Privacy Policy

Nuffield Health is committed to protecting and respecting your privacy.

Nuffield Health understands that your personal data is entrusted to us and appreciates the importance of protecting and respecting your privacy. To this end we comply fully with the data protection law in force in the UK including UK GDPR and the Data Protection Act 2018 (“Data Protection Laws”) and with all applicable clinical confidentiality guidelines including those published from time to time by the General Medical Council (GMC) and the Nursing and Midwifery Council (NMC).

This Privacy Policy sets out the basis on which we collect and process personal data about you including our practices regarding the collection, use, storage and disclosure of personal data that we collect from you and/or hold about you, and your rights in relation to that data.

This Privacy Policy applies to anyone who receives services at or from Nuffield Health so please read the Privacy Policy carefully to understand how we process your personal data. By providing your personal data to us or by using our services, website or other online or digital platform(s) you are accepting or agreeing to the practices as described or referred to in this Privacy Policy.

View a summary of the Privacy Policy aimed at those aged 13 to 19 years here.

About us

For the purpose of Data Protection Laws, the data controller is Nuffield Health, with registered address at: Epsom Gateway, Ashley Avenue, Epsom, Surrey, KT18 5AL, a Registered Charity Number: 205533 (England & Wales), a Charity Registered in Scotland Number: SC041793 and a Company Limited by Guarantee Registered in England Number: 576970.

When we refer to ‘we’, ‘us’ and ‘our’, we mean Nuffield Health.

During these unprecedented times, Nuffield Health’s main priority is the health and safety of our patients, colleagues and the wider community as well as supporting the NHS in responding to the COVID-19 pandemic. Our support of the NHS in responding to the pandemic will remain our focus for the foreseeable future.

As a result of these unique circumstances, we may need to share your personal data with the NHS and other regulatory and government bodies. Each of our hospitals is working in collaboration with their local NHS trusts to ensure we can provide the right help, exactly where and when it is needed and this may involve personal data being shared between us and the relevant local NHS trusts. This will be done in accordance with Data Protection Laws and any amendments to applicable legislation made by the Secretary of State. We will also consider any guidance provided by the Information Commissioner’s Office.

When the NHS and its healthcare professionals provide your healthcare services at a Nuffield Health hospital, the privacy notice of the relevant NHS trust may also apply. Please consult the applicable NHS trust's privacy notice or policy.

The basis on which Nuffield Health will process your data is set out in the section below.

Using your personal data and the legal basis for processing during the COVID-19 pandemic
Nuffield Health will rely on UK GDPR Article 6 (1) (b) and Article 9 (2) (h) for the processing of your data. In addition, Nuffield Health will rely one or more of the following basis when sharing personal data as part of our support work with the NHS during the COVID-19 pandemic:

  • Contract: using your personal data is necessary to provide your care and related services and to fulfil our contract with you for the delivery of your care (Article 6 (1) (b)
  • Legal obligation: the processing is necessary for compliance with a legal obligation Article 6 (1)(c)*
  • Vital interests: the processing is necessary to protect someone’s life. Article 6 (1)(d)
  • Public interest: the processing is necessary to perform a task in the public interest. Article 6 (1)(e)
  • Legitimate interests: the processing is necessary for an organisation’s legitimate interests or the legitimate interests of a third party Article 6 (1)(f)

When processing special category data (as detailed in the 'What personal data may we collect from you' section) for the purposes of;

  • Employment, social security and social protection Article 9 (2)(b)
  • Vital interests of the Data Subject Article 9 (2)(c)
  • Substantial public interest Article 9 (2)(g)
  • Provision of health or social care Article 9 (2)(h)
  • Public interest in the area of public health such as protecting against serious cross border threats to health Article 9 (2)(i)

* This includes the Notice by Secretary of State under Reg 3(4) of Health Service Control of Patient Information Regulations issued 1st April 2020 allowing healthcare providers to share personal data and any other such notice that may be issued to support efforts against COVID-19.

Sharing personal information
During the COVID-19 pandemic your personal data may also be shared for the following purposes:

  • Understanding COVID-19 trends and risks to public health and controlling and preventing the spread of COVID-19
  • Identifying and understanding information about patients or potential patients with or at risk of COVID-19 including patient exposure to COVID-19
  • Management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19
  • Understanding capacity and availability information about patient access to health services and adult social care services
  • Monitoring and managing the response to COVID-19 by health and social care bodies and the Government including providing information (including workforce details) to the public about COVID-19
  • Delivering services to patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19
  • Research and planning in relation to COVID-19

Data Subject Rights
Due to the current circumstances, if you submit or need to discuss a Subject Access Request (‘SAR’) or other Data Subjects Rights request, wherever possible please contact us via email at:

Data Security
We assure you that all necessary steps will continue to be taken to maintain the security of your personal information and our focus will be to prioritise information flows, to ensure ongoing safe and effective care during these unprecedented times.

Changes to this Privacy Policy
We will regularly review this Privacy Policy and its applicability throughout the COVID-19 outbreak. We reserve the right to update this Privacy Policy at any time, and we will provide you with a new Privacy Policy if and when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

When we refer to personal data in this policy, we mean information that can or has the potential to identify you as an individual.

Accordingly, we may hold and use personal data about you as a customer, a patient or in any other capacity, for example, when you visit one of our websites, complete a form, access our services or speak to us.

Personal data we collect from you may include the following:

  • information that you give us when you enquire or become a customer or patient of us or apply for a job with us including name, address, contact details (including email address and phone number)
  • the name and contact details (including phone number) of your next of kin
  • details of referrals, quotes and other contact and correspondence we may have had with you
  • details of services and/or treatment you have received from us or which have been received from a third party and referred on to us
  • information obtained from customer surveys, promotions and competitions that you have entered or taken part in
  • recordings of calls we receive or make
  • notes and reports about your health and any treatment and care you have received and/or need, including about clinic and hospital visits and medicines administered
  • where you are a gym member, details of your attendance at a Nuffield Health gym
  • patient feedback and treatment outcome information you provide
  • information about complaints and incidents
  • information you give us when you make a payment to us, such as financial or credit card information
  • other information received from other sources, including from your use of websites and other digital platforms we operate or the other services we provide, information from business partners, advertising networks, analytics providers, or information provided by other companies who have obtained your permission to share information about you. See section below on Cookies.

Where you have named someone as your next of kin and provided us with personal data about that individual, it is your responsibility to ensure that that individual is aware of and accepts the terms of this Privacy Policy.

Where you use any of our websites, we may automatically collect personal data about you including:

  • Technical information, including the Internet protocol (IP) address used to connect your computer to the Internet, browser type and version, time zone setting, browser plug-in types and versions, operating system and platform,
  • Information about your visit, including the full Uniform Resource Locators (URL), clickstream to, through and from our site (including date and time), products you viewed or searched for, page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), methods used to browse away from the page.

The data that we request from you may include special category data. This includes information that relates to the following:

  • racial or ethnic origin, or
  • religious or philosophical beliefs, or
  • genetic data, biometric data for the purpose of uniquely identifying a natural person, or
  • data concerning a natural person's sex life, gender or sexual orientation, or
  • details of your current or former physical or mental health. This may include personal data about any services you have received (both from us directly and other healthcare providers such as GPs, dentists or hospitals (private and/or NHS)) or need, including about clinic and hospital visits and medicines administered. This may also include details of previous healthcare services you have received from other healthcare providers including circumstances where medical negligence is alleged, or being investigated, against that third party provider. Further details are provided below on the way we handle such personal data

Other people’s personal data
If you provide us with another person’s personal data you must inform that person about the contents of this Privacy Policy.

Changes to your personal data
If you change any of your personal data which we already hold about you please make sure you notify us quickly so that we can update our systems to reflect the changes although our systems will also continue to hold the originally recorded personal data.

Deleting your Nuffield Health account and data
Please send your account deletion request to Your account will be disabled within 30 days.

We may collect personal data about you if you:

  • visit one of our websites
  • enquire about any of our services or treatments
  • register to be a customer or patient with us or book to receive any of our services or treatments
  • fill in a form or survey for us
  • carry out a transaction on our website
  • participate in a competition or promotion or other marketing activity
  • make online payments
  • contact us, for example by email, telephone or social media
  • participate in interactive features on any of our websites
  • use our Digital Wellbeing Platform portal
  • attend a Nuffield Health gym.

In the interests of training and continually improving our services, calls to Nuffield Health and its agents may be monitored or recorded. Private calls to and from patients in our hospitals are not recorded.

We may collect personal data about you from third parties such as:

  • If you are an employee of one of our corporate clients who has taken up one of our services, we may be passed your name, contact number and email address, in order to get in touch with you to inform you of your eligibilty for our services, to arrange an appointment or collect further information from you;
  • We have a number of independent third parties acting on our behalf who may collect personal data from you to allow us to carry out the services we offer e.g. an independent physiotherapist may carry out your initial Triage call or a subsequent consultation and collect personal data from you which is subsequently shared with Nuffield Health for the continuity of your care and may be used for quality and monitoring purposes;
  • Your work/business contact information e.g. name, job title, address, email, contact number, which may have been collected from agencies, partner organisations or other third parties, for the purpose of business to business marketing activity, to allow Nuffield Health to provide you with direct marketing communication about relevant products or services to you in your professional capacity or your organisation;
  • We carry out work on behalf of the NHS and for the continuity of your care we may be passed medical information usually in the form of a referral for the purposes of your treatment with Nuffield Health or a third-party consultant;
  • Nuffield Health use the services of independent consultants who carry out procedures at our Hospitals. Consultants may need to share your personal data and medical records with Nuffield Health;

Insurance providers will pass Nuffield Health personal data of patients who have commenced a claim and require medical treatment with Nuffield Health. This will normally be in the form of a referral and may consist of basic details e.g full name, date of birth, address, contact number and email address and the type of procedure/treatment they require.

Social media platforms such as Facebook, Instagram, TikTok, Snapchat and Twitter make certain information indirectly available to us as administrators of our fan pages, and as users of paid advertising. Whilst we are not able to see individual’s personal data, we can ask the social media platforms to use the personal data they hold to target our advertising campaigns at specific demographics of people – for instance based on the town in which they live, their age or their occupation.

Your personal data will be kept confidential and secure and will only be used for the purpose(s) for which it was collected and in accordance with this Privacy Policy, applicable Data Protection Laws, clinical records retention periods and clinical confidentiality guidelines.

Set out below are some of the ways in which we process personal data although to do so lawfully we need to have a legal ground for doing so. We normally process personal data if it is:

  • necessary to provide you with our services - to enable us to carry out our obligations to you arising from any contract entered into between us and you including relating to the provision by us of services or treatments to you and related matter such as billing, accounting and audit, credit or other payment card verification and anti-fraud screening
  • in our or a third party's legitimate interests to do so - see details below. For further information about direct marketing to businesses and legitimate interest, please see the ‘Marketing’ section below
  • required or allowed by any applicable law or legal obligation or as necessary in the public interest of for the protection of a person’s vital interest
  • with your explicit consent for example: direct consumer marketing communications.

Generally, we will only ask for your consent to processing if there is no other legal grounds to process. In these circumstances, we will always aim to be clear and transparent about why we need your consent and what we are asking it for. Where we are relying on consent to process personal data you have the right to withdraw your consent at any time by contacting us using the details below and we will stop the processing for which consent was obtained.

To process special category data (as detailed in the 'What personal data we may collect from you' section) we rely on additional legal grounds and generally, they are as follows:

  • With your explicit consent
  • It is necessary for the purposes of preventive or occupational medicine, to assess whether you are able to work, medical diagnosis, to provide health or social care treatment, or to manage health or social care systems and services. This may also include monitoring whether the quality of our services or treatment is meeting expectations
  • It is necessary to establish, make or defend legal claims or court action
  • It is necessary so that we can comply with employment law
  • It is necessary for a public interest purpose in line with any applicable law or legal obligation. This should assist in protecting the public against dishonesty, malpractice or other seriously improper behaviour for example, investigating complaints, clinical concerns, regulatory breaches or investigations e.g the Care Quality Commission or GMC or ICO. It may also include assisting governmental bodies in controlling public health issues e.g. COVID19.

Processing of personal data which you have made public:
As stated above, one of the legal grounds for processing data is where it is in our legitimate interest to do so, taking into account your interests, rights, and freedoms. This allows us to manage the relationship that exists between you and us and can include the following reasons:

  • provide you with information, products or services that you request from us
  • managing all aspects of our relationship with you, our products and services and any third parties who may provide products or services on our behalf
  • allow you to participate in interactive features of our services, when you choose to do so
  • notify you about changes to our products or services
  • keep our records up to date
  • respond to requests where we have a legal or regulatory obligation to do so
  • check the accuracy of information about you and the quality of your treatment or care, including auditing medical and billing information for insurance claims as well as part of any claims or litigation process
  • support your doctor, nurse or other healthcare professional
  • assess the quality and/or type of care you have received (including giving you the opportunity to complete customer satisfaction surveys) and any concerns or complaints you may raise, so that these can be properly investigated
  • to conduct and analyse market research
  • to ensure that content from any of our websites is presented in the most effective manner for you and for your computer
  • to allow us to enforce our website terms of use, our policy terms and conditions or other contracts, or to protect our or other's rights, property or safety
  • to share your personal information with people or organisations in order to run our business or comply with any legal and/or regulatory obligations including to defend ourselves from claims, exercise our rights and adhere to laws and regulations that apply to us and the third parties we work with
  • to take part in, or be the subject of, any sale, purchase, merger or takeover of all or part our business
  • to administer your account on our Digital Wellbeing Platform and allow you to login into it, if you have one
  • to personalise the marketing emails we send you, where you have consented to us doing so
  • to target our advertising on social networks at users of those platforms that meet certain criteria
  • to administer your membership to a Nuffield Health service
  • to monitor your usage of our gyms.

We protect all personal data we hold about you by ensuring that we have appropriate organisational and technical security measures in place to prevent unauthorised access or unlawful processing of personal data and to prevent personal data being lost, destroyed or damaged. We conduct assessments to ensure the ongoing security of our information systems. Any personal data you provide will be held for as long as is necessary having regard to the purpose for which it was collected and in accordance with all applicable UK laws.

Personal data that we collect from you may be transferred to, and stored at, a destination outside of the UK. This includes transfers to the European Economic Area ("EEA"), as well as transfers to staff operating outside the EEA who work for us or for one of our suppliers. Where we transfer your personal data outside of the UK, we will ensure that there are adequate protections in place for your rights, in accordance with Data Protection Laws. By submitting your personal data, and in providing any personal data to us, you understand the basis for this transfer, storing or processing. We will take all steps reasonably necessary to ensure that your information is treated securely and in accordance with this Privacy Policy.

All information you provide to us is stored securely. Any payment transactions on our website will be processed securely by third party payment processors. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our website, you are responsible for keeping that password confidential. We ask you not to share a password with anyone.

The transmission of information via the internet cannot be guaranteed as completely secure. However, we ensure that any information transferred to our websites is via an encrypted connection. Once we have received your information, we will use strict procedures and security features to minimise the risk of unauthorised access.

At your request, we may occasionally transfer personal information to you via email, or you may choose to transfer information to us via email. Email is not always a secure method of information transmission; if you choose to send or receive such information via email, you do so understanding the risks associated with doing so.

Unless we explain otherwise to you, we will retain your personal data on the basis of the following guidelines:

  • for as long as we have a reasonable business need, such as managing our relationship with you and managing our business
  • for as long as we provide services and/or treatment to you and then for as long as someone could bring a claim against us; and/or
  • in line with legal and regulatory requirements or guidance.

Please see the section ‘Your Rights Under Data Protection Laws’ for details on how to exercise your data protection rights, including the right to be forgotten.

In the usual course of our business we may disclose your personal data (which will be limited to the extent reasonably necessary) to certain third party organisations that we use to support the delivery of our services. This may include the following:

  • business partners, suppliers and sub-contractors for the performance of any contract we enter into with you,
  • organisations providing IT systems support and hosting in relation to the IT systems on which your information is stored,
  • third party debt collectors for the purposes of debt collection,
  • delivery companies for the purposes of transportation,
  • third party service providers for the purposes of storage of information and confidential destruction, third party marketing companies for the purpose of sending marketing emails, subject to having an appropriate lawful basis for such processing.

Where a third-party data processor is used, we ensure that they operate under contractual restrictions with regard to confidentiality and security, in addition to their obligations under Data Protection Laws.

We may also disclose your personal data to third parties in the event that we sell or buy any business or assets or where we are required by law to do so.

Special category data (including information relating to your health) will only be disclosed to third parties in accordance with this Privacy Policy. That includes third parties involved with your treatment or care, or in accordance with UK laws and guidelines of appropriate professional bodies. Where applicable, it may be disclosed to any person or organisation who may be responsible for meeting your treatment expenses or their agents. It may also be provided to external service providers and regulatory bodies (unless you object) for the purpose of clinical audit to ensure the highest standards of care and record keeping are maintained.

Medical professionals working with us: We share clinical information about you with our medical professionals as we consider necessary for your treatment and care. Medical professionals working with us might be our employees, or they might be independent consultants in private practice. In the case of independent consultants, the consultant is the data controller of your personal data, either alone or jointly with us and will be required to maintain their own records in accordance with Data Protection Laws and applicable clinical confidentiality guidelines and retention periods. During your treatment pathway, Nuffield Health is required to create and maintain a single patient record, including a complete and accurate record of the care and treatment provided, for each of our patients. However, in certain circumstances a consultant may also create and maintain their own records. Where that is the case, we may refer you to that consultant to respond to and act on any requests from you to exercise your rights over your data, under Data Protection Laws. Our contracts with independent consultants require them to cooperate with those requests. In all circumstances, those consultants will only process your personal data for the purposes set out in this Privacy Policy or as otherwise notified to you.

External practitioners: If we refer you externally for treatment, we will share with the person or organisation that we refer you to, the clinical and administrative information we consider necessary for that referral. It will always be clear when we do this.

Your GP: If the practitioners treating you believe it to be clinically advisable, we may also share information about your treatment with your GP. You can ask us not to do this, in which case we will respect that request if we are legally permitted to do so, but you should be aware that it can be potentially very dangerous and/or detrimental to your health to deny your GP full information about your medical history, and we strongly advise against it.

Your insurer: We share with your medical insurer information about your treatment, its clinical necessity and its cost, only if they are paying for all or part of your treatment with us. We provide only the information to which they are entitled. If you raise a complaint or a claim we may be required to share personal data with your medical insurer for the purposes of investigating any complaint/claim.

The NHS: If you are referred to us for treatment by the NHS, we will share the details of your treatment with the part of the NHS that referred you to us, as necessary to perform, process and report back on that treatment.

Medical regulators: We may be requested – and in some cases can be required - to share certain information (including personal data and special category data) about you and your care with medical regulators who inspect our clinical facilities and standards. For example, if you make a complaint, or if the conduct of a medical professional involved in your treatment is alleged to have fallen below the appropriate standards, a regulatory body may wish to investigate. Regulatory bodies may include the Care Quality Commission, Health Improvement Scotland, Health Inspectorate Wales, the Regulation and Quality Improvement Authority for Northern Ireland, the Human Fertilisation and Embryology Authority (HEFA), the General Medical Council or the Nursing and Midwifery Council. Where access to personal data is granted, we always ensure that we do so within the framework of the law and with due respect for your privacy.

From time to time we may also make information available on the basis of necessity for the provision of healthcare, but subject always to patient confidentiality.

In an emergency and if you are incapacitated, we may also process your personal data (including special category data) or make personal data available to third parties on the basis of protecting your ‘vital interest’ (i.e. your life or your health).

We will use your personal data in order to monitor the outcome of your treatment by us and any treatment associated with your care, including any NHS treatment.

We participate in national audits and initiatives to help ensure that patients are getting the best possible outcomes from their treatment and care. The highest standards of confidentiality will be applied to your personal data in accordance with Data Protection Laws and confidentiality. Any publishing of this data will be in anonymised (i.e. no personal data included), statistical form. Anonymous or aggregated data may be used by us, or disclosed to others, for research or statistical purposes.

In the interest in providing comparable clinical outcome and performance data to the public across independent sector providers in healthcare, we – like all independent hospital operators – are required by law to provide activity data, including some personal data, as set out in more detail below, for publication by The Private Healthcare Information Network (PHIN).

PHIN is responsible for collecting, processing and publishing information on the quality and cost of privately-funded healthcare in the UK. The publication of this information is intended to:

  • provide GPs with reliable information to inform their decisions about which providers to choose
  • help future patients make informed choices about where to seek treatment
  • enable providers of care (hospitals and consultant clinicians) to improve the quality and safety of their services by better understanding their performance by comparison with other providers
  • to support regulator information to help identify any causes of concern
  • enabling them to target inspections and help ensure safer care for patients.

Providers must provide PHIN with details of each episode of care, including a summary of each record of treatment including; the dates when each patient was in hospital, what treatment was carried out and by whom.

Providers are also required to provide: patient satisfaction survey data, Patient Reported Outcome Measures (PROMS) – patient reported health improvements following treatment and details of any adverse events relating to the patients treated.

Certain personal data will be provided to PHIN, including patients postcode of residence. PHIN securely submits such data and records to information authorities such as:

  • for England, NHS digital;
  • for Wales, the NHS Wales Informatics Service;
  • for Scotland, the Information and Statistics Division;
  • for Northern Ireland, the Health and Social Care Board; and
  • for UK-wide mortality data, the Office of National Statistics.

PHIN will only disclose records of care and personal data to the non-departmental bodies/authorities identified above, as required by law or where there is an overriding public interest, and /or to investigate or prevent fraud. Data Protection Laws give all individuals the right to make a ‘Subject Access Request’ to obtain a copy of any information that any organisation holds about them (as set out in more detail below). As PHIN cannot identify individuals from the data it holds, applicants would need to provide further proof of identity in order for them to determine whether it is possible to access any information held. Further information about how PHIN uses information, including its Privacy Notice, is available at:

The national data opt-out is an NHS Digital service which allows an NHS patient to opt out of their confidential patient information being used for research and planning in certain specific circumstances.

Further information on the National Data Opt-Out programme can be found here:

Certain information which you submit may also be collected to enable us to better understand our customers, to improve our website, to inform general marketing and to help provide a better experience of our services. We may use cookies to do this.

We may also use other companies to set cookies on our websites and gather cookie information for us – please refer to the information detailed below. From time to time we may also analyse Internet Protocol (IP) addresses or other anonymous data sources.

Our websites use cookies to distinguish you from other users of our websites. This helps us to provide you with a good experience when you browse our websites and also allows us to improve our websites.

By law, website operators are required to ask for a website user’s permission when placing certain kinds of cookie on their devices for the first time.

Where consent is required, the law states that it should be “informed consent”, which means we must ensure that you understand what cookies are and why we want to use them. We are committed to providing the best digital service to you whilst at the same time fully protecting your privacy. For further information on our cookies policy and how we use cookies through use of all our online services, please see below.

What are Cookies?
Cookies are text files containing small amounts of information which are downloaded to your device when you visit a website. Cookies are then sent back to the originating website on each subsequent visit, or to another website that recognises that cookie. Cookies are useful because they allow a website to recognise a user’s device.

Cookies do lots of different jobs, like letting you navigate between pages efficiently, remembering your preferences, and generally improving your user experience. They can also help to ensure that adverts you see online are more relevant to you and your interests.

Necessary Cookies
These cookies are essential in order to enable you to move around our websites and use its features, such as accessing secure areas of the websites. Without these cookies, services you have asked for cannot be provided.

Your consent is not required for the delivery of those cookies which are strictly necessary to provide services requested by you.

We use these types of cookies.

Analytics Cookies
These cookies collect information about how visitors use a website, for instance which pages visitors go to most often, and if they get error messages from web pages. These cookies don’t collect information that identifies a visitor. All the information these cookies collect is aggregated and therefore anonymous. It is only used to improve how a website works. Web analytics that use cookies to gather data to enhance the performance of a website fall into this category. For example, they may be used for testing designs and ensuring a consistent look and feel is maintained for the user. This category does not include cookies used for behavioural/ targeted advertising networks.

We use these types of cookies, but you are able as a user to follow the link below and manage whether or not they are implemented on your device.

Experience Cookies
These cookies allow our websites to remember choices you make (such as your user name, language or the region you are in) and provide enhanced, more personal features. These cookies can also be used to remember changes you have made to text size, fonts and other parts of web pages that you can customise. They may also be used to provide services you have asked for such as watching a video. The information these cookies collect is generally anonymised and they cannot track your browsing activity on other websites.

We use these types of cookies, but you are able as a user to follow the link below and manage whether or not they are implemented on your device.

Advertising Cookies
These cookies are used to deliver adverts more relevant to you and your interests They are also used to limit the number of times you see an advertisement as well as help measure the effectiveness of the advertising campaign. They are usually placed by advertising networks with the website operator’s permission. They remember that you have visited a website and this information is shared with other organisations such as advertisers. Quite often targeting or advertising cookies will be linked to site functionality provided by the other organisation.

We use these types of cookies, but you are able as a user to follow the link below and manage whether or not they are implemented on your device.

Definitions used above are consistent with those supplied by the International Chamber of Commerce ‘ICC UK Cookie Guide’ April 2012.

Please note that third parties (including, for example, advertising networks and providers of external services like web traffic analysis services) may also use cookies, over which we have no control.

For more information on our position on the use of cookies, please contact us: Nuffield Health Digital Marketing Team, Nuffield Health, Epsom Gateway, Ashley Avenue, Epsom, Surrey, KT18 5AL

You block cookies by activating the setting on your browser that allows you to refuse the setting of all or some cookies. However, if you use your browser settings to block all cookies (including essential Category 1 Cookies) you may not be able to access all or parts of our websites. For information on how to delete cookies, please refer to:

Nuffield Health carries out two types of direct marketing: 1) Business to Consumer (B2C) which means, if you engage with Nuffield Health in your capacity as an individual i.e. you are a gym member or a patient, then we may process your personal data for marketing purposes but only if we have your prior consent to do so; and 2) Business to Business (B2B) which means, if you engage with Nuffield Health in your professional capacity e.g. if you represent a company with whom Nuffield Health has an existing or prospective business relationship, Nuffield Health may keep you up to date with services we offer/provide.

Whether you have received a B2C marketing communication or a B2B marketing communication you will have the right to ask us to stop sending you marketing communication. We would ask you to give us a reasonable amount of notice, to give us time to update our systems. While the precise timings vary by department we generally ask that you give us at least 30 days’ notice.

Business to Consumer (B2C)
If you have consented to our processing your personal data for marketing purposes, in accordance with this Privacy Policy, we may send you information (via mail, email, phone or SMS) about our products and services which we consider may be of interest to you. You have the right to opt out of receiving any further marketing communication at any time. You may also receive service communications from time to time which will not include an unsubscribe option as they are not considered marketing communication and will remain unaffected by your marketing preferences.

Business to Business (B2B)
B2B customers will have the right to opt out of receiving any further specific marketing communication at any time. Our marketing emails will include an unsubscribe option which you can select or, If you no longer wish to receive web based marketing information you can unsubscribe by emailing For non-web based marketing information please write to: Marketing Department, Nuffield Health, Epsom Gateway, Ashley Avenue, Epsom, Surrey, KT18 5AL. You may also receive service communications from time to time which will not include an unsubscribe option as they are not considered marketing communication and will remain unaffected by your marketing preferences.

Many of our premises are surveyed by CCTV for the purposes of security and ensuring the health and safety of our members, patients, staff and guests. Images and videos must be retained for 30 days in accordance with ICO guidelines.

The law gives you certain rights in respect of the personal data that we hold about you as well as information about what we do with it, who we share it with and how long we will hold it for. We may make a reasonable charge for additional copies of that data beyond the first copy, based on our administrative costs. The website of the Information Commissioner's Office ( has a wealth of useful information in respect of your rights in your personal data. In addition to your right to stop marketing, detailed above, below is a short overview of the most commonly-used rights.

  • Data Subject Access Request - With some exceptions designed to protect the rights of others you have the right to a copy of the personal data that we hold about you as well as information about what we do with it, who we share it with and how long we will hold it for. We may make a reasonable charge for additional copies of that data beyond the first copy, based on our administrative costs.
  • The Right of Erasure ('Right to be Forgotten') - the right to have your personal information erased where we have no reason to continue processing;
  • Data Portability - the right to move, copy or transfer personal information you have provided to us;
  • Rights in relation to automated decision making which has a legal effect or otherwise significantly affects you. Please note that by following the 'track my data's journey' link below you can find out whether the services you have used with Nuffield Health relies on automated decisions. If we have made a wholly automated decision (i.e with no human judgment at all) you have the right to request that someone views that decision
  • Right to Rectification - You have the right to have the personal data we hold about you corrected if it is factually inaccurate. It is important to understand that this right does not extend to matters of opinion, such as medical diagnoses. If any of your personal data has changed, especially contact information such as: email address, postal address and phone number please get in touch with your local Hospital, Health Clinic, Fitness and Wellbeing Gym as appropriate or the Nuffield Health Contact Centre on 03339 201350 so we can ensure your personal data is kept up to date.

If you want to exercise your rights in respect of your personal data, the best way to do so is to contact us by email on, or to write to us for the attention of the data protection officer at the address below. In order to protect your privacy, we may ask you to prove your identity before we take any steps in response to such a request.

Data Protection Officer, Nuffield Health, Epsom Gateway, Ashley Avenue, Epsom, Surrey, KT18 5AL

Please note that we do not hold or directly handle personal data that social media platforms use to target advertising towards you. If you would like to exercise one of your rights in respect of that personal data, please see the relevant social media platform’s privacy notice.

If you are not satisfied with how we handle your request, you can contact the Information Commissioner’s Office on 0303 123 1113 or visit their website

Your Data's Journey

We want to be as transparent as possible about how your personal data may be processed as this will vary depending on how you engage with Nuffield Health. As we have multiple fitness, health and wellbeing services your data’s journey through Nuffield Health can vary greatly. For more detailed information about how your data may be processed through each of our services, please follow the links below:

Changes to our Privacy Policy

We keep our Privacy Policy under regular review and as a result it may be amended from time to time without notice. We therefore encourage you to review this Privacy Policy regularly. This Privacy Policy was last updated in May 2022.


If you have any questions in relation to our privacy policy, please email us at or write to the Data Protection Officer at:

Nuffield Health
Epsom Gateway
Ashley Avenue
KT18 5AL