The Company is a Healthcare and Health Digital Solutions business which provides staffing solutions and digital platforms in the health sector. The Company must process personal data (including sensitive personal data) so that it can provide these services – in doing so, the Company acts as a data controller.

Circumstances where the company is not the data controller

The Company is not the data controller when providing NHS funded services (i.e. Checkup online & Video consultations), the data controller is the organisation who buys & uses the services. Checkup Health Platform will always be the data processor in this scenario.

NHS England Products

Please note that if you access our service using your NHS login details the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provide to NHS England to get an NHS login account and verify your identity and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS login’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.

What this policy covers:

This policy explains how we use your data to deliver our healthcare app( CheckUp Health), websites and services. This includes:

Services are provided through the following:

The Flame lily Healthcare Limited, the company that provides the services CheckUp Health, the technology software brand for Digital health services. When we talk about “we”, “The Company”, we mean The Flame Lily healthcare limited and CheckUp Health.

This means The Flame Lily Healthcare limited is using CheckUp Health and is the data “controller” of your personal data. Some services we offer with our partners, or on behalf of them may use the CheckUp Health technology.

You may give your personal details to the Company directly, such as on an application or registration form or via our website and or apps or we may collect them from another source such as other health services providers and platforms.The Company must have a legal basis for processing your personal data. For the purposes of providing you with healthcare and medical services and/or information relating to support relevant to you, we will only use your personal data in accordance with this privacy statement. At all times we will comply with current data protection laws.


  1. Collection and use of personal data
    • Purpose of processing and legal basis
    • Legitimate interest
    • Statutory/contractual requirement
    • Recipients of data
  2. Information to be provided when data is not collected directly from the data subject
    • Categories of data
    • Sources of data
  3. Overseas transfers
  4. Data retention
  5. Your rights
  6. Automated decision making
  7. Cookies
  8. Login files
  9. Links to external sites
  10. Sale of the business
  11. Data security
  12. Changes to this privacy statement
  13. Complaints or queries

1. Collection and use of personal data

a. Purpose of processing and legal basis

The Company will collect your personal data (which may include sensitive personal data) and will process your personal data for the purposes of providing you with required services. We collect information directly from you when you choose to participate in our offers and programs, create an account on our websites or in our mobile applications to access services, call or email us, or otherwise provide information directly to us and developing and managing our services and relationship with you and our clients.

Individuals are made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed is explicit and legitimate and determined at the time of the collection of the personal data. If you have opted-in we may also send you marketing information and news via email/ text. You can opt-out from receiving these at any time by clicking “unsubscribe” when you receive these communications from us.

In some cases we may be required to use your data for the purpose of investigating, reporting and detecting crime and also to comply with laws that apply to us. We may also use your information during the course of internal audits to demonstrate our compliance with certain industry standards.

We must have a legal basis to process your personal data. The legal bases we rely upon to offer our services to you are:

  • Your consent
  • Where we have a legitimate interest
  • To comply with a legal obligation that we have
  • To fulfil a contractual obligation that we have with you

b. Legitimate interest

This is where the Company has a legitimate reason to process your data provided it is reasonable and does not go against what you would reasonably expect from us. Where the Company has relied on a legitimate interest to process your personal data our legitimate interests is/are as follows:

  • Managing our database and keeping you and clients records up to date
  • Individual care and treatment
  • Providing services to you and our clients
  • Contacting you to seek your consent where we need it
  • Giving you information about similar products or services that you have used from us recently
  • Improving how we deliver services to you to suit your needs
  • We sometimes analyse your data and how you use our products to help us manage our business better
  • This could be things like fixing bugs in our app, understanding current user trends, or working out what users might want in the future
  • This doesn't involve making any decisions which would have a big effect on you. If this information is used alongside your personal data, we will make sure that our interests never come before your rights

c. Statutory/contractual requirement

The Company has certain legal and contractual requirements to collect personal data (e.g. to comply with Regulation and in some circumstances safeguarding requirements.) We use your health and medical information for safety, training, regulatory, and compliance purposes.

This means that:

If we're legally required to, or asked by a regulator, we may need to share your information with regulatory bodies like the General Medical Council, Medicines and Healthcare Products Regulatory Agency or Care Quality Commission

We may audit how you use our services, for example to review the quality of results provided by our products

To detect and prevent fraud, we may need to share your personal and financial information with banks, financial institutions and fraud prevention services.

d. Recipient/s of data

The Company will process your personal data and/or sensitive personal data with the following recipients:

  • Your pharmacy of choice if you choose one and save them in your app
  • Your GP, if you use our private service
  • NHS or clinical service partners
  • Referral services like specialists,therapists, pharmacists and hospitals
  • We use your location to recommend services near you, like pharmacies and hospitals

Depending on how you access our services, we get your location from your phone, internet browser, IP address or postal address or from organisations we are contracted with to provide you services.

Data we hold and collect from you

Personal Data

When you register with us, we'll ask you for your:

  • First Name
  • Last Name
  • Date of Birth
  • Gender
  • Address
  • Ethnicity
  • Email address
  • Mobile number
  • A copy of your ID (identity documentation) such as a driving licence
  • A copy of your address proof such as utility/ energy bill

The information you give us must be accurate. If you give us information about yourself or another person, you're confirming that you're authorised to do so.

Personal Demographic Service (PDS)

If you are receiving care from a health or care organisation, that organisation may share your NHS number with other organisations providing your care. This is so that the health and care organisations are using the same number to identify you whilst providing your care. By using the same number the health and care organisations can work together more closely to improve your care and support.

Your NHS number is accessed through an NHS England service called the Personal Demographic Service (PDS). A health or care organisation sends basic information such as your name, address and date of birth to the PDS in order to find your NHS Number. Once retrieved from the PDS the NHS Number is stored in our case management system. These data are retained in line with our record retention policies and in accordance with the Data Protection Act 1998, Government record retention regulations and best practice. Further information is available on our web site

We will share information only to provide health and care professionals directly involved in your care access to the most up-to-date information about you. Access to information is strictly controlled, based on the role of the professional, and where the user has a direct care relationship with you.

The use of joined up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. The linking of social care and health information via the NHS Number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process, because hospital staff will know who to talk to.

You have the right to object to the processing of your NHS Number in this way. This will not stop you from receiving care, but will result in the benefits outlined above not being realised. To help you decide, we will discuss with you how this may affect our ability to provide you with care, and any other options that you have.

If you wish to opt-out from the use of your NHS Number in this way, please contact us on +44 345 565 2081 or email to [email protected].

Sensitive Personal Data

When you use our services, we collect information about your health, including:

  • General health
  • Symptoms, treatments and medications
  • Consultations, such as notes and recordings
  • Procedures, such as surgery, scans or X-rays
  • Interactions with our services, like using our monito health at home modules or other digital services. These interactions may be shared with our clinical staff so that we can provide you with healthcare, and so that we can provide a better experience
  • Some of this information comes directly from you, but it can also come from third parties, such as your GP

If you use our private service, we'll send your appointment notes to your NHS GP, if you give us your consent.

Details of your conversations with us

  • We also keep a record of your consultations and your conversations with us. This is so we have an easy way to access your consultations to monitor the quality of our service and healthcare
  • And, if you have consented, so that we can use them to improve our services. This includes:
    • Your information you input in your Personal Health Records(PHR) and MyHealth
    • Your conversations in app
    • Your emails, calls or live chat conversations with our support team
    • Video and/or audio recordings from consultations
    • We keep your health and medical data secure by applying technical and organisational measures to protect it

How long do we keep your data?

We follow advice from the Department of Health and the British Medical Association on how long to keep the information found in your medical records. This is called a 'retention period'.

We might also keep some information that doesn't identify you to help improve our business and our services that we offer.

In some circumstances, we might keep data longer if required by the law

Your information How long we keep it (its 'retention period')
GP records: This includes medical records, consultations with GPs and monitor health at home modules interactions We keep your GP records for 10 years after your death or after you've permanently left the country. We may keep your records longer if there are genetic implications for your family. We work on the advice from clinicians in this situation. Electronic patient records can't be destroyed or deleted for the foreseeable future
Video consultations If we keep your video consultations, they are kept in the same way as your GP records (although that period of time could change if our product changes).
Voice (or audio) consultations We keep your voice consultations in the same way as your GP records (although that period of time could change if our product changes).
Communications with support teams, including phone calls, emails and live chats 1 year after you leave the CheckUp Health service.
Maternity records We keep your records for 25 years after the birth of your last child.
Records on any treatment for a mental disorder (as described in mental health legislation) We keep your records for 20 years after the date of your last consultation. Or 10 years after your death if that is sooner.

If you want to see any of this information while we have it (in its 'retention period'), you can ask for it by emailing us at: Support [email protected]

Data from other sources

We might also receive some data about you and your health from other organisations we are contracted with, apps, devices and services.

This will only happen if you've agreed to sharing that data with us. For example, if you decided to share information collected from a health monitoring device that linked to our app.

Credit and debit card information

If you make a payment on the app, your credit and debit card details are processed by a third-party payment provider.

We don't store any of your credit or debit card information and we only keep details of the transactions on our secure servers.

Technical information and analytics

When you use our app, or visit our website, we may collect the following data, where this is allowed by your device or browser settings:

  • The IP address used to connect your mobile phone or other device to the internet
  • Your browser information, such as Google Chrome or Apple Safari
  • Login and operating system
  • The make and model of your device
  • Resettable device identifiers
  • Time zone, language and location settings
  • Your mobile network provider and your location (based on your IP address)
  • Information about your visit to our website or use of our app, for example when you first visited the site or how many times you've visited
  • Information about the products or services you viewed or used
  • App response times and updates
  • Information about your interactions, like what notifications you opened
  • Any phone number used to call our customer service number
  • We work with other companies that provide us with analytics and advertising services
  • This is to:
    • Help us understand how people interact with our services
    • Provide the adverts for our services on the internet
    • Measure the performance of our services and our adverts
    • Your health information is not used for these advertising services

Source of Personal Data and Who we may Share it with

Other healthcare providers

If it's needed for your treatment or care, we will share your data with your other health and social care providers. These include:

  • Our clinical partners (including our NHS partners) who we work jointly or in connection with to provide you a service
  • Accident and emergency services, Hospitals
  • Diagnosis centres chosen by you for things like X-rays and other imaging
  • Other health and care bodies
  • Your NHS GP
  • Pharmacists
  • Specialist referral services
  • Therapists
  • Testing service providers

By law, we may need to share information with these services to safeguard either you or others, or conduct a public task (in the case of our NHS services). We may need your consent, or to rely on our legitimate interests to provide you with healthcare before we can share this information.

Overseas Transfers

The Company may transfer the information you provide to us to countries outside the European Economic Area (‘EEA’) for the purposes of providing you with optimum uptime services.We work with third parties servers which may be hosted outside UK to deliver efficient services.We take steps to ensure adequate protections are in place to ensure the security of your information. The EEA comprises the EU member states plus Norway, Iceland and Liechtenstein. This will always be in line with applicable data protection lawful mechanisms (such as appropriate contractual terms) and subject to strict safeguards.

For further information on how we protect your data if we transfer it outside of the EEA, contact us by email at: [email protected]

Protecting public health

We might process your data to protect public health. Your data could be vital to help research, monitor, track and manage public health emergencies, like pandemics. and in cases where such an activity is a legal requirement.

In a public health emergency, your information may be shared in a way that is appropriate and lawful with organisations such as:

  • GPs
  • Local authorities
  • Health organisations
  • NHS England
  • NHS England and Improvement
  • Public Health England

We will limit the use or sharing of data to the period of the emergency and will only share data to the extent necessary.

Aggregated or anonymous data

In situations where we may need to show on our website or share with our commercial partners data that does not personally identify you, which shows general trends. This is 'aggregated' data and is not personal data may be shared.

This might include, for example, the number of visitors to our websites, number of App downloads, users of our service or trends in a particular location.

Statistical data in the public's interest

We may also use data that does not identify you personally as part of statistics that we collect on certain types of illness, symptoms and conditions. This might include us contributing medical data and participating in such schemes from time to time. These schemes may be project-related or government-related schemes.

We may show these summarised statistics to our partners. They will always be anonymised. This is so we can improve our medical knowledge on how we support you in service delivery and help our members and the general public.

You can contact us directly if you do not want your data to be used in this way by email at: [email protected]

Your rights

Please be aware that you have the following data protection rights and you are in control of your records:

  • The right to be informed about the personal data the Company processes on you
  • The right of access to the personal data the Company processes on you
  • The right to rectification of your personal data
  • The right to the erasure of your personal data in certain circumstances;
  • The right to restrict processing of your personal data
  • The right to data portability in certain circumstances
  • The right to object to the processing of your personal data that was based on a public or legitimate interest
  • The right not to be subjected to automated decision making and profiling; and
  • The right to withdraw consent at any time

Making changes within your App

Remove or change your consent at any time, if we are using your data in a certain way based on it. You can do this by:

Going to the the website, under Privacy Policy, Under Your consent and use the given email address to advise us of your choices, you can:

Ask for a copy of the personal data we hold about you. Your data is stored securely on a server database with 256-bit encryption in line with our legal and medical obligations. User data is encrypted using SSL between the device and external host storage. Ask us to correct information that's wrong, delete it, or ask that we only use it for certain purposes. There might be times when we're not able to help, like if the law or our medical obligations say we can't.

Ask us to restrict any automated (computer-made) decisions made with your data.

Ask for your data to be provided in a portable format that allows you to move, copy or transfer it. Or ask us to send it in this format to someone else.

Where you have consented to the Company processing your [personal data/[and]sensitive personal data] you have the right to withdraw that consent at any time by contacting us using the methods below.

Email [email protected]

Write to us: Data Protection officer.

The Flame Lily HQ.

CheckUp Health

144 Penn Road,



We'll ask you for a proof of identity. Data protection laws give us one month to get back to you.

We're regulated by the Information Commissioner's Office (ICO). If you're not happy with any aspect of our data handling, you can complain to the ICO directly. You can contact them at:

Information Commissioner's Office

Wycliffe House

Water Lane




Phone: 0303 123 1113

Please note that if you withdraw your consent to further processing that does not affect any processing done prior to the withdrawal of that consent, or which is done according to another legal basis.

There may be circumstances where the Company will still need to process your data for legal or official reasons. Where this is the case, we will tell you and we will restrict the data to only what is necessary for those specific reasons.

If you believe that any of your data that the Company processes is incorrect or incomplete, please contact us using the details above and we will take reasonable steps to check its accuracy and correct it where necessary.

You can also contact us using the above details if you want us to restrict the type or amount of data we process for you, access your personal data or exercise any of the other rights listed above.


We may obtain data about you from cookies. These are small text files that are placed on your computer by websites that you visit. They are widely used in order to make websites work, or work more efficiently, as well as to provide information to the owners of the site. Cookies also enable us to deliver more personalised content.

Cookies and Other Technologies

The Flame Lily and our third-party service providers use a variety of technologies to assess how our sites or mobile applications are used, to personalize your experience and to deliver you marketing, including online content, tailored to your interests. Some technologies we may use include the following:


A cookie is a small file placed on your device when you visit a site that can be understood by the site that issued the cookie. We use the information collected by cookies to remember who you are to log you in and your preferences, to provide you with advertisements, offers or other content tailored to your interests and to assess how our sites are used. You can accept or decline cookies through your browser settings. To learn more, please look at the cookie settings available in your specific web browser(s). Please note, however, that without cookies, you may not be able to use all of the features of our Sites or other websites and online services.

We use cookies and other technologies to collect information when you visit our sites, view our online advertisements or promotions, or use our mobile applications or other services. The following are examples of information we may collect with these technologies:

  • Information about your device browser and operating system.
  • IP address
  • Web pages you view
  • Links you click
  • The Flame Lily/CheckUp Health emails you open

Other Technologies

We may use third-party web analytics services on our Sites, such as those of Google Analytics. These service providers help us analyse how visitors use the Sites. The information obtained for this purpose (including your IP address and other information collected by automated means) will be disclosed to or collected directly by these service providers. To learn more about Google Analytics and how to opt-out, please click here.

The providers of third-party plug-ins and widgets on our Sites, such as embedded videos and social media sharing tools, may use automated means to collect information regarding your use of the Sites and your interactions with the plug-ins and widgets. We may also receive information you have made available to those third-party services, including the geographic location of your mobile device and other information about you (such as name, email address, gender, locale, time zone, languages, social media profile URL, personal website URL, biographical information, birthday, photo, list of devices, education history, work history, hometown, interests, current city, political views, favourite athlete and teams, relationship status and information, religion, name of significant other, and certain security settings information) and your contacts on those services. This information is subject to the privacy policies or notices of the third-party providers of the plug-ins and widgets.

Links to external websites

The Company’s website may contains links to other external websites. Please be aware that the Company is not responsible for the privacy practices of such other sites. When you leave our site we encourage you to read the privacy statements of each and every website that collects personally identifiable information. This privacy statement applies solely to information collected by the Company’s website.

Sale of business

If the Company’s business is sold or integrated with another business your details may be disclosed to our advisers and any prospective purchasers and their advisers and will be passed on to the new owners of the business.

Data Security

The Company takes every precaution to protect our users’ information.The company uses security measures in relation to the personal data processed, e.g. firewalls, browser certification technology, encryption, limited access, use of passwords.Only users who need the information to perform a specific task (for example, consultations, our clinical team) are granted access to your information.

The Company uses all reasonable efforts to safeguard your personal information. However, you should be aware that the use of email/ the Internet is not entirely secure and for this reason the Company cannot guarantee the security or integrity of any personal information which is transferred from you or to you via email/ the Internet.

If you share a device with others we recommend that you do not select the “remember my details” function when that option is offered.

If you have any questions about the security at our website, you can email [email protected]

Changes to this privacy statement

We will update this privacy statement from time to time. We will post any changes on the statement with revision dates. If we make any material changes, we will notify you and give you a chance to review them.If you agree to the changes, you don't need to do anything. Just keep using our services as when and you need them with the updated policy and we'll assume you are happy with the way we use your data.

If you don't agree to the changes, then you can stop using our services at any time.

Complaints or queries

If you wish to complain about this privacy notice or any of the procedures set out in it please contact:

Email: [email protected]

Write to us: Complaints department, Dr Serena Jones, Clinical Safety Officer, The Flame Lily HQ. CheckUp Health 144 Penn Road WV3 0EE

  • REO logo
  • NHS logo
  • Innovate logo
  • Digital logo
  • Orcha logo
  • QMS logo
  • ISO 20000 1 2018 It Management
  • ISO 20000 1 2018 badge white
  • ISO 9001 2015
  • Signature Rx logo
  • nqa-iso27001-ukas
  • Cyber Essential Logo