Privacy & Cookie Policy
INTEGRATED PRIVACY POLICY, COOKIE POLICY & GDPR COMPLIANCE STATEMENT
Effective Date: 2 July 2026
Document Version: 1.4 (Integrated Master Digital Copy)
Review Date: 4 June 2027
Introduction & Scope
This comprehensive policy applies to all users interacting with Eman Health, including individual private patients, employees, corporate employers, and commercial clients utilizing our remote primary care consulting, digital diagnostic paths, and questionnaire-based occupational health systems.
Eman Health (“we”, “us”, or “our”) is operated under the corporate parent entity KRAO Services Ltd (Company Number 14391915), with our registered Care Quality Commission (CQC) primary operational base located at Eman Health at Dog Kennel Lane Surgery, 64 Dog Kennel Lane, Oldbury, West Midlands, B68 9LZ.
We are fully committed to protecting your privacy and ensuring absolute compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the Access to Medical Reports Act 1988, and the strict confidentiality guidelines mandated by the Care Quality Commission (CQC) and the General Medical Council (GMC). This statement outlines exactly how we collect, process, safeguard, and retain your personal, demographic, and special category medical data.
1. Data We Collect
As an independent healthcare provider, we process both personal data and special category data (health records).
-
Personal & Administrative Information: We collect demographic identifiers including your name, date of birth, biological sex, billing address, contact telephone numbers, corporate email addresses, and any administrative background data provided via intake forms, clinical screening questionnaires, or direct correspondence.
-
Special Category Health Information: We collect comprehensive health-related data necessary to perform safe clinical assessments, prescribe medications, or generate objective Occupational Health Reports. This includes past medical histories, current clinical conditions, psychological health screenings, ongoing symptoms, family histories, physiological measurements, current medications, and third-party diagnostic updates. We only collect this detailed clinical data when you grant your explicit, unambiguous consent or when it is legally necessitated to fulfill statutory medical duties.
-
Technical & Website Usage Data: When you browse www.emanhealth.co.uk, we may automatically collect telemetry details including your Internet Protocol (IP) address, operating system, browser type, navigation timelines, and patterns of interaction with our online systems for security monitoring and digital service refinement.
2. How We Process Your Data
We enforce strict data minimization frameworks to ensure your personal and health records are utilized exclusively for explicit clinical and operational milestones:
-
Clinical Service Provision & Outpatient Logistics: Your data is processed to deliver private GP consultations, execute clinical diagnostic ordering, issue electronic prescriptions, orchestrate external specialist referrals, and formulate objective workplace fitness-for-work certificates and Occupational Health Reports.
-
AI Processing Frameworks: Where automated systems or Artificial Intelligence tools are leveraged to support document organization, administrative sorting, or clinical data synthesis, the data is entirely anonymized prior to processing. All identifiable personal markers are completely stripped away to prevent any risk of individual re-identification, ensuring complete privacy protection.
-
Secure Professional Communications: We use your verified contact channels to distribute critical service notifications, including automated secure booking confirmations, payment receipts, diagnostic lab alerts, clinical updates, and direct delivery of formal medical reports.
3. Legal Bases for Processing Data
Under the UK GDPR, we rely on clear legal pillars to handle your information:
-
Explicit Consent (Article 6(1)(a) & Article 9(2)(a)): For the processing of special category health information and the generation of elective clinical or occupational reports, you provide explicit, active consent when completing our digital questionnaires or initiating a private clinical encounter.
-
Contractual Necessity (Article 6(1)(b)): The processing of basic contact details and payment parameters is mandatory to fulfill our formal contract with you or your employer under an active Service Level Agreement (SLA).
-
Legal Obligation & Vital Interests (Article 6(1)(c) & Article 9(2)(c)): We may process and disclose clinical data when legally compelled by statutory UK reporting regulations, court orders, CQC regulatory audits, or to prevent catastrophic physical harm or safeguard vulnerable individuals.
4. Controlled Data Sharing & Disclosures
Eman Health enforces a zero-tolerance policy against selling or sharing personal medical data with third-party marketing brokers. Data sharing is restricted exclusively to authorized clinical, diagnostic, and legal channels:
-
Internal Clinical Roles: Access to your full, unredacted medical record is limited strictly to our authorized clinical staff—specifically our Medical Director and Registered Manager, Dr Khaled Ajam-Oghli (GMC: 7071638)—and any fully vetted sessional clinicians or occupational health professionals deployed under our direct subcontracting umbrella.
-
Disclosure to Corporate Employers: In accordance with the Access to Medical Reports Act 1988, finalized Occupational Health Reports or fitness certificates are only shared with your employer's HR or management teams after you have been granted your right of prior review and have given explicit, signed authorization to release the document.
-
Third-Party Diagnostic & Pharmacy Systems: To execute your comprehensive care plan, relevant patient identifiers and diagnostic clinical orders are shared securely with our designated processing partners:
-
The Doctors Laboratory (TDL) for pathology profiles and blood processing.
-
Vista Health for advanced radiological and imaging appointments.
-
Electronic Prescribing Integrations embedded within our electronic patient record to generate secure prescription tokens.
-
-
Linguistic Support Infrastructure: Where verbal or written translation is required to secure patient understanding, basic communication indicators are integrated with Word360 translation networks under strict confidentiality clauses.
-
Statutory Legal Mandates: We will disclose clinical information to law enforcement bodies, the General Medical Council, or Local Authority Safeguarding Teams if formally directed by an order of the court, or if required to prevent immediate, life-threatening harm to the patient or the general public.
5. Absolute Data Security Infrastructure
We implement multi-layered physical, administrative, and technological security controls designed to align with CQC "Well-Led" requirements and UK data protection mandates:
-
Core Cloud EPR Encryption: All long-term electronic health records, diagnostic uploads, and clinical interaction histories are compiled and hosted on the specialized WriteUpp Electronic Patient Record (EPR) platform. Data managed within WriteUpp is protected by advanced industry-standard AES-256 bit encryption architectures at rest, and secure Transport Layer Security (TLS/HTTPS) protocols in transit.
-
Rigorous Local Access Controls: Access to our cloud interfaces requires mandatory Multi-Factor Authentication (MFA) tokens for all active operator accounts, reinforced by automatic 3-minute device inactivity hardware locks on our primary equipment. Local physical hardware runs active full-disk BitLocker encryption, and the storage of patient files on local hard drives or unsecured physical media is strictly prohibited.
-
Ultra-Secure Document Delivery Framework: To guarantee absolute confidentiality between our practice, individual patients, and corporate employers, all outbound medical reports, clinical summaries, and fitness certificates are transmitted exclusively via the Egress secure platform. Egress ensures military-grade end-to-end encrypted transmission, allowing authenticated recipients to open, read, and manage health communications safely without the risk of interception or data leak.
6. Your Statutory Rights Under UK GDPR
As a data subject, you hold powerful statutory rights regarding the personal and clinical info we maintain. You can exercise these rights at any point:
-
Right of Access (Subject Access Request): You have a right to obtain a full, unredacted digital copy of your medical records and all clinical questionnaires compiled by our practice free of charge.
-
Right to Rectification: You may request that we immediately update or correct any factually inaccurate or outdated demographic, administrative, or employment details in your records. Please note that you cannot alter the historical, objective clinical opinions logged by a medical practitioner.
-
Right to Erasure ("Right to be Forgotten"): You can request the deletion of your personal parameters. However, under UK medical law, independent healthcare providers are subject to strict statutory health retention regulations that take legal precedence over erasure requests for core clinical charts.
-
Right to Restrict or Object to Processing: You have the right to limit the scope of how we process your information or object to specific administrative automated procedures.
-
Right to Data Portability: You can request that your records be exported in a structured, standard machine-readable format to be easily shared with an alternative private provider or NHS team.
To exercise any of these rights, please email your formal request directly to our administrative hub at support@emanhealth.co.uk. We verify the identity of all requesting individuals prior to data release and aim to fulfill all verified statutory requests within the legally mandated 30-day window.
7. Data Retention Protocols
Medical health charts and occupational files are classified as official clinical records. Eman Health retains your data only for as long as necessary to provide services, satisfy our professional liabilities, and remain compliant with the UK Records Management Code of Practice for Health and Social Care.
Standard clinical consultations and corporate occupational health surveillance records are securely archived for a minimum baseline period of 8 to 25 years (depending on the clinical sub-category, statutory screening parameters, or chemical exposures involved) before being securely and permanently purged from our encrypted systems.
8. Revisions to This Privacy Policy
KRAO Services Ltd reserves the right to make periodic modifications to this Privacy Policy to ensure alignment with expanding operations, digital platform migrations, or shifting UK data laws. Any formal modifications will be immediately signaled on our website by an updated "Effective Date" at the top of this document.
9. Contact & Supervisory Authorities
For any queries regarding this policy, the security of your medical profile, or to exercise your individual data rights, please contact our clinical management team:
-
Email: support@emanhealth.co.uk
-
Telephone: 07459354139
-
Address: Eman Health at Dog Kennel Lane Surgery, 64 Dog Kennel Lane, Oldbury, West Midlands, B68 9LZ, UK
If you believe Eman Health has failed to process your personal data in accordance with UK law, you have the right to lodge a formal regulatory complaint with the UK supervisory body: the Information Commissioner’s Office (ICO) via their helpline at 0303 123 1113 or via www.ico.org.uk (Our Data Registration Number: ZB532451).
10. Integrated Cookie & Tracking Policy
Our digital web architecture utilizes standard cookies and tracking web components to keep our website running smoothly, secure our booking networks, analyze demographic interactions, and refine patient experience.
10.1 Classifications of Cookies Utilized
-
Essential & Security Cookies: These functional elements are programmatically required to verify user sessions, manage secure electronic payment checkouts, and prevent malicious server cross-site scripting attacks. These cookies are hardcoded and cannot be deactivated, as the site cannot function safely without them.
-
Analytics & Performance Tracking Cookies: These cookies provide our analytics systems with anonymous statistical data regarding unique page views, navigation routes, and element interaction times. They allow us to spot broken links and technical slowdowns. These cookies are completely deactivated by default and are only initialized if you grant active consent.
-
System Preference & Functionality Cookies: These elements remember your language settings, contrast selections, and forms history to prevent repetitive data typing during subsequent site visits.
10.2 Consent Architecture & Browser Settings
Upon your initial visit to www.emanhealth.co.uk, an integrated cookie consent banner will actively request that you confirm your preferences for non-essential cookies. You can accept, decline, or dynamically filter your analytics permissions.
You can also block, clear, or audit cookies manually at any time through your local web browser settings (Chrome, Safari, Edge, Firefox). Please note that completely blocking all functionality cookies may degrade the interactive elements of our digital scheduling forms.
10.3 Third-Party Web Framework Disclosures
Our website infrastructure is built upon the Wix platform engine. Wix deploys persistent and session-based technical cookies across your browser device to ensure site rendering speed, track server loading thresholds, and lock active transactional gateways. For an exhaustive itemized layout of the background cookies managed by our parent web engine, please review the official Wix Cookie Policy directly.
11. Final Acknowledgement & Digital Agreement
By interacting with the digital booking engines of Eman Health, completing our online medical questionnaires, or entering into a clinical service space managed by KRAO Services Ltd, you formally acknowledge that you have read, understood, and accept the collection, processing, cloud storage, and secure transmission protocols of your personal and special category health information as detailed throughout this Privacy Policy.
​
End of Document