Privacy Notice

Last Updated: 20/05/2025

1.0 Introduction

This privacy notice tells you what to expect us to do with your personal information when you make contact with us or use one of our services. It explains:

  • why we are able to process your information;
  • what purpose we are processing it for;
  • whether you have to provide it to us;
  • how long we store it for;
  • whether there are other recipients of your personal information;
  • whether we intend to transfer it to another country; and
  • whether we do automated decision-making or profiling.

This privacy notice explains what personal information we collect about those who visit our website and communicate with us, how we use it, the circumstances in which we may disclose it to others and how we keep it secure.

We are committed to protecting and respecting your privacy. If you have any questions regarding this privacy notice and our approach to privacy, please contact us.

2.0 Who we are

Hexarad Group Ltd (Hexarad) is registered as a limited company in England and Wales under registration number 12127115, and our registered office is at Lynwood House, Station Road, Harrow, Middlesex, HA1 2AW. Hexarad's principal place of business and trading address is 163 Tower Bridge Road, London SE1 3LW.

To enable us to offer services that process personal data in the UK we have registered with the Information Commissioner's Office (ICO) under registration no. ZB039888 and engaged 8foldGovernance (a provider of consultancy services, specialising in information governance) to act as our Data Protection Officer (DPO). You can contact us, including our Data Protection Officer (DPO), via our contact page.

3.0 The information we process

We obtain information about you when you use our website, when you contact us about products and services, for example by email or telephone, or in the course of business with you or an organisation that you represent. Or through the delivery of our teleradiology services.

Information provided directly by you

Some of the personal information we process is provided to us directly by you for one of the following reasons:

  • You have made an enquiry to us.
  • You have initiated or completed a commercial transaction with us.
  • We are providing services to you or the organisation or entity you work for or represent.
  • You have made a complaint to us.
  • You wish to attend or have attended, an event we have organised or attended alongside you.
  • You have subscribed to our e-newsletter.
  • You have applied for a job with us.
  • You work with or for us.
  • You visit our website and consent to our use of cookies.

Information received indirectly

We also receive personal information indirectly, in the following scenarios:

  • Where we are providing services to the organisation or entity you work for or represent, and they have provided your information to us.
  • Where you have made your contact information available on your organisation's website and we use this to contact you and your organisation.
  • Where you have made your contact information available via a social media platform and we use this to contact you and your organisation.
  • You have applied for a job with us and we seek a reference from an organisation or individual you have previously worked for or with.
  • An employee of ours gives your contact details as an emergency contact or a referee.

Through delivery of Hexarad teleradiology services

Through the delivery of Hexarad's teleradiology services to our customers, the personal and special category data of our customer's patients is processed. In this situation, Hexarad may be the data controller or data processor depending on the customer. Our customers are data controllers of the data provided. Our customers provide us with radiological images, relevant data and clinical information of their patients so that our reporters can analyse and produce a report providing diagnostic findings to facilitate the direct care that our customers' patients receive. The resulting report will be securely shared with our customers to review and pass on the necessary findings to their patients.

Hexarad is regulated by the Care Quality Commission ("CQC"), and under CQC obligations we are required to maintain proper records of the care and treatment provided. Our reporters (registered radiographers and doctors) are regulated by the HCPC and GMC and are under professional obligations to provide care and treatment.

In cases where we indirectly receive personal data through other routes, we'll contact you to let you know we are processing your personal information if it is not disproportionate or prejudicial to do so. Please do not supply any other person's personal data to us, unless we prompt you to do so.

To support the processing of personal data and special categories of data under this processing activity the lawful basis will be:

  • Art. 6(1)(e) — Public task (personal data)
  • Art. 9(2)(h) — Healthcare purposes (special category data)

4.0 The Lawful Basis for the Processing of Personal Data

The table below describes the personal data we collect and our lawful basis for processing this data. When we process data on the basis of a legitimate interest, we apply the following test to determine whether it is appropriate:

  • Purpose — is the purpose of processing personal data legitimate?
  • Necessity — is the processing necessary to fulfil that purpose?
  • Balance — do the individual's interests, rights or freedoms override the legitimate interest?
Purpose of collection Data collected Purpose for collection Lawful basis Data Sharing Retention period
To provide you with information and to deliver services Name, job title, company name, email address, telephone number, business sector. To provide appropriate information via email or telephone about products and services that you have requested. To provide further, related, information about the identified area of interest. Performance of a contract / Legitimate interests Internal Maximum 7 years from the date the information is collected.
Transactional information Name, registered address, email address, telephone number, and bank account details (for credit accounts). To enable invoicing for goods and services. For accounting and taxation purposes. Contract management and in support of any contractual claim which may arise. Performance of a contract / Compliance with a legal obligation / Legitimate interests Internal, Professional advisers 7 years from the performance of the contract for financial records. Relevant statutes of limitation for legal claims.
Delivery of teleradiology services (patients) Radiographic images, accession number, Name, DOB, Exam name, clinical indications, NHS number, Medical Record Number (MRN), prior reports and images. To provide diagnostic services to facilitate the direct care patients receive by our customers. Public Task (Article 6(1)(e) of GDPR) Internal, Diagnostic Clinicians, Customers Maximum 1 year for the radiographic images. 8 years for each report completed.
Service Improvement Anonymised radiographic images and clinical information Service delivery and improvement Performance of a contract Internal, Professional Advisers Continued retention
Data Subject Rights Name, email address, telephone number, and proof of ID. To enable data subjects to exercise their rights over personal data. Compliance with a legal obligation Internal 2 years from the date the information is collected, unless subject to further investigation

5.0 Automated decision-making or profiling

We do not undertake any automated decision-making or profiling in relation to your personal data.

6.0 Your data protection rights

The rights available to you depend on our reason for processing your information. Under data protection law, you have rights including:

  • Your right of access — You have the right to ask us for copies of your personal information.
  • Your right to rectification — You have the right to ask us to rectify personal information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • Your right to erasure — You have the right to ask us to erase your personal information in certain circumstances.
  • Your right to restriction of processing — You have the right to ask us to restrict the processing of your personal information in certain circumstances.
  • Your right to object to processing — You have the right to object to the processing of your personal information in certain circumstances.
  • Your right to data portability — You have the right to ask that we transfer the personal information you gave us to another organisation, or to you, in certain circumstances.

Under most circumstances you are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.

You can contact us to take up any of these rights via email to enquiries@hexarad.com or by telephone: +44 203 327 1183 or by post: 2nd Floor, 163 Tower Bridge Rd, London SE1 3LW, UK.

7.0 Sharing your information

We will not share your information with any third parties for the purposes of direct marketing.

We use data processors who are third parties who provide elements of services for us. We have the necessary contracts in place with our data processors. This means that they cannot do anything with your personal information such as share it with other organisations unless we have instructed them to do it. They will hold your personal data securely and retain it for the period we instruct.

In some circumstances, we are legally obliged to share information. For example, with our insurers or lawyers or to comply with/under a court order. In any scenario, we'll satisfy ourselves that we have a lawful basis on which to share the information and document our decision-making.

8.0 International Transfers

When it is necessary for us to transfer personal data outside of the UK, the appropriate technical and organisational safeguards will be in place. All international transfers will only take place if it is compliant with the relevant legislation.

9.0 Visitors to our website

We use Google Analytics to collect information and details of visitor behaviour patterns on our website. We do this to understand things such as the number of visitors to the different areas of the website. This information is only processed in a way which does not identify anyone. We do not make and do not allow Google to make, any attempt to find out the identities of those visiting our website.

Where we do want to collect personally identifiable information through our website, we will make this clear at the point personal information is collected and we will explain what we intend to do with it.

10.0 Use of cookies

Like many other websites, our website uses cookies. 'Cookies' are small pieces of information sent by a website to your device and stored to enable that website to recognise you when you visit in the future. They can also be used to collect statistical data about your browsing activity and patterns of behaviour but do not identify you as an individual. This helps us to understand how people who visit our website use it, enabling us to improve the layout and content for visitors.

For more information about which cookies are used by our website, please see our Cookie Notice.

It is possible to switch off cookies by setting your browser preferences and settings. Turning cookies off may result in a loss of functionality when using our website.

11.0 How to make a complaint

We strive to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we may receive about this very seriously. We encourage people to inform us if they think that any collection or use of information by us is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures. You can do this by contacting us via our contact form or the following methods:

  • Email: enquiries@hexarad.com
  • Telephone: +44 203 327 1183
  • Post: 2nd Floor, 163 Tower Bridge Rd, London SE1 3LW, UK

If you remain dissatisfied, you have the right to make a complaint to the Information Commissioner's Office (ICO). Please see the ICO's website for more information: www.ico.org.uk

12.0 Links to other websites

Where we provide links to websites of other organisations, this privacy notice does not cover how that organisation processes personal information. We encourage you to read the privacy notices on the other websites you visit.

13.0 Changes to this Privacy Notice

We reserve the right to modify this Privacy Notice at any time, so please make sure to review this frequently. Our most updated Privacy Notice is posted on our website. All changes will apply with immediate effect.