NOSE.

Privacy Policy

NOSE LONDON LTD | Company Number: 16001813 | ICO Registration: [TBC]

Last updated: 23 March 2026

1. Who We Are

NOSE LONDON LTD (“we”, “us”, “our”) is a private medical practice specialising in rhinoplasty and nasal surgery, led by Mr David Whitehead BSc MBBS MSc FRCS(ORL-HNS), Consultant ENT and Facial Plastic Surgeon.

  • Registered office: 9 Harley Street, London W1G 9QY
  • Consultation locations: 9 Harley Street and 25 Harley Street, London
  • Surgical facility: Weymouth Street Hospital, London (Phoenix Hospital Group), rated “Good” by the Care Quality Commission (June 2024)
  • Contact: enquiries@nose.london | 020 7183 0220
  • Data Protection Officer: Mr David Whitehead — dpo@nose.london

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, NOSE LONDON LTD is the Data Controller for personal data we collect and hold independently.

When you attend for surgery at Weymouth Street Hospital, Phoenix Hospital Group acts as a joint Data Controller for data collected during your hospital admission. Their privacy policy is available at phoenixhospitalgroup.com/privacy-policy.

2. What This Policy Covers

This policy explains how we collect, use, store, and protect your personal data when you:

  • Visit our website (nose.london)
  • Submit an enquiry via our contact form
  • Book or attend a consultation
  • Undergo surgery or treatment under our care
  • Communicate with us by phone, email, or other means

3. How We Collect Your Data

We collect personal data through:

Source | Examples
Our website | Contact form submissions, cookie data, analytics
Booking system | Name, email, phone number via Cal.com
Consultations | Medical history, examination findings, clinical photographs, AI-assisted transcription via Heidi Health
Surgery and treatment | Operative notes, anaesthetic records, discharge summaries (held by Weymouth Street Hospital)
Correspondence | Emails, letters, phone calls
Third parties | GP referral letters, insurance authorisations, hospital records

4. Data We Collect

4a. Website Visitors

When you visit nose.london, we automatically collect:

  • Usage data: Pages visited, time on site, referring URL, browser type, device type
  • Technical data: IP address (anonymised where possible), operating system
  • Cookie data: See our Cookie Policy for full details

This data is collected via Google Analytics and Microsoft Clarity. We use it in aggregate to understand how visitors use our website and to improve the user experience; we do not use it to identify individual visitors.

4b. Enquiry and Booking Data

When you contact us or book an appointment, we collect:

  • Full name
  • Email address
  • Telephone number
  • Your message or enquiry details
  • Appointment date and time preferences

Contact form submissions are sent directly to our email (enquiries@nose.london) and are not stored in a website database. Booking data is processed via Cal.com.

4c. Patient Clinical Data (Special Category Data)

When you become a patient, we collect and process special category data as defined under Article 9 of the UK GDPR, including:

  • Medical history, medications, and allergies
  • Examination findings and clinical measurements
  • Clinical photographs and video recordings
  • Operative notes and surgical records
  • Anaesthetic records
  • Pathology and test results
  • Mental health information relevant to treatment decisions
  • Referral correspondence with your GP and other specialists
  • AI-generated consultation transcripts (via Heidi Health — see Section 6)

This data is essential for providing safe, effective medical care and is processed under the lawful bases set out in Section 5.

4d. Children and Young People

We treat patients under the age of 18 with parental or guardian consent, in accordance with GMC guidance (0–18 Years: Guidance for All Doctors) and the Royal College of Surgeons Professional Standards for Cosmetic Surgery.

For patients under 18:

  • Parental or guardian consent is obtained for all consultations and treatments
  • We assess whether the young person has capacity to be involved in decision-making
  • All data relating to children is retained until the patient's 25th birthday (or 26th if they were 17 at the end of treatment), in line with NHS Records Management Code of Practice 2021
  • We do not target marketing activities at children or young people, in accordance with GMC guidance (paragraph 35)

4e. Financial Data

We collect payment information (bank details, card details) solely for the purpose of processing consultation fees, surgical deposits, and treatment payments. We do not store card details on our systems. Payments are processed via secure third-party payment providers.

5. Why We Process Your Data and Our Lawful Basis

Under the UK GDPR, we must have a lawful basis for processing your personal data. The tables below set out each purpose and the corresponding legal basis.

Standard Personal Data (Article 6)

Purpose | Lawful Basis | GDPR Article
Responding to enquiries via contact form or phone | Legitimate interest (responding to prospective patients) | Art. 6(1)(f)
Booking and managing appointments | Contract performance | Art. 6(1)(b)
Sending appointment confirmations and reminders | Contract performance | Art. 6(1)(b)
Processing payments and invoicing | Contract performance | Art. 6(1)(b)
Complying with legal, regulatory, and tax obligations | Legal obligation | Art. 6(1)(c)
Website analytics (Google Analytics, Microsoft Clarity) | Legitimate interest (improving our services) | Art. 6(1)(f)
Defending or pursuing legal claims | Legitimate interest | Art. 6(1)(f)
Notifying your GP of treatment (with your permission) | Consent or legitimate interest | Art. 6(1)(a) or (f)

Special Category Data — Health Data (Article 9)

Purpose | Lawful Basis | GDPR Article
Providing medical consultations and treatment | Healthcare provision by a health professional | Art. 9(2)(h)
Recording clinical notes and operative records | Healthcare provision | Art. 9(2)(h)
AI-assisted consultation transcription (Heidi Health) | Healthcare provision + explicit consent | Art. 9(2)(h) + Art. 9(2)(a)
Clinical photography for your medical record | Healthcare provision | Art. 9(2)(h)
Clinical photography for education, publications, or marketing | Explicit consent | Art. 9(2)(a)
Sharing records with your GP or referring clinician | Healthcare provision | Art. 9(2)(h)
Sharing records with anaesthetists and hospital staff | Healthcare provision | Art. 9(2)(h)
Insurance claim processing | Contract performance + healthcare provision | Art. 6(1)(b) + Art. 9(2)(h)
Clinical audit and quality improvement (anonymised) | Public interest in public health | Art. 9(2)(i)
Defending or pursuing legal claims | Establishment, exercise, or defence of legal claims | Art. 9(2)(f)

6. AI-Assisted Tools

Heidi Health — AI Medical Scribe

We use Heidi Health, an AI-powered medical transcription system, to assist with documenting your consultation. Heidi is used in every consultation by default.

How it works:

  • Heidi listens to the consultation and generates a written transcript and clinical summary
  • The transcript is reviewed, verified, and approved by Mr Whitehead before being saved to your medical record
  • Audio is not retained. It is processed only for as long as is needed to produce the transcript and is deleted once the transcript is finalised
  • Only the verified written transcript is retained

Compliance and security:

  • Heidi Health meets the NHS data security and clinical safety standards listed below
  • Certifications: ISO 27001, SOC 2 Type II, Cyber Essentials Plus
  • NHS compliance: Data Security and Protection Toolkit (DSPT), Digital Clinical Safety (DCB0129), Digital Technology Assessment Criteria (DTAC)
  • All data is hosted within the United Kingdom
  • Heidi acts as a Data Processor; NOSE LONDON LTD remains the Data Controller

Your right to opt out:

If you prefer that Heidi is not used during your consultation, please inform Mr Whitehead at the start of the appointment. It will not be activated, and your care will not be affected in any way. Manual notes will be taken instead.

7. Clinical Photography and Imaging

Clinical photographs are an essential part of rhinoplasty practice. We use a tiered consent model for the use of your photographs and images:

Tier | Purpose | Consent Required
1. Clinical record | Part of your medical notes for treatment planning, surgical reference, and follow-up | Healthcare necessity (Art. 9(2)(h)) — no additional consent needed
2. Education and training | Teaching, clinical presentations, and professional training | Explicit written consent
3. Scientific publications | Published in peer-reviewed medical journals or textbooks | Explicit written consent
4. Prospective patient consultations | Shown to other patients during consultations to illustrate potential outcomes | Explicit written consent
5. Website, social media, and marketing | Published on nose.london, Instagram, or other platforms, or shared with review sites (Doctify, RealSelf) | Explicit written consent

Important:

  • You may consent to some tiers and not others
  • You may withdraw consent for Tiers 2–5 at any time by contacting us
  • Images used for Tiers 2–5 are de-identified where possible (eyes obscured or the image cropped). Because the nose itself is the subject of these images, obscuring the eyes reduces but does not remove the risk that someone who knows you could recognise you; please bear this in mind before consenting to Tiers 2–5
  • Withdrawal of consent does not affect images already published in print or distributed prior to withdrawal, but we will remove them from our website and social media within a reasonable timeframe
  • Consent for Tier 1 (clinical record) cannot be withdrawn as these images form part of your medical record and are necessary for safe clinical care

8. Third-Party Data Processors

We share your data with the following third parties, all of whom act as Data Processors under contract with us:

Processor | Purpose | Data Shared | Location
Heidi Health | AI consultation transcription | Consultation audio (temporary), transcript | UK
Semble | Practice management, patient records, billing | Patient identity, contact, clinical, financial data | UK (ICO registered)
Google Analytics | Website analytics | Anonymised usage data, IP address | EU/US (Standard Contractual Clauses)
Microsoft Clarity | Website heatmaps and session recording | Anonymised usage data, clicks, scrolls | EU/US (Standard Contractual Clauses)
Cal.com | Appointment booking | Name, email, phone, appointment details | EU
Vercel | Website hosting | Server logs, IP address | EU/US
Doctify | Patient review platform (widget on website) | Public review data | UK
Google Fonts | Website typography | IP address (minimal) | US

Other Recipients (Not Processors)

We may also share your data with:

  • Your GP — with your consent, or where clinically necessary in your vital interests
  • Referring clinicians — where you have been referred by another doctor
  • Anaesthetists and hospital staff — at Weymouth Street Hospital for your surgical care
  • Health insurance providers — where you are claiming on a policy, with your consent
  • Professional regulators — the GMC, if required by law or regulation
  • Legal and financial advisors — where necessary for legal claims, tax compliance, or audit
  • Law enforcement — only where required by law or court order

9. International Data Transfers

Some of our third-party processors (Google, Microsoft, Vercel) may transfer data outside the United Kingdom. Where this occurs, we ensure appropriate safeguards are in place:

  • The UK International Data Transfer Agreement (IDTA) issued by the ICO
  • The EU Standard Contractual Clauses (SCCs) together with the ICO's UK Addendum, where the processor relies on the EU SCCs
  • Adequacy regulations: transfers to countries that the UK Government has deemed to provide adequate protection

Your clinical data (held in Semble and Heidi Health) is stored and processed within the United Kingdom.

10. Data Retention

We retain your data for the following periods, in line with the NHS Records Management Code of Practice 2021 and HMRC requirements:

Data Type | Retention Period
Adult clinical records | 8 years after last contact
Children's clinical records | Until the patient's 25th birthday (or 26th if aged 17 at end of treatment)
Clinical photographs (Tier 1) | Same as clinical record
Consent forms | Same as the clinical record to which they relate
Complaint files | 10 years from closure of complaint (held separately from clinical notes)
Financial and billing records | 6 years (HMRC requirement)
Website analytics data | 26 months
Contact form enquiries | 2 years, unless you become a patient (then retained as part of clinical record)
Booking data (Cal.com) | 12 months
AI transcripts (Heidi Health) | Transferred to clinical record and retained per clinical retention schedule above

After the relevant retention period, data is securely deleted or anonymised.

11. Your Rights Under UK GDPR

You have the following rights in relation to your personal data:

Right | What It Means
Access | You can request a copy of the personal data we hold about you (a Subject Access Request). See our Subject Access Request page.
Rectification | You can ask us to correct any inaccurate or incomplete data.
Erasure | You can ask us to delete your data in certain circumstances. Note: we cannot delete clinical records where retention is required by law or professional guidance.
Restriction | You can ask us to restrict how we process your data while a concern is being resolved.
Data portability | You can request your data in a structured, machine-readable format for transfer to another provider.
Objection | You can object to processing based on legitimate interest. We will stop unless we have compelling grounds.
Withdraw consent | Where processing is based on consent (e.g. photography Tiers 2–5, marketing), you can withdraw consent at any time.
Automated decision-making | You have the right not to be subject to decisions based solely on automated processing. We do not currently use automated decision-making.

To exercise any of these rights, contact us at dpo@nose.london or write to us at 9 Harley Street, London W1G 9QY.

We will respond within one calendar month. In complex cases, this may be extended by a further two months, and we will inform you if this is necessary.

12. Data Security

We take the security of your data seriously and implement appropriate technical and organisational measures, including:

  • Encrypted storage and transmission of clinical data
  • Access controls limiting data access to authorised personnel
  • Secure, NHS-compliant systems (Semble, Heidi Health)
  • Regular review of data processing activities
  • Staff training on data protection (where applicable)
  • Secure disposal of data at end of retention period

13. GP Involvement

In accordance with GMC and RCS guidance, we consider it good practice to inform your GP about any cosmetic surgery or treatment you undergo with us. This is particularly important for your ongoing medical care.

  • We will seek your permission before contacting your GP
  • If you prefer your GP is not informed, we will respect your decision and record this in your notes
  • In rare circumstances where there is a serious risk to your health, we may need to contact your GP in your vital interests, even without your explicit consent

14. How to Complain

If you are unhappy with how we have handled your personal data:

  1. Contact us first — dpo@nose.london — and we will try to resolve your concern
  2. If you remain dissatisfied, you have the right to lodge a complaint with the Information Commissioner's Office:
    ICO: ico.org.uk | 0303 123 1113 | Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

15. Changes to This Policy

We may update this policy from time to time. The “last updated” date at the top of this page will always reflect the most recent version. We will not make significant changes to how we process your data without informing you.

16. Contact Us

NOSE LONDON LTD
9 Harley Street, London W1G 9QY
Company Number: 16001813
ICO Registration: [TBC]

Data Protection Officer: Mr David Whitehead
Email: dpo@nose.london
Phone: 020 7183 0220
Website: nose.london


This policy is drafted in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, GMC Guidance for Doctors Who Offer Cosmetic Interventions (2016), and the Royal College of Surgeons Professional Standards for Cosmetic Surgery (2016).

Content authored by Mr David Whitehead BSc MBBS MSc FRCS(ORL-HNS) | GMC: 4372358 | RCS Board Certified Cosmetic Surgeon