Privacy Policy
At Evergreen Medical, your privacy is extremely important to us. This policy explains how we collect, use, and protect your personal information when you visit our clinic, use our website, or communicate with us. We are committed to meeting the standards set out by the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and Healthcare Improvement Scotland (HIS) requirements for independent clinics.
1. Who We Are
Evergreen Medical is a doctor-led private clinic based in Morningside, Edinburgh, providing medical, aesthetic, and wellness services.
Data Controller: Evergreen Medical Ltd
Registered Office: 90 Morningside Road, Edinburgh EH10 4BY.
Email: info@evergreenmedical.co.uk
Telephone: 0131 608 6800
2. What Information We Collect
We may collect and process the following personal information:
- Identification and contact data – name, date of birth, address, phone number, email.
- Medical information – health history, medication, treatment notes, test results, photographs (where applicable).
- Payment and billing information – for processing fees and invoicing.
- Marketing preferences – where you have opted in to receive updates or newsletters.
3. How We Use Your Information
Your information is used to:
- Provide safe, effective clinical care.
- Maintain accurate medical records.
- Communicate about your appointments, results, or treatment plans.
- Comply with regulatory and legal obligations (HIS, GMC, etc.).
- Improve our services, website, and communications.
- Send updates and marketing information only where consent has been given.
We will never sell or share your data with third parties for marketing purposes.
4. Lawful Basis for Processing
We process your data under the following lawful bases:
- Provision of healthcare services (Article 9(2)(h))
- Legal obligation (for clinical record keeping and HIS compliance)
- Consent (for marketing or optional photographs)
- Legitimate interest (to manage appointments and ensure service quality)
5. Data Storage and Security
Your data is stored securely within GDPR-compliant clinical systems and encrypted UK-based databases. Access is restricted to authorised clinical and administrative staff. We implement appropriate technical and organisational measures to safeguard all personal data.
6. Data Retention
Medical records are retained in accordance with legal and regulatory requirements (typically a minimum of 7 years after the last entry, or until the patient’s 25th birthday for children). Non-clinical contact information is retained only as long as necessary for communication or consented marketing purposes.
7. Sharing Your Information
We may share information with:
- Laboratories, pharmacies, or partner clinicians directly involved in your care.
- Regulators or insurers, where legally required.
All partners are bound by strict confidentiality and data protection agreements.
8. Your Rights
Under UK GDPR, you have the right to:
- Access your data.
- Request correction of inaccurate information.
- Request deletion of data (where appropriate).
- Withdraw consent for marketing.
- Restrict or object to processing in certain circumstances.
To exercise any of these rights, please contact: info@evergreenmedical.co.uk.
9. Cookies and Website Analytics
Our website may use cookies to improve your browsing experience and analyse traffic. You can manage cookie preferences through your browser settings.
10. Complaints
If you have concerns about how we handle your data, please contact us in the first instance. If you remain dissatisfied, you can contact the Information Commissioner’s Office (ICO) at www.ico.org.uk.