: hello@welllife-clinic.co.uk

We may need to verify your identity before responding.

18. Access to medical records

You can request a copy of your medical records by making a subject access request.

For children’s records, requests may be made by a person with parental responsibility, but we will consider the child’s age, understanding, confidentiality rights and best interests before disclosing information.

We will usually respond within one calendar month, unless the request is complex or an extension is permitted by law.

19. Accuracy of your information

Please tell us if your personal details or medical information change. Accurate information helps us provide safe care.

20. Marketing

We may use your contact details to send information about our services where permitted by law. Where consent is required, we will ask for your consent first.

You can opt out of marketing at any time by contacting us or using the unsubscribe option in our communications.

We will not sell your personal information.

21. Cookies and website analytics

Our website uses cookies and similar technologies.

Cookies may be used to:

  • make the website work properly; 
  • remember your preferences; 
  • support security; 
  • understand how visitors use the website; 
  • improve website performance; 
  • support online forms and booking functionality; 
  • support marketing or analytics where consent is required. 

You can manage cookies through your browser settings or any cookie preference tool available on our website.

Non-essential cookies should only be used where permitted by law, and where consent is required, we will ask for your consent.

A separate cookie policy or cookie table should list the cookies used, their purpose, provider and duration.

22. Links to other websites

Our website may contain links to other websites, booking platforms or third-party services. We are not responsible for the privacy practices of those organisations. You should read their privacy notices before providing information to them.

23. Complaints

If you have concerns about how we handle your information, please contact us first so we can try to resolve the issue.

You can also complain to the Information Commissioner’s Office:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF
Website: ico.org.uk
Telephone: 0303 123 1113

24. Changes to this notice

We may update this Privacy Notice from time to time. The latest version will be published on our website.

Where changes are significant, we may take additional steps to bring them to your attention.