Privacy Policy

1.Introduction

This Privacy Policy explains how Sapien Medica Limited (“Sapien Medica”, “we”, “us”, “our”) processes personal data when you use our website at www.sapienmedica.com (the “Website”) or otherwise interact with us, on any device or platform. It also explains the rights you have under the United Kingdom General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
In this Policy, “personal data” means any information relating to an identified or identifiable individual, for example, your name, address, email address, telephone number, or information about your health or treatment. Terms such as “processing”, “controller”, “processor”, “recipient”, and “consent” carry the meanings given to them in Article 4 of the UK GDPR.

2.Who Is the Controller and How to Contact Us

The controller of the personal data described in this Policy is:

Sapien Medica Limited
85 Great Portland Street, London W1W 7LT, United Kingdom
Telephone: +44 20 7183 5450
Email: contact@sapienmedica.com

You can contact our data protection lead by email at contact@sapienmedica.com or by post at the address above, marked for the attention of the Data Protection Lead.

3.The Personal Data We Collect

We collect personal data only where it is necessary for the purposes described in this Policy. The categories we collect depend on how you use the Website and what you ask us to do for you.

3.1 If you only browse the Website
If you use the Website purely for information purposes, without registering, submitting an enquiry, or otherwise providing us with any data, we collect only the technical information that your browser transmits to our server. This may include your IP address, the date, time, and time-zone offset of your request, the page or resource requested, the HTTP status code returned, the volume of data transmitted, the referring URL, your operating system, browser type and version, and your browser language settings.

3.2 If you contact us or submit an enquiry
If you contact us through the Website, by email, by telephone, or by messaging service (including WhatsApp and SMS), we may also process the personal data you provide, which typically includes:

Your name, address, email address, telephone number, country of residence, and preferred contact channel.

Information about your medical situation that you choose to share with us, including the type of treatment you are seeking, your current diagnosis, prior investigations, and any preferred or proposed treatment date.

The substance of any message you send us, and any documents (including medical records, imaging files, and clinic letters) that you upload or attach.

3.3 If you ask us to facilitate care
Where you ask us to facilitate access to a Partner Provider (“Clinic or Hospital”), we may also collect insurance and payment information, identity verification material (such as a copy of your passport where required by an overseas hospital), and your written or recorded consent and instructions to us. In respect of Service Fees, Card payment data is captured directly by our payment service provider and is not stored on Sapien Medica systems.

4.Why We Process Your Personal Data and Our Legal Bases

We process personal data only where we have a lawful basis under Article 6 of the UK GDPR, and, where that data falls within a special category (including health data), an additional condition under Article 9. The bases and conditions we rely on are set out below.

4.1 Consent-Article 6(1)(a) and Article 9(2)(a)
Where you ask us to facilitate medical care, you give us your explicit consent to collect, process, and transfer your health-related data to Partner Providers, including hospitals, clinics, and individual clinicians, inside and outside the United Kingdom, so that they can review your case, advise on suitable services, propose pricing, and where instructed deliver care. You also give us your consent to contact you through your chosen channel (web form, email, telephone, WhatsApp, or SMS) in connection with that work. You may withdraw consent at any time. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal.

4.2 Performance of a contract-Article 6(1)(b)
Where you have asked us to provide our coordination and facilitation services, we process the personal data necessary to take steps before entering into our engagement and to perform that engagement once concluded.

4.3 egitimate interests-Article 6(1)(f)
We process limited personal data on the basis of our legitimate interests, including for IT and network security, fraud prevention, defending legal claims, internal administration, and limited marketing and market research where this does not override your rights and freedoms. You can ask us for details of the balancing assessment we have performed.

4.4 Legal obligation-Article 6(1)(c)
We process personal data where necessary to comply with applicable law, including tax, accounting, anti-money-laundering, and regulatory record-keeping obligations.

4.5 Vital interests and provision of healthcare-Articles 6(1)(d), 9(2)(c), and 9(2)(h)
In a medical emergency where you cannot give consent, we may process and disclose your health information to protect your life or health. Where the processing is necessary for the assessment of clinical needs, care planning, or the management of healthcare services, and is undertaken by, or under the responsibility of, a person subject to a duty of professional secrecy, we rely on the provision-of-healthcare condition.

5.Who Receives Your Personal Data

Within Sapien Medica, only personnel whose roles require it may access your personal data. We share your data outside Sapien Medica only where required by law, where necessary to perform our contract or engagement with you, where justified by a legitimate interest, or where you have given your consent. The principal categories of recipient are:

Partner Providers-independent clinicians, clinics, and JCI-accredited hospitals in the United Kingdom and overseas (including in Singapore, Turkey, Egypt, India, and other jurisdictions) to whom we refer your case at your request, for review, second opinion, or treatment.

Service providers acting as our processors-including providers of IT and cloud-hosting services, secure file transfer, video-consultation platforms, payment processing, telecommunications, marketing and email infrastructure, professional advisers (legal, accounting, insurance), and travel and accommodation providers where applicable. Each processor acts under a written data-processing agreement that requires it to protect your information.

Insurers, assistance companies, or corporate clients funding your treatment, but only where you have authorised this.

Regulators, law-enforcement agencies, courts, and other public bodies, where we are legally required to disclose information.

In the event of a corporate transaction (such as a sale or restructuring), prospective and actual buyers and their advisers, subject to confidentiality undertakings.

If you only browse the Website without submitting any information, we do not pass your personal data to any third party for that purpose. We do not sell your personal data and we do not share it with third parties for their own marketing.

6.How Long We Keep Your Personal Data

We keep your personal data only for as long as necessary for the purposes described in this Policy. The default retention periods we apply are set out below; longer periods may apply where law, professional standards, or limitation periods require it.

Category of data	Retention period
Server log files (technical and security data)	Up to 90 days from the date of the request, unless a longer period is needed to investigate misuse, fraud, or a security incident
Patient and case files (including health information, correspondence, instructions, and treatment records)	8 years from the end of treatment, in line with NHS England retention guidance for adult clinical records. Paediatric records are retained until the patient’s 25th birthday or the relevant period after the end of treatment, whichever is later
Enquiry data (web form submissions, emails, and messages that do not progress to a case file)	12 months from the date of last contact
Newsletter and marketing data	Until you withdraw consent or object, plus 24 months for suppression record-keeping
Recruitment data-unsuccessful applicants	6 months from the conclusion of the recruitment process, unless you consent to inclusion in our talent pool, in which case up to 5 years from your consent (or until earlier withdrawal)
Accounting, tax, and contract records	6 years from the end of the financial year to which they relate, or longer where statutory limitation periods apply
Cookies and similar technologies	As described in our Cookies Policy

7.International Transfers of Your Personal Data

Sapien Medica’s business model involves transferring personal data from the United Kingdom to recipients in countries outside the UK, in jurisdictions where Partner Providers are based. These transfers are essential to the services you have asked us to facilitate.
Where the destination country is not subject to a UK adequacy regulation, we ensure that any recipient of your personal data is contractually obliged to adhere to standards of protection that are equivalent to those under the UK GDPR. This means that, even in jurisdictions where UK GDPR standards are not prevalent, recipients must comply with UK GDPR regulatory requirements in relation to your personal data before any transfer takes place. To achieve this, we put in place one of the safeguards permitted under the UK GDPR, which may include the UK International Data Transfer Agreement (IDTA).
Where the transfer involves your special category health data, we obtain your explicit consent in advance and conduct a Transfer Risk Assessment to confirm that the safeguards provide essentially equivalent protection in the recipient jurisdiction. You can ask us for a copy of the safeguards in place by contacting us at contact@sapienmedica.com.
Please be aware that data protection in the United States and certain other countries may not provide the same level of protection as the law of the United Kingdom, and that public authorities in those countries may in some circumstances have access to data without the same legal remedies as are available in the UK.

8.Your Rights

Subject to the conditions and limitations set out in the UK GDPR, you have the following rights in relation to your personal data:

the right of access-to ask for a copy of the personal data we hold about you;

the right to rectification-to ask us to correct inaccurate or incomplete data;

the right to erasure-to ask us to delete your data in certain circumstances (this right is qualified, particularly in respect of clinical records subject to mandatory retention);

the right to restriction of processing-to ask us to limit our use of your data in certain circumstances;

the right to data portability-to receive certain data in a structured, commonly used, machine-readable format and to ask us to transmit it to another controller where technically feasible;

the right to withdraw consent-at any time, where we rely on your consent;

the right to object-to processing based on our legitimate interests or on a public-interest task, and to direct marketing in any case;

the right to lodge a complaint with the Information Commissioner’s Office or another supervisory authority.

Requests are free of charge unless they are manifestly unfounded or excessive, in which case we may charge a reasonable fee or refuse to act on the request. We may need to verify your identity before responding. We aim to respond within one month of receipt; for complex or numerous requests we may extend this period by a further two months and will tell you within the first month if we do.
To exercise any of these rights please email contact@sapienmedica.com or write to us at the address in Section 2.

9.Automated Decision-Making and Profiling

Sapien Medica does not use solely automated decision-making within the meaning of Article 22 of the UK GDPR to make decisions about you that produce legal or similarly significant effects. We do not carry out profiling for the purpose of evaluating your personal characteristics. If we ever introduce such processing, we will tell you in advance and ensure that you have the right to obtain human review.

10.Data You Must Provide

Some personal data is necessary for the Website to function correctly and to be served securely; if your browser does not transmit that technical data, the Website may not work properly. When you contact us through a form, by email, or by messaging service, you only need to provide the personal data necessary for us to handle your request. Without that information we may be unable to respond or to facilitate the services you have asked us to arrange.

11.Cookies

We use cookies and similar technologies on the Website. Some cookies are strictly necessary for the Website to function and are set automatically. Other cookies are used only with your consent, given through our cookie banner, and you can withdraw your consent or change your preferences at any time using the cookie settings link in the Website footer. You can also adjust your browser settings to block cookies, although this may stop parts of the Website from working. Full details, including the categories of cookies we use, the cookies we set, and how to manage them, are set out in our separate Cookies Policy.

12.External Services

e use a number of external services to operate, secure, improve, and market the Website. Depending on the page and on your cookie preferences, these may include analytics, advertising, customer relationship management, web hosting and deployment, font delivery, conversion-rate optimisation, customer review, social media, and similar services-for example, Google Analytics, Google Ads, FullStory, YouTube, Salesforce, Pardot, Adobe Fonts, Unbounce, Trustpilot, Meta (including the Facebook Pixel), Vercel, and the social-media platforms on which we maintain a presence.
These services may set cookies, collect usage statistics, process IP addresses, and in some cases transfer personal data to the United States or other third countries. Where required, we rely on your consent (managed through the cookie banner), Standard Contractual Clauses, the UK IDTA or Addendum, or another lawful transfer mechanism. Each provider acts under its own privacy notice and, where it processes your data on our behalf, under a written data-processing agreement with us.

13.Newsletter

If you subscribe to a Sapien Medica newsletter sometime in the future, we will send you marketing communications and related information based on your consent or where we are otherwise permitted by law to do so. We will use a double opt-in process: after you submit your subscription, we will send you an email asking you to confirm. We log the date, time, and IP address of the registration and the confirmation step, for evidential and audit purposes.
Our newsletter may include tracking technologies that help us understand whether emails are opened and which links are clicked. You can unsubscribe at any time using the unsubscribe link in any newsletter email or by contacting us at contact@sapienmedica.com.

14.Referrals and Partner Clinics

At your request, we may organise an initial appointment with one of our Partner Providers. In that case we transfer your contact details and any health-related information necessary for the consultation to the relevant clinician or clinic, on the basis of your explicit consent and the conditions described in Sections 4 and 7 of this Policy.

Medical confidentiality and the return flow of information

For data protection and medical confidentiality reasons, the Partner Provider does not provide us with health-related information about you in return. Any clinical information generated as a result of your consultation, second opinion, or treatment is the responsibility of the Partner Provider and is governed by that provider’s own privacy notice and the law of the jurisdiction in which it operates. If you would like a copy of clinical information held by a Partner Provider, you should request it directly from that Partner Provider.

15.Social Media Pages

Sapien Medica maintains pages on a number of social media platforms to communicate with you, share information about our services, and respond to public messages. When you visit one of those pages, the platform provider may process your personal data for its own purposes, including advertising and market research, on terms set by the platform and outside Sapien Medica’s control. Each platform operates under its own privacy notice.
Where we receive personal data through messages or comments on our social media pages, we process that data on the basis described in this Policy. You may exercise your rights under Section 8 by contacting us using the details in Section 2; we will then act in respect of any data within our control.

16.Changes to This Policy

We may update this Privacy Policy from time to time. The version number and effective date at the top of the document will indicate when it was last revised. Where the changes are material we will notify you directly or by a prominent notice on the Website before the changes take effect.

17.How to Contact Us

Sapien Medica Limited, 85 Great Portland Street, London W1W 7LT, United Kingdom. Telephone: +44 20 7183 5450. Email: contact@sapienmedica.com Company number: 12664242