12 May 2026

Introduction

This is the privacy policy of Square Health Limited relating to the processing by Us of Your personal data.

Under Data Protection Law We have a legal duty to protect any information We collect from You and We are committed to protecting and respecting Your privacy. We use leading technologies and encryption software to safeguard personal data, and keep strict security standards to prevent any unauthorised access to it.

Questions, comments and requests regarding Our privacy policy are welcomed and should be addressed to our Data Protection Officer at Square Health Limited, Crown House, William Street, Windsor SL4 1AT OR by email to data.protection@squarehealth.com.

In this policy:

  • Square Health refers to Square Health Limited, company number 7054181 of Crown House, William Street, Windsor SL4 1AT, and We, Us, Our, Ours and Ourselves also refer to Square Health;
  • You, Your, Yours and Yourself refer to you;
  • Data Protection Law refers to the DPA, the UK GDPR and all other laws and regulations relating to the collection and other processing of personal data;
  • DPA refers to the Data Protection Act 2018;
  • UK GDPR refers to the General Data Protection Regulation (EU Regulation 2016/679) as amended and in force in the UK;
  • OH Services refers to the occupational healthcare services which are provided by Square Health to You, as an employee of a Square Health client and which includes (but is not limited to) carrying out the occupational health assessment, producing an occupational health report, and assisting Your employer in deciding which reasonable adjustments (if any) should be made for You and/or Your fitness for work;
  • personal data refers to personal data as defined in the UK GDPR (including, if relevant, health data or any other special category personal data as defined in the DPA or UK GDPR);
  • special category data is defined in the UK GDPR and includes race or ethnic origin, the processing of genetic data and data concerning health (amongst others);
  • Square Health Practitioner refers to a Square Health panel doctor or healthcare practitioner, or pathology laboratory or other analysis service used by Square Health to provide a Square Health Service;
  • Square Health OH Practitioner refers to an occupational health professional engaged by Square Health to provide the OH Services;
  • Square Health Service refers to a medical or healthcare service (not OH Services) which is provided by Square Health – whether accessed or provided via one of our apps (a Square Health App) or otherwise;
  • Square Health Screening Service refers to our health screening service that is provided to You through a Square Health client, such as an insurance company to which you have applied for insurance;
  • Third Party Service refers to a service which is provided by a third party provider and, for Square Health Services, which is accessed via a Square Health App;
  • Child refers to any child for whom You are the parent or legal guardian or for whom You are otherwise responsible and who is entitled to use a Square Health App (whether or not under Your supervision) in order to access a Square Health Service or a Third Party Service.

For the purposes of Data Protection Law, We are the data controller for personal data we collect, except in exceptional circumstances, such as when We provide Square Health Screening Services on behalf of a Square Health client. In those circumstances, the legal basis and purposes of processing will be determined by the client, who will be the data controller.

Under Data Protection Law, We must identify a lawful basis for processing personal data. These lawful bases are found in Article 6 UK GDPR:

  • Consent (Article 6(1)(a) UK GDPR);
  • Contract (Article 6(1)(b) UK GDPR);
  • Legal obligation (Article 6(1)(c) UK GDPR);
  • Vital interests (Article 6(1)(d) UK GDPR);
  • Public interest task (Article 6(1)(e) UK GDPR); and
  • Legitimate interest (Article 6(1)(ea) and (f) UK GDPR).

There are additional conditions in Article 9 UK GDPR We must identify when We process special category data – the most relevant for Us are:

  • Explicit consent (Article 9(2)(a) UK GDPR);
  • Social protection (Article 9(2)(b) UK GDPR);
  • Exercise or defence of legal claims (Article 9(2)(f) UK GDPR);
  • Medical diagnosis (Article 9(2)(h) UK GDPR); and
  • Occupational health (Article 9(2)(h) UK GDPR).

 

Information We may collect and process about You

Square Health Practitioners/Square Health OH Practitioners

| Category of personal data | Purpose of Processing | Lawful basis of processing |
| --- | --- | --- |
| Contact details (eg name, address, telephone number, personal address, business address, email address) | Due diligence; Payment processing; Service reporting; Appointment booking | Contract; Legal obligation; Legitimate interests |
| Date of birth, professional registration numbers, CV/employment history | Due diligence | Contract; Legal obligation |
| DBS check information to include criminal conviction data | Due diligence | Contract; Legal obligation; Social protection; Exercise or defence of legal claims |
| Passport / Driving licence | Due diligence | Contract; Legal obligation; Social protection |
| Qualification/ accreditation certificates, indemnity insurance | Due diligence | Contract |
| Performance records/Service reporting | To review performance of the services | Contract |
| Bank details, VAT registration number, tax status | Payment processing | Contract |
| Photo | To include on ID badge – for ID verification | Legitimate interests |
| Audio / Video recording of consultation | To review performance of the Square Health Services, such as through internal audits or complaint handling | Legitimate interests; Legal obligation; Exercise or defence of legal claims |

 

Individuals that access Square Health Services

| Category of personal data | Purpose of Processing | Lawful basis of processing |
| --- | --- | --- |
| Name, address, e-mail address and phone number, date of birth, gender and photograph | To provide the Square Health Services | Contract |
| Information relating to health including medical records, physical and mental performance, characteristics, any ailments, diseases, and disabilities | To provide the Square Health Services | Contract; Medical diagnosis; Exercise or defence of legal claims |
| Race and other special category information where it is relevant to the provision of the Square Health Services | To provide the Square Health Services | Contract; Medical diagnosis; Exercise or defence of legal claims |
| Audio / Video recording of consultation | To review performance of the Square Health Services, such as through internal audits or complaint handling | Protect the vital interests of the patient; Legitimate interests; Legal obligation; Exercise or defence of legal claims |
| Audio recording of call with Square Health Operations assistants | To review performance of the Square Health Services, such as through internal audits or complaint handling | Legitimate interests; Exercise or defence of legal claims |

 


Individuals that access Square Health Screening Services (where we are the data controller)

| Category of personal data | Purpose of Processing | Lawful basis of processing |
| --- | --- | --- |
| Name, title, address and other contact details, date of birth, gender, information about Your work/education and lifestyle, marital status, Your GP details | To keep an internal record of Our actions in relation to your case; To provide management information to monitor the service provided by Us; To review and enhance the quality of any services, including monitoring compliance; To arrange medical tests (i.e.: blood test, ECG) and obtain a medical report from a medical examiner; To arrange health screening to support your insurance application | Legitimate Interests |
| Medical records, physical build (height/weight), medical history (including, but not limited to current and past history, psychological history, family history, medication, tests and investigation results), results of Your physical examination, test results | To maintain records to enable Us to establish, exercise and/or defend legal claims; To perform any tests for you (i.e.: blood test, urine test, etc); To obtain your medical records and access examination forms and any test results | Legitimate interests; Medical diagnosis; Exercise or defence of legal claims |

 

Individuals that access OH Services

| Category of personal data | Purpose of Processing | Lawful basis of processing |
| --- | --- | --- |
| Name, date of birth, job title, contact details | To provide the OH Services | Consent |
| Accessibility requirements | To provide the OH Services | Consent/Explicit consent |
| Relevant information about how you carry out your work and any impact on your health condition | To provide the OH Services | Consent/Explicit consent |
| Information about your lifestyle that is relevant to your health condition | To provide the OH Services | Consent/Explicit consent |
| Information about your health condition provided pre- or during your assessment | To provide the OH Services | Consent/Explicit consent |
| Any other relevant information that would assist in making an occupational health report | To provide the OH Services | Consent/Explicit consent |
| Audio / Video recording of the occupational health assessment | To provide the OH Services | Consent/Explicit consent |

 

Other individuals

You may directly or indirectly give Us personal data by entering information via Our website or through contact with members of Our customer service and marketing team, or automatically every time You use Our website (in respect of technical information). The information We collect which may identify You will typically include:

| Category of personal data | Purpose of Processing | Lawful basis of processing |
| --- | --- | --- |
| Name, address, email address, telephone and other contact details, date of birth, information about Your employment/education and lifestyle, information about Your use of Our services or your image | To provide information that You request about Our services or those of any affiliated company; To provide any services or any other products or services that You request from Us and that We agree to provide; To allow You to participate in interactive features of Our website or any Square Health service when You choose to do so; To process any application by You for employment or to provide services to Us; To make disclosures required by law or regulation; To assist in the detection of fraud; For marketing and promotional purposes | Legitimate interests; Legal obligation |
| Health or medical information | Where You voluntarily provide this information in order to clarify an enquiry or complaint sent through Our contact form on Our website | Medical diagnosis |
| Technical information, including the internet protocol (IP) address used to connect your device to the internet, your login information, browser type and version, time zone setting, operating system and platform, and your location | | Legitimate Interests |
| Information about Your visit, including the date, time and length of Your visit, pages or service elements You viewed or used; response times, download errors, interaction information (such as scrolling and clicks), and any phone or other methods used to contact Us | | Legitimate Interests |

Cookies

Our cookie policy may be viewed here https://www.squarehealth.com/cookies

Much of the information which we may collect through the use of cookies is non-personal data for the purposes of Data Protection Law but We treat Internet Protocol (IP) addresses and similar identifiers as personal data. Where non-personal data is combined with personal data, We also treat the combined information as personal data for the purposes of this Privacy Policy.

Disclosure of Your information

Square Health Practitioners

We may share your personal information with other third parties where we have a legal obligation to do so or to assist with investigations carried out by law enforcement, government or regulatory bodies where it is fair and lawful. For example, where a regulatory body requests your information to carry out a task in the public interest.

We shall share your name with patients prior to a consultation taking place.

 

Individuals that access Square Health Services

We may share Your or Your Child’s personal data with the following parties for the following purposes:

| Party | Purpose |
| --- | --- |
| Square Health client, where access to a Square Health Service is linked to membership of a wider service of the relevant client | To enable the relevant Square Health client to administer its service and (where appropriate) to facilitate access to benefits under that service |
| Square Health Practitioners | Where necessary in connection with the provision of any element of a Square Health Service |
| Providers of Third Party Services | Where necessary in connection with access to or provision of the relevant Third Party Service |
| Your NHS GP | Where You have provided Us with explicit consent, so that We ensure that the treatment provided is not in conflict with separate treatment You may receive from the NHS; For safeguarding purposes, if We believe there is an immediate or short-term threat to Your safety or the safety of others, in compliance with the General Medical Council’s Good Medical Practice |

 


Individuals that access Square Health Screening Services (where we are the data controller)

We may disclose Your personal data to the following recipients where necessary:

  • To the appropriate Square Health client (such as an insurance company or independent financial advisor to which You have applied for insurance)
  • Medical examiners for the purpose of obtaining a medical report and arranging a home visit and an appointment
  • Laboratories for the purpose of providing test results
  • Diagnostics providers (for example hospitals) for the purpose of arranging investigations
  • Your GP and other medical practitioner
  • To a third party provider approved by the applicable Square Health client
  • Professional advisors e.g. auditors and legal advisors
  • Taxation or other public authorities where required by law

We may also transfer Your personal data to people providing Us with support, administrative services and secure shredding services for the more efficient processing of Your health screening.

Individuals that access OH Services

| Party | Purpose | Lawful basis of processing |
| --- | --- | --- |
| Your employer | Where necessary to keep them updated as to the progress of Your occupational health process | Legitimate interests; Occupational health condition |
| Square Health OH Practitioners | Where necessary for the provision of the OH Services | Legitimate interests; Occupational health condition |
| Square Health Technology Limited | Where necessary in connection with access to or provision of the OH Services | Legitimate interests; Occupational health condition |

All individuals

Disclosure of information to affiliated companies

We may share personal data relating to You, including any health or medical information or other special category data that You have agreed We may use, with any affiliated company which processes personal data on Our behalf. Our affiliated companies are Square Health Group Limited, Bodycare Clinics Limited and Doctors Chambers (UK) Limited and such other affiliated companies from time to time, as well as any of their respective holding companies and any subsidiaries of any of those holding companies, as well as our ultimate holding company and its subsidiaries. Holding company and subsidiary are defined in section 1159 of the UK Companies Act 2006.

Disclosure of information to other third parties

We may share personal data (but not special category data) with selected third parties including analytics and search engine providers that assist in the improvement and optimisation of Square Health Services and/or Square Health Apps.

We may disclose Your personal data to third parties:

  • If all or substantially all of Our assets are acquired by a third party as part of a sale or transfer of our business, personal data held by Us about Our clients and users will be one of the transferred assets.
  • If We are under a duty to disclose or share personal data in order to comply with any legal obligation or to assist with investigations carried out by law enforcement, government or regulatory bodies where it is fair and lawful, or
  • To protect the rights, property, or safety of Us, Our clients and users, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Other than as above We will not share Your personal data with third parties without Your consent.

 

How we store your personal data


Square Health Practitioners and Square Health OH Practitioners

We use third party providers to store / host your personal data. These third parties act as our data processors (as defined in Data Protection Law). These data processors process your personal data within the UK and the EEA.

Individuals that access Square Health Services

Some personal data relating to You (and/or, if applicable, Your Child) may be held within a Square Health App used by You. All other personal data relating to You and/or (as applicable) Your Child will be stored on secure servers located in the UK or Ireland. This includes primary and secondary care information, medication information and diagnostic information. Usually, personal data relating to You (and/or, if applicable, Your Child) will be processed only within the UK or Ireland but there may be occasions where it is processed outside the UK or Ireland, for example where a Square Health Practitioner providing a consultation is located outside the UK or Ireland. Any such processing will be in full compliance with Data Protection Law.

Individuals that access OH Services

Personal data relating to You will be stored on secure servers located in the UK or Ireland. This includes your occupational health referral, supplementary information we may need to complete the assessment, the occupational health report (including any drafts) and any next steps relating to You.

Other individuals

All personal data relating to You and provided or collected via Our website will be stored on secure servers located in the UK or EEA.

Passwords and security

Where We need to send You personal data or any other confidential information – for example, when providing You with a copy of Your personal data – We will do so securely to protect the information while it is in transit. In accordance with Our obligations under Data Protection Law, such emails will be sent using encryption and be password protected. The password will be communicated to You separately. These measures are part of our commitment to implementing appropriate technical safeguards to protect Your personal data against unauthorised access or disclosure.

Where We have given You (or where You have chosen) a password for any reason, You are responsible for keeping this password confidential. We ask You not to share a password with anyone.

We also encrypt data which are transmitted via Our website. However, the transmission of information via the internet can never be completely secure due to security threats outside Our control. For this reason, although We will do our best to protect Your personal data, We cannot guarantee the security of Your data transmitted via Our website. Once We have received your information, We will use strict procedures and security features to minimise the risk of unauthorised access.

Our website may contain links to and from third party applications or websites. If You follow a link to any of these applications or websites, please note that these applications or websites have their own privacy policies and that We do not accept any responsibility or liability for these policies. Please check these policies before You submit any personal data to these websites.

Location data

If You have switched on location sharing for a Square Health App on Your phone, we will collect Your location data and only use it if, during Your consultation, Your Square Health Practitioner believes they need to call emergency services to attend to You. If You don’t have location sharing switched on, there may be a delay in calling emergency services while the Square Health Practitioner determines Your location.

We will collect and use Your location data in accordance with Article 6(1)(d) UK GDPR (processing is necessary in order to protect the vital interests of the data subject or of another natural person) and regulation 16 of The Privacy and Electronic Communications (EC Directive) Regulations 2003 (Emergency calls).

Your location data will not be retained after Your consultation has ended. We will not use Your location data for any other purpose.

Retention of Your personal data

Personal data may be retained by Us in accordance with our retention policy for the period required to comply with Our obligations to insurance and financial providers or other third parties and/or other legal obligations, and/or where it is necessary for an identified business purpose. All personal data retained by Us will be held securely as described in this privacy policy.

Once the applicable retention period for Your personal data has expired, We will ensure that Your personal data is securely and permanently deleted using appropriate technical measures designed to prevent recovery or unauthorised access. These practices reflect our commitment to the data minimisation principle under Data Protection Law, which requires that personal data is not kept for longer than is necessary for the purposes for which it was collected.

Marketing and analytics

We may use Your personal data to send You marketing communications about Square Health Services. We will only send You direct marketing communications where We have a lawful basis to do so. In practice, this means We rely on one of the following:

  • Your consent: where required, We will ask for Your consent before sending You marketing communications.
  • “Soft opt-in”: where You are an existing customer or user of a Square Health App or Square Health Service – We may send You marketing communications about Our similar services without obtaining Your prior consent. This is sometimes referred to as the “soft opt-in” and is permitted under the Privacy and Electronic Communications Regulations (EC Directive) 2003.

We may also use Your personal data for analytics purposes. This involves analysing information about how You interact with a Square Health App or Square Health Service – such as the features You use, the frequency of Your visits, and Your engagement patterns, in order to better understand Your preferences, improve Our services, and inform Our marketing strategy. Where We do this, We rely on either Your consent or Our legitimate interests as the lawful basis for this processing.

If You have given Your consent for Us to use Your personal data for whatever reason, You have the right to withdraw Your consent, including for marketing purposes. If You have consented to receive marketing communications or We are relying on the “soft opt-in”, at any time subsequently You can ask not to receive marketing communications by emailing us at data.protection@squarehealth.com or by adjusting Your marketing preferences in a Square Health App.

Your rights

Data Protection Law gives You various rights including the:

– right to receive a copy of Your personal data

– right to ask Us to update or correct any inaccurate personal data

– right to request Us to delete Your personal data (‘right to be forgotten’) unless We have a contractual/legal requirement to keep it.

You can exercise Your data protection rights by writing to Our Data Protection Officer at Crown House, William Street, Windsor SL4 1AT OR by sending Your request to data.protection@squarehealth.com

If You have any concerns about Our use of Your personal data, You can make a complaint to Us using the above details. If You remain unhappy with how We’ve used Your data after raising a complaint with Us, Data Protection Law gives You the right to complain to Our supervisory authority, the Information Commission (www.ico.org.uk).

Changes to Our privacy policy

Any changes We may make to Our privacy policy in the future will be displayed on Our website or at Our discretion may be notified to You by email or SMS. New terms may be displayed on-screen and You may be required to read and accept them in order to continue to use Our website.