This policy explains how Healthwatch Limited (Company No. 06997189), trading as FastTrack GP, collects and uses your personal data when you visit fasttrackgp.co.uk, book an appointment, or receive care from us. We are the data controller for your personal data.
FastTrack GP is the same-day private GP service of Mayfield Clinic. Both brands are operated by Healthwatch Limited.
Who's responsible for your data
- Controller: Healthwatch Limited, 3rd Floor, Mayfield House, 256 Banbury Road, Oxford OX2 7DE
- Data Protection Officer: Dr Amanda Northridge — info@mayfieldclinic.co.uk
- ICO registration: We are registered with the Information Commissioner's Office. You can verify our registration on the ICO public register at ico.org.uk/ESDWebPages/Search.
What we collect
- Identity and contact data: name, date of birth, email, phone, address.
- Clinical data (special category): symptoms, history, examination findings, treatment issued, referrals, test results, GP correspondence.
- Booking and payment data: appointment type, time, location, Stripe payment confirmation. We do not store full card numbers — Stripe holds these.
- Technical data: IP address, device, browser, pages visited, performance and error data. See our Cookie policy for the analytics detail.
Lawful bases (UK GDPR Article 6 / Article 9)
- Article 6(1)(b) — performance of a contract: managing your booking and providing the appointment.
- Article 6(1)(c) — legal obligation: clinical record-keeping, anti-fraud, tax records.
- Article 6(1)(f) — legitimate interest: site security, fraud prevention, service improvement.
- Article 6(1)(a) — consent: optional analytics cookies and any marketing communications.
- Article 9(2)(h) — provision of health care: lawful basis for processing your special-category clinical data, by clinicians under the duty of professional confidence.
How we use your data
- Take and confirm bookings, send reminders, deliver the consultation.
- Maintain a contemporaneous clinical record as required by the GMC and our regulators.
- Issue treatment, referral letters and fit notes; share these with the parties you ask us to (for example, your NHS GP, a pharmacy or a hospital).
- Verify your identity and confirm your NHS number via the NHS Personal Demographics Service (PDS) where this is needed for safe care, accurate clinical correspondence with your NHS GP, and to prevent record mismatch. PDS lookups are logged and auditable.
- Take payment, issue receipts, and comply with HMRC and Companies Act 2006 record-keeping requirements.
- Investigate complaints, near-misses and safeguarding concerns.
Who we share it with (sub-processors)
We share data only where strictly necessary, under contract, and with appropriate safeguards. The sub-processors below may receive your personal data:
- Hero Health (UK / EU) — appointment scheduling.
- EMIS Web — clinical record system for patient notes.
- Stripe Payments UK Ltd — payment processing.
- Our transactional email provider — booking confirmations and reminders.
- Freshdesk — customer support tickets and queries.
- Microsoft Suite (Microsoft 365) — clinical letter writing (referrals, correspondence).
- PostHog (EU region) — product analytics, with consent.
- Vercel Inc — site hosting.
We also use Xero (accounting and financial records), Slack (internal staff communication), Mapbox (clinic locator maps) and Supabase (database for non-clinical content — location data, public services, blog) as service providers. They do not receive patient data and are listed here for transparency only.
We do not transfer your personal data outside the EEA without an Article 46 transfer mechanism (UK Addendum to the EU Standard Contractual Clauses) in place.
We will also share data where we are legally required to (for example, a court order, safeguarding disclosure, or response to a CQC inspection).
How long we keep it
- Clinical records (adults): 10 years from the date of last contact, in line with GMC and NHS retention guidance.
- Clinical records (children): until the child reaches age 25, or 10 years from last contact — whichever is later.
- Financial records: 6 years, as required by the Companies Act 2006 and HMRC.
- Cookie / analytics data: retained per the durations in our Cookie policy.
- Marketing consent: until you withdraw it.
Your rights
Under the UK GDPR and Data Protection Act 2018 you have the right to:
- access a copy of your data (subject access request);
- ask us to correct inaccurate data;
- ask us to delete your data, subject to overriding legal obligations (we cannot delete clinical records during the retention period);
- restrict or object to processing;
- portability of data you have provided to us;
- withdraw consent for analytics or marketing at any time.
To exercise any right, email Dr Amanda Northridge, our Data Protection Officer, at info@mayfieldclinic.co.uk. We aim to respond within one calendar month.
If you are not satisfied, you can complain to the Information Commissioner's Office at ico.org.uk/concerns or 0303 123 1113.
Security
We use TLS in transit and encryption at rest. Access to clinical records is role-based and audited. Staff training on confidentiality and information governance is mandatory and refreshed annually.
Contact
For any privacy question: Dr Amanda Northridge, Data Protection Officer — info@mayfieldclinic.co.uk, or write to Healthwatch Limited (FastTrack GP), 3rd Floor, Mayfield House, 256 Banbury Road, Oxford OX2 7DE.
Last reviewed: 28 April 2026.