Privacy Policy


Last Updated May 29th, 2025

Contact Details

Email: support@varalign.co.uk

What information we collect, use, and why

We collect or use the following personal information to schedule and manage appointments on the Varalign platform:

  • Name, address and contact details
  • Date of birth
  • Addresses
  • Appointment details
  • Preferred communication methods
  • Calendar data generated and managed on the Varalign Platform
  • User login credentials

We also collect the following information to schedule and manage appointments on the Varalign platform:

  • Biometric information (where used to identify someone)

We collect or use the following information to facilitate users in organising and managing appointments for themselves and their relatives:

  • Name, address and contact details
  • Date of birth
  • Addresses
  • Appointment details
  • Preferred communication methods
  • Calendar data generated and managed on the Varalign Platform
  • User login credentials

We also collect the following information to facilitate users in organising and managing appointments for themselves and their relatives:

  • Biometric information (where used to identify someone)

We collect or use the following information to send appointment reminders and updates via the users’ preferred communication channel:

  • Name, address and contact details
  • Date of birth
  • Addresses
  • Appointment details
  • Preferred communication methods
  • Calendar data generated and managed on the Varalign Platform
  • User login credentials

We also collect the following information to send appointment reminders and updates via the users’ preferred communication channel:

  • Biometric information (where used to identify someone)

We collect or use the following information to provide information based on their location and surrounding services:

  • Name, address and contact details
  • Date of birth
  • Addresses
  • Appointment details
  • Preferred communication methods
  • Calendar data generated and managed on the Varalign Platform
  • User login credentials

We also collect the following information to provide information based on their location and surrounding services:

  • Biometric information (where used to identify someone)

We collect or use the following information to personalise interactions and communications with users and their relatives:

  • Name, address and contact details
  • Date of birth
  • Addresses
  • Appointment details
  • Preferred communication methods
  • Calendar data generated and managed on the Varalign Platform
  • User login credentials

We also collect the following information to personalise interactions and communications with users and their relatives:

  • Biometric information (where used to identify someone)

Lawful bases and data protection rights

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. There is a list of possible lawful bases in the UK GDPR. You can find out more about lawful bases on the ICO’s website.

Which lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website:

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

Our lawful bases for the collection and use of your data

Our lawful bases for collecting or using personal information to schedule and manage appointments on the Varalign platform are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Our lawful bases for collecting or using personal information to facilitate users in organising and managing appointments for themselves and their relatives are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Our lawful bases for collecting or using personal information to send appointment reminders and updates via the users’ preferred communication channel are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Our lawful bases for collecting or using personal information to provide information based on their location and surrounding services are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Our lawful bases for collecting or using personal information to personalise interactions and communications with users and their relatives are:

  • Consent – we have permission from you after we gave you all the relevant information. All of your data protection rights may apply, except the right to object. To be clear, you do have the right to withdraw your consent at any time.

Where we get personal information from

  • Directly from you
  • Family members or carers
  • Other health and care providers
  • Varalign employees and authorised personnel who collect or manage personal information as part of providing our services

How long we keep information

We retain your personal information only for as long as necessary to provide our services, fulfil legal obligations, or support our legitimate business interests. Specifically:

Retention Periods

1. Personal details (name, address, contact details, date of birth):

Retained for the duration of your account’s active status. After account closure or deletion, this data will be securely deleted within 3 months unless required for dispute resolution.

2. Appointment details and calendar data:

Stored for as long as your account is active. For inactive accounts, data will be retained for up to 5 years. After this period, you will receive a warning, and the data will be securely deleted unless otherwise required for dispute resolution or business purposes.

3. Preferred communication methods:

Retained as long as your account is active and deleted within 3 months of account closure or deletion.

4. User login credentials:

Retained until your account is closed or deleted. After account closure, credentials will be securely deleted within 3 months.

5. Biometric information:

Stored only while your account is active. Once your account is closed or deleted, biometric data will be securely deleted within 3 months.

6. Inactive accounts:

If your account is inactive for 5 years, we will notify you before securely deleting your data.

Customer Service and Dispute Resolution

Certain data (such as appointment details or communications history) may be retained for up to 6 years after account closure to support customer service and dispute resolution, in line with our legitimate business interests.

Data Deletion Process

After the retention period, your data will either be securely deleted or anonymised to protect your privacy.

Who we share information with

Data processors

OVH Hosting

This data processor does the following activities for us: Cloud hosting services for storing and managing Varalign platform and website data

Twilio

This data processor does the following activities for us: SMS services for sending appointment reminders and notifications

Mailgun

This data processor does the following activities for us: Email services for sending appointment notifications and reminders

Cloudflare

This data processor does the following activities for us: Content delivery network (CDN) and security services, including DDoS protection

Others we share personal information with

  • Other health providers (e.g. GPs and consultants)
  • Care providers
  • Organisations we need to share information with for safeguarding reasons
  • Organisations we’re legally obliged to share personal information with

We are subject to a common law duty of confidentiality. However, there are circumstances where we will share relevant health and care information. These are where:

  • you’ve provided us with your consent (we have taken it as implied to provide you with care, or you have given it explicitly for other uses);
  • we have a legal requirement (including court orders) to collect, share or use the data;
  • on a case-by-case basis, the public interest to collect, share and use the data overrides the public interest served by protecting the duty of confidentiality (for example sharing information with the police to support the detection or prevention of serious crime);
  • If in England or Wales – the requirements of The Health Service (Control of Patient Information) Regulations 2002 are satisfied; or
  • If in Scotland – we have the authority to share provided by the Chief Medical Officer for Scotland, the Chief Executive of NHS Scotland, the Public Benefit and Privacy Panel for Health and Social Care or other similar governance and scrutiny process.

Sharing information outside the UK

Where necessary, our data processors may share personal information outside of the UK. When doing so, they comply with the UK GDPR, making sure appropriate safeguards are in place.

For further information or to obtain a copy of the appropriate safeguard for any of the transfers below, please contact us using the contact information provided above.

Organisation name: Cloudflare

Category of recipient: Network and Security Provider

Country the personal information is sent to: Globally

How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs) and Encryption Protocols

Organisation name: Mailgun

Category of recipient: Cloud Communications and Email Delivery Provider

Country the personal information is sent to: United States

How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)

Organisation name: Twilio

Category of recipient: Information Technology Provider

Country the personal information is sent to: United States

How the transfer complies with UK data protection law: Addendum to the EU Standard Contractual Clauses (SCCs)

How to complain

If you have any concerns about our use of your personal data, you can make a complaint to us using the contact details at the top of this privacy notice.

If you remain unhappy with how we’ve used your data after raising a complaint with us, you can also complain to the ICO.

The ICO’s address:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
Cheshire
SK9 5AF

Helpline number: 0303 123 1113

Website: https://www.ico.org.uk/make-a-complaint