BCS

Privacy Notice

How BCS handles your data.

Bespoke Clinical Services Ltd ("BCS", "we", "us") is the data controller for personal data submitted through this website. This notice explains what we collect, why, how long we keep it, and your rights under the UK GDPR and Data Protection Act 2018.
BCS privacy and data protection

Who we are

Controller and contact.

Bespoke Clinical Services Ltd is a company registered in England & Wales, operating from our London Hub (x+why, Chiswick Works, 100 Bollo Lane, London, W4 5LX) and Halifax Hub (Suite 1, Nursery Lane Health Centre, Halifax, HX3 5TE).

For any data protection query, contact our Data Protection lead at admin@bespokeclinicalservices.co.uk or call +44 1274 036971.

What we collect

Personal data we process via this website.

When you contact us, book a call or submit an enquiry form, we collect only what is necessary to respond:

  • Name
  • Organisation (PCN, practice or employer) — where provided
  • Email address
  • Phone number — where provided
  • The content of your message
  • The page you submitted the form from
  • Technical metadata: a salted, hashed IP address and user agent string, used solely for spam prevention and abuse review
  • Date and time of your consent, and the exact consent wording you agreed to

Why we use it

Purpose and lawful basis.

We process your data under Article 6(1)(a) UK GDPR — consent (when you tick the consent box on a contact form) and Article 6(1)(f) — legitimate interests (to operate, secure and improve our website and to respond to business enquiries from NHS organisations).

  • To respond to your enquiry or booking request
  • To send a confirmation email acknowledging receipt
  • To notify the BCS admin team of new enquiries
  • To prevent spam, abuse and automated form submissions
  • To maintain an auditable record of consent given

Patient data

We do not process patient data through this website.

Where BCS pharmacists deliver clinical services to Primary Care Networks, patient identifiable data is processed under a separate Data Processing Agreement and Data Protection Impact Assessment (DPIA) with the contracting PCN, using NHS-approved systems (EMIS, SystmOne) over our HSCN network. None of that data ever flows through this public website.

  • BCS-issued, encrypted laptops only — personal devices are not permitted
  • Cyber Essentials certified
  • NHS Data Security and Protection Toolkit (DSPT) compliant — all standards met
  • Health & Social Care Network (HSCN) for clinical system access
  • DPIA provided with every PCN contract
  • Live monitoring of IT systems

Sharing

Who we share data with.

We never sell your data. We share it only with carefully selected processors who help us run this website and respond to you:

  • Our hosting and infrastructure provider (Cloudflare, EU/UK regions where possible)
  • Our database and authentication provider (Supabase, EU region)
  • Our transactional email provider, to deliver your confirmation and our admin notification
  • Law enforcement or regulators, only where we are legally required to do so

Retention

How long we keep your data.

  • Contact form enquiries: up to 24 months from the date of your last interaction, then deleted or anonymised
  • Email send logs: 12 months, for deliverability and audit purposes
  • Unsubscribe and suppression records: retained indefinitely so we honour your opt-out
  • Hashed IP / user agent metadata: 6 months, for security and abuse review

Your rights

What you can ask us to do.

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Have inaccurate data corrected
  • Have your data erased (the right to be forgotten)
  • Restrict or object to our processing
  • Withdraw consent at any time — this does not affect processing done before withdrawal
  • Receive a portable copy of data you provided to us
  • Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk

Cookies

Cookies and analytics.

This site uses only strictly necessary cookies required to operate the website and remember your form state. We use a privacy-respecting, first-party analytics setup that records aggregate page views and crawler activity — it does not set advertising cookies, does not track you across other sites, and does not require a consent banner under PECR.

If we ever introduce non-essential cookies, we will ask for your consent before they are set.

Changes & contact

Updates to this notice.

We review this notice periodically and will publish any material changes on this page. To exercise any of your rights, or to ask a question about how BCS handles your data, email admin@bespokeclinicalservices.co.uk.

Last updated: 16 June 2026.

Questions about how we handle your data?

Email admin@bespokeclinicalservices.co.uk and our Data Protection lead will respond within 5 working days.

Contact BCS