Privacy Policy

OH Specialists Hub

Privacy Policy

Version 2.0 · April 2026 · UK GDPR Compliant · ICO Registration ZC115930

1. Introduction

OH Specialists Hub (“we”, “us”, or “our”) is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our occupational health services, clinical platform, and AI-assisted tools.

This policy applies to all information collected through our services, including the OH Specialists Hub clinical platform at clinic.ohspecialistshub.co.uk, the OH Advisor AI assistant, our website at ohspecialistshub.co.uk, and any related services, communications, or events.

2. Data Controller and Data Protection Officer

Data Controller and Data Protection Officer:

Craig Page RGN.dipOH.

OH Specialists Hub

4 Houghton Road, Darlington, DL1 1SS

Email: dpa@ohspecialistshub.co.uk

ICO Registration: ZC115930 (registered 5 April 2026, expires 4 April 2027)

If you have any questions or concerns about this Privacy Policy or our data practices, please contact the Data Protection Officer using the details above.

3. Legal Basis for Processing

We process personal data under the following legal bases as defined by UK GDPR:

  • Consent — you have given clear consent for us to process your personal data for a specific purpose
  • Contract — processing is necessary to fulfil a contract with you or to take steps before entering into one
  • Legal obligation — processing is necessary to comply with a legal requirement
  • Legitimate interests — processing is necessary for our legitimate interests, where those interests are not overridden by your rights

For health data and other special category data, we rely on the following additional conditions under Article 9 UK GDPR:

  • Article 9(2)(b) — processing necessary for obligations in the field of employment, social security, and social protection
  • Article 9(2)(a) — explicit consent obtained directly from the individual prior to assessment (digitally recorded with timestamp and IP address)
  • Article 9(2)(f) — processing necessary for legal claims

4. Information We Collect

4.1 Clinical Platform — Employee / Patient Data

When an employer refers an employee for occupational health assessment, we collect:

  • Identity data: full name, date of birth, gender
  • Contact data: address, email address, telephone number
  • Employment data: employer name, job title, role description, hours per week, contract type
  • Health data (Special Category — Article 9): medical history, health questionnaire responses, clinical notes, OH assessment findings, fitness-for-work outcomes, recommendations, and pre-employment health screening results
  • Consent records: digital consent timestamp, IP address, unique consent token, declarations
  • Technical data: IP address, browser type, access timestamps for audit logging

4.2 Manager / HR Portal Data

When an employer organisation registers and uses the platform, we collect:

  • Account data: name, email address, company name, job title
  • Organisation profile: sector, headcount, website, telephone
  • DPA acceptance: digital signature timestamp, IP address, signatory name and company
  • Referral data: employee referral information submitted by the manager
  • Payment data: processed via Stripe — we store a Stripe customer ID only; no card data is held on our servers

4.3 OH Advisor AI Assistant

The OH Advisor is an AI-powered occupational health advisory tool available in two tiers within the platform:

OH Advisor HR (Manager-facing):

Processes anonymised occupational health and HR queries entered by managers. Users should not enter employee names, dates of birth, or other personal identifiers. Queries are processed via the Anthropic API (see Section 6). No query content is stored on our servers beyond the active session.

OH Advisor Pro (Clinician-facing):

Used by the treating clinician to assist with OH report drafting. This tier processes Special Category health data (Article 9 UK GDPR) including clinical notes, assessment findings, and medical history, solely for the purpose of generating occupational health report content. Processing is carried out under Article 9(2)(b) — occupational health purposes — and Article 9(2)(a) — explicit employee consent obtained prior to assessment. Data is transmitted to the Anthropic API over TLS 1.3 and is not used to train AI models under our data processing agreement with Anthropic.

5. How We Use Your Information

We use your personal information for the following purposes:

  • Delivering occupational health services: conducting health assessments, producing OH management reports, pre-employment medical screening, and fitness-for-work advice
  • Service administration: managing appointments, diary scheduling, consent management, and secure communications
  • AI-assisted report drafting: OH Advisor Pro assists the treating clinician in drafting OH reports — clinical judgement remains with the clinician at all times
  • Payment processing: collecting and processing service fees via Stripe
  • Legal and regulatory compliance: meeting obligations under UK GDPR, the Data Protection Act 2018, and applicable employment and health legislation
  • Security and audit: maintaining access logs with timestamp, user ID, and IP address for every clinical data access event
  • Platform improvement: anonymous, aggregated statistical analysis only — no identifiable health data used

We will only use your health data for the purposes of providing occupational health services and will not share it without your explicit consent, except where required by law.

6. Third-Party Data Processors and Sub-processors

We use the following sub-processors, each bound by data processing agreements with equivalent data protection obligations:

  • DigitalOcean LLC (United Kingdom, LON1 — London): UK cloud infrastructure hosting all platform data, clinical notes, and OH reports. All data remains on UK servers — no cross-border transfer. Contractually bound to UK GDPR standards.
  • Brevo SA (France / EU): Transactional email delivery only. No clinical data, health information, or patient-identifiable content is included in any email. Standard Contractual Clauses (SCCs) under the UK International Data Transfer Agreement (IDTA).
  • Stripe, Inc. (UK / EEA): Payment processing for service fees only. No health or clinical data is shared with Stripe. PCI DSS Level 1 certified. UK Addendum to EU Standard Contractual Clauses.
  • Anthropic, PBC (United States): AI language model API used by OH Advisor Pro for report drafting assistance. Data transmitted over TLS 1.3. Anthropic does not use data submitted via API to train its models under our enterprise data processing agreement. UK IDTA / Standard Contractual Clauses in place.

We will notify you of any proposed changes to sub-processors before they take effect, giving you the opportunity to object.

We will never sell your personal information to any third party.

7. International Data Transfers

All clinical data, OH reports, and patient health information are stored exclusively on UK infrastructure (DigitalOcean LON1, London). No clinical or Special Category data is replicated outside the United Kingdom.

Where transactional data is processed by sub-processors outside the UK (Brevo, Anthropic), appropriate safeguards are in place including:

  • UK International Data Transfer Agreements (IDTA)
  • Standard Contractual Clauses approved by the UK authorities
  • Adequacy decisions where applicable

No Special Category health data is transferred outside the UK except where strictly necessary for OH Advisor Pro report drafting via the Anthropic API, under the safeguards described above.

8. Data Retention

We retain your personal information only for as long as necessary for the purposes set out in this Policy and to comply with our legal obligations:

  • Occupational health records, clinical notes, and OH reports: 8 years from date of assessment, in accordance with British Medical Association (BMA) guidance on occupational health record retention
  • Pre-employment health records: 8 years from date of assessment regardless of whether the candidate was subsequently employed
  • Health surveillance records: up to 40 years where required by occupational health regulation
  • Access audit logs: 8 years — may not be deleted early
  • DPA acceptance records: retained for the duration of the business relationship and 8 years thereafter
  • Payment records: as required by HMRC and financial regulation (typically 7 years)
  • OH Advisor session queries: not stored beyond the active session

After the retention period expires, data is securely deleted or anonymised.

9. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

  • Right of access (Art. 15): request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): request deletion of your data — assessed against the 8-year legal retention obligation for clinical records
  • Right to restriction (Art. 18): request that we limit how we process your data
  • Right to data portability (Art. 20): request transfer of your data to another provider
  • Right to object (Art. 21): object to processing based on legitimate interests
  • Rights related to automated decision-making (Art. 22): the right not to be subject to solely automated decisions with significant effects

To exercise any of these rights, contact the Data Protection Officer at dpa@ohspecialistshub.co.uk.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO):

Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Tel: 0303 123 1113 · Website: ico.org.uk

10. Security of Your Information

We implement the following technical and organisational security measures to protect your personal information:

  • Encryption at rest: AES-256-GCM applied to all clinical notes, OH reports, and health questionnaire data before database storage
  • Encryption in transit: TLS 1.3 enforced for all connections — no unencrypted HTTP connections permitted
  • Data location: all Personal Data stored exclusively on UK infrastructure (DigitalOcean LON1, London) — zero replication outside UK jurisdiction
  • Access control: role-based access control (RBAC) — clinicians access only data for their practice; managers see only their own employees’ data
  • Authentication: JWT-based with 24-hour token expiry; passwords hashed using bcrypt (cost factor 12)
  • Audit logging: every data access logged with timestamp, user ID, IP address, and action type — retained 8 years
  • Database security: PostgreSQL 16 in an isolated Docker container with no direct external access
  • AI data handling: queries to the Anthropic API transmitted over TLS 1.3; no clinical data cached or stored beyond the request lifecycle

No method of electronic transmission or storage is 100% secure. While we take all reasonable measures, we cannot guarantee absolute security.

11. OH Advisor AI — Specific Notice

The OH Advisor is an AI-powered assistant built on the Anthropic Claude API. The following specific provisions apply to its use:

11.1 OH Advisor HR (Manager-facing)

  • Processes anonymised occupational health and HR queries only
  • Users must not enter employee names, dates of birth, NI numbers, or other personal identifiers
  • No query content is stored on OH Specialists Hub servers beyond the active session
  • Queries are processed by Anthropic via API — see Section 6 for safeguards
  • AI responses are informational only and do not constitute clinical advice or a clinical opinion

11.2 OH Advisor Pro (Clinician-facing)

  • Used exclusively by the treating clinician for OH report drafting assistance
  • Processes Special Category health data under Article 9(2)(b) and Article 9(2)(a) UK GDPR
  • Employee consent for AI-assisted report drafting is captured as part of the standard clinical consent process
  • Clinical judgement, accuracy, and professional responsibility for all report content remains with the treating clinician
  • Data sent to Anthropic API is not used for model training under our data processing agreement
  • All AI-assisted reports are reviewed and approved by the treating clinician before release to the employer

12. Children’s Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16 without verified parental or guardian consent. Where a pre-employment medical is conducted for an individual aged 16 or 17, additional consent safeguards apply.

13. Cookies and Tracking Technologies

The OH Specialists Hub clinical platform (clinic.ohspecialistshub.co.uk) uses session-based authentication tokens only. No advertising cookies or third-party tracking technologies are used within the clinical platform.

The marketing website (ohspecialistshub.co.uk) may use cookies for analytics and functionality. You can control cookie settings through your browser preferences. See our Cookie Policy on the marketing website for full details.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify registered users of any material changes by email and by posting the updated Policy within the platform.

The “Last Updated” date at the top of this Policy indicates when it was most recently revised. We encourage you to review this Policy periodically.

15. Contact Us

For any questions, concerns, or requests regarding this Privacy Policy or our data practices:

Data Protection Officer: Craig Page RGN.dipOH.

OH Specialists Hub

4 Houghton Road, Darlington, DL1 1SS

Email: dpa@ohspecialistshub.co.uk

ICO Registration: ZC115930

By using our services, you acknowledge that you have read and understood this Privacy Policy.

Version 2.0 · April 2026 · OH Specialists Hub · UK GDPR Article 9 Compliant

Acknowledgment: By using our services, you acknowledge that you have read and understood this Privacy Policy.