Privacy & Data Protection
We take privacy and data protection extremely seriously.
At Spinach, we understand that trust forms the foundation of every healthcare relationship. Whether you're a startup developing innovative solutions or a healthcare provider caring for patients, the data you entrust to us carries enormous responsibility. We take this responsibility seriously, implementing robust security measures and transparent practices that protect the privacy and confidentiality of all users.
Our Commitment to Data Protection
Healthcare data is among the most sensitive categories of information any organisation handles, and data concerning health is treated as special category data under UK and EU data protection law. We recognise that patient data, clinical insights, and operational information require the highest levels of protection. Our approach to data security reflects this understanding, with comprehensive safeguards designed to protect every interaction within our platform.
We believe transparency builds trust. This policy outlines exactly how we collect, use, store, and protect your data, ensuring you have complete visibility into our practices and your rights regarding personal information.
Data We Collect
Contact Information
When you contact us through our website or enquiry forms, we collect basic information including your name, email address, professional credentials, and organisational affiliation. This information helps us understand your requirements and respond appropriately to your enquiries.
Website Usage Data
We collect information about how you interact with our website, including pages visited, time spent reviewing different sections, and general browsing patterns. This data helps us improve our content and identify areas where we can better communicate our services.
Consultancy Project Data
When you engage us for consultancy services, we may collect and process clinical workflows, operational metrics, patient journey data, and other healthcare-specific information as required to deliver our services. This data is processed strictly according to project-specific agreements and requirements.
Communication Data
When you contact our support team or participate in training sessions, we may retain communication records so that we can provide consistent, high-quality support and track the resolution of any issues.
How We Use Your Data
Service Delivery
Your data enables us to provide personalised, effective consultancy solutions that address your specific healthcare challenges. Whether you're seeking guidance on streamlining patient pathways or developing new clinical protocols, we use your information to deliver the services you've contracted and for the related purposes set out in this section.
Website and Service Improvement
Aggregated, anonymised usage data helps us understand how our website and services perform in real-world healthcare environments. These insights guide our service development, ensuring our consultancy offerings continue to meet the evolving needs of the healthcare sector.
Support and Training
We use your information to provide ongoing support and guidance that helps you maximise the value of our consultancy services. This includes follow-up assistance and best practice recommendations tailored to your specific requirements.
Compliance and Legal Requirements
When legally required, we may process data to comply with regulatory obligations, respond to legitimate legal requests, or protect the rights and safety of our users and the broader community.
Data Security Measures
Technical Safeguards
We employ industry-standard security controls to protect your data. Our infrastructure includes encryption at rest and in transit, secure authentication protocols, and regular security monitoring. Access controls ensure that only authorised personnel can access specific data sets, and all access is logged and audited.
Operational Security
Our team follows strict security protocols, including regular training on data protection best practices, background checks for personnel with data access, and clear procedures for incident response. We maintain detailed security policies that are regularly reviewed and updated to reflect current best practices.
Infrastructure Security
Our consultancy services operate on secure, regularly audited infrastructure with multiple layers of protection. We implement appropriate safeguards to ensure data confidentiality whilst maintaining the flexibility required for diverse client projects.
Regulatory Compliance
GDPR Compliance
As a company serving European clients, we adhere to the General Data Protection Regulation (GDPR). This includes implementing appropriate technical and organisational measures, respecting individual rights, and maintaining records of our data processing activities.
UK Data Protection Standards
We comply with UK data protection law, including the UK GDPR and the Data Protection Act 2018, and follow guidance from the Information Commissioner's Office (ICO). Our practices align with UK-specific requirements whilst maintaining compatibility with international standards.
Healthcare-Specific Regulations
We understand the additional confidentiality and privacy requirements that apply to healthcare data and ensure our practices meet these elevated standards. Our approach reflects the sensitive nature of health information and the trust placed in healthcare organisations.
Your Data Rights
Access and Portability
You have the right to access your personal data and, where technically feasible, receive it in a portable format. We provide clear mechanisms for exercising these rights whilst maintaining appropriate security measures.
Correction and Deletion
If your personal information is inaccurate or you wish to delete your data, we provide straightforward processes for making these changes. We balance these rights with our legitimate business needs and any legal retention requirements.
Processing Restrictions
You can request restrictions on how we process your data in certain circumstances. We'll work with you to accommodate these requests whilst ensuring we can continue providing essential services.
Objection Rights
Where we process data based on legitimate interests, you have the right to object. We'll carefully consider your objections and cease processing unless we have compelling legitimate grounds that override your interests.
Data Sharing and Third Parties
We do not sell your personal data to third parties. Any data sharing occurs only in specific, controlled circumstances:
Service Providers
We work with carefully selected third-party service providers who help us deliver our platform. These providers are contractually bound to protect your data and can only use it for the specific services they provide to us.
Legal Requirements
We may share data when required by law, such as responding to court orders or regulatory investigations. We'll notify you of such requests where legally permitted.
Business Transfers
In the unlikely event of a merger, acquisition, or sale of assets, your data protection rights would be preserved under any new ownership.
Data Retention
We retain your data only as long as necessary to provide our services and meet our legal obligations. Contact information from website enquiries is typically retained whilst we're actively engaged in discussions and for a reasonable period afterwards to accommodate potential future collaborations.
Project-specific data is retained according to individual client agreements and any applicable regulatory guidelines. We work with each client to establish appropriate retention periods that balance operational needs with privacy principles.
International Data Transfers
When we transfer data outside the UK or European Economic Area, we rely on a recognised transfer mechanism such as an adequacy decision (or, for the UK, adequacy regulations), the EU standard contractual clauses, or the UK International Data Transfer Agreement or Addendum. These safeguards are intended to ensure that your data receives essentially equivalent protection regardless of where it's processed.
Incident Response
Despite our security measures, we recognise that incidents can occur. We maintain incident response procedures covering the detection, containment, investigation, and resolution of security issues. Where a personal data breach is reportable under the UK GDPR, we will notify the ICO within 72 hours of becoming aware of it, and we will inform affected individuals without undue delay where the breach is likely to result in a high risk to them. Where we process data on a client's behalf, we will notify that client without undue delay so that they can meet their own obligations. Beyond these legal requirements, we'll also notify you promptly of any incident affecting your data where we believe you should be informed.
Project-Specific Data Policies
This general privacy policy provides our foundational approach to data protection. However, we recognise that healthcare consultancy projects often have unique requirements, regulatory considerations, and data sensitivity levels. For specific client engagements, we develop tailored data handling protocols that may include:
- Enhanced security measures for particularly sensitive data
- Specific data retention and deletion schedules
- Additional access controls and audit requirements
- Bespoke compliance frameworks for specialist healthcare sectors
- Data sovereignty requirements for international projects
These project-specific policies are developed collaboratively with each client to ensure they meet your exact requirements whilst maintaining our commitment to the highest standards of data protection. All such arrangements are documented in formal data processing agreements that form part of our consultancy contracts.
Contact Information
We welcome questions about our privacy practices and your data rights. Our data protection team is available to discuss any concerns or help you exercise your rights under applicable data protection laws. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you are unhappy with how we handle your personal data.
For privacy-related enquiries, please contact us at: privacy@spinachconsultancy.com
Updates to This Policy
We may update this privacy policy periodically to reflect changes in our practices, legal requirements, or service offerings. When we make significant changes, we'll notify you through your account or other appropriate means, giving you time to review the updated policy before it takes effect.
We believe that protecting your privacy isn't just about compliance; it's about building the trust necessary for innovation in healthcare. By maintaining the highest standards of data protection, we create an environment where healthcare providers and startups can focus on what matters most: improving patient outcomes and advancing healthcare delivery.
Last updated: July 2025
This policy applies to all Spinach services and platforms, unless otherwise agreed.