Our Privacy Policy
Last updated: 15 June 2026 | Version 2.0
Who is responsible for managing my information?
At Peach, maintaining your privacy and confidentiality is a top priority for us. Peach (“The Company”) is committed to protecting your Personal Information. When you use our website, web portal or mobile apps and choose to provide us with information about yourself, we recognise that you trust us to treat it in a responsible manner.
Peach Health Ltd is the data controller responsible for your personal information. We are registered in England and Wales (company number 14928956), with our registered office at 37 Elsley Road, London, England, SW11 5LJ. We are registered with the Information Commissioner's Office (ICO), the UK's data protection regulator, under registration number 00010609839.
The Company uses all Personal Information that you provide to us or that we collect from you in accordance with all applicable laws, including those concerning the protection of Personal Information such as the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR).
The purpose of this Data Privacy Policy is to inform you about how the Company may use your Personal Information. In order to optimise the provision of our services to you and to facilitate some of our marketing efforts, we collect certain specific information about you.
This Data Privacy Policy explains the following:
What information we may collect about you;
How we will use information we collect about you;
Whether the Company will disclose your details to anyone else;
Where we might send your information;
The use of cookies on the Company’s websites; and
How you can reject cookies.
The UK General Data Protection Regulation (“UK GDPR”)
is the United Kingdom’s data protection law, which sits alongside the Data Protection Act 2018. It gives individuals control over their personal data and sets out the obligations of organisations that process it.
Data Protection Law
All legislation and regulations in force from time to time regulating the use of personal data and the privacy of electronic communications including, but not limited to, the UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations (PECR), and any successor legislation.
Encryption or Encrypted Data
The most effective way to achieve data security. To read an encrypted file, you must have access to a secret key or password that enables you to decrypt it. Unencrypted data is called plain text.
Information Commissioner’s Office (ICO)
The supervisory authority for data protection in the UK.
Personal Data
Any information relating to an identifiable person who can be directly or indirectly identified from that information, for example, a person’s name, identification number, location, online identifier. It can also include pseudonymised data. The terms Personal Data and Personal Information are used interchangeably within this policy.
Personal Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Special Categories of Personal Data
This data needs more protection because it is sensitive. It includes data which relates to an individual’s health, sexual orientation, race, ethnic origin, political opinion, religion, and trade union membership. It also includes genetic and biometric data (where used for ID purposes).
Data Storage
Client information is stored securely in Google Workspace, our business cloud platform, under Google's data processing terms. Data is encrypted in transit and at rest, and access is restricted to authorised staff on a need-to-know basis using individual accounts and two-step verification.
We hold this information in identifiable form so that your practitioner can provide your care, and we keep it confidential and secure.
The measures we use to protect your information include:
Encryption of data in transit (TLS/SSL) and at rest
Access restricted to authorised staff on a need-to-know basis, using individual accounts and multi-factor authentication
Confidentiality obligations and data protection training for staff and contractors
Procedures to detect, report and investigate any personal data breach
Third Party Integrations
Peach uses a variety of third-party service providers to help us provide services related to the Peach website and platform. Examples include: taking bookings, sending communications, and processing payments. Peach does not own or control these Third Party Partners and when you interact with them, you may be providing information directly to the Third Party Partner, Peach, or both. These Third Party Partners will have their own rules about the collection, use, and disclosure of information.
Our website also uses cookies and similar technologies, including for advertising. We ask for your consent before setting non-essential cookies. Please see our separate Cookie Policy for full details and to manage your choices.
What information do we collect?
When you use our services, we will ask for and collect the following personal information about you. This information is necessary to allow us to comply with our legal obligations. Without it, we may not be able to provide you with the requested service.
Account Information - When you sign up for a Peach Account, we require certain information such as your: name, email address, password (stored as an irreversible "hash" in our database), PIN number (encrypted in our database), date of birth, gender, contact number, address information and your marketing preferences.
Payment Information - To use certain features (such as booking an appointment or paying for a service), we may require you to provide certain financial information (card number, expiry date, CVC) in order to facilitate the processing of payments. These details are stored on both Calendly and Stripe to keep the information secure.
Personal Information - Due to the nature of our services, we may need to collect certain personal information about you in order to provide you with the best possible service. The level of information stored is therapy-dependent, but a medical history may be required. All information you choose to give us will be processed based on our legitimate interest or, when applicable, your consent (and, because health information is special category data, an additional condition under Article 9 of the UK GDPR - see “How do we use your information?” below).
Personal data held is as follows:
Name (and sometimes the name of a legal guardian)
Company name (where applicable)
Job title (where applicable)
Postal address
Contact telephone number(s)
Email address
Copies of correspondence (in some cases)
Additionally for patients we may also store: date of birth; sex; clinical details; referring clinician’s details for laboratory test requests; health screening information; test results (as generated by laboratories and as received from third-party referral).
Usage Information - We collect information about your interactions with Peach such as the pages or content you view, bookings you have made, and other actions.
Log Data and Device Information - We automatically collect log data and device information when you access and use Peach. That information includes, among other things: details about how you’ve used Peach, IP address, access dates and times, hardware and software information, device information, device event information, unique identifiers, crash data and cookie data.
How do we use your information?
We always have a lawful basis for using your information. For most purposes this is the performance of our contract with you or our legitimate interests. Because some of the information we hold concerns your health (“special category data”), we also rely on an additional condition under Article 9 of the UK GDPR - the provision of health or social care under Article 9(2)(h). For optional uses such as marketing and research we rely on your explicit consent, which you can withdraw at any time.
The information you provide may be used in a number of ways, for example:
To enable us to make informed decisions regarding the appropriate service for your needs and to manage your customer service queries. The legal basis on which we process an individual’s personal data in these circumstances is our respective legitimate interests in dealing with client service requests, responding to communications and solving client issues.
To collate anonymised data for research purposes to ensure the benefits of our therapies can become more widely recognised.
For statistical purposes when we evaluate our range of services.
For marketing purposes: Where individuals have expressly opted in to receive marketing communications from us, we will process their personal data to provide such individuals with marketing communications in line with the preferences they have provided. An individual is not under any obligation to provide us with their personal data for marketing purposes, and individuals can withdraw their consent at any time by contacting us.
To make our website better: We may process an individual’s personal data in order to provide a more tailored user experience, including making sure our website is displayed in the most effective way for the device being used.
For website security and internal operations, including troubleshooting, data analysis, testing, research, statistical and survey purposes. The legal basis here is our legitimate interest to provide the best customer experience we can, keep our website updated, relevant and secure.
Who will we share your information with?
In order to provide you with our services, we may share your information with the following:
Your practitioner(s) in order that they can provide you with our service.
Carefully selected third party referral pathology laboratories to conduct requested biomedical tests on patient samples. These referral laboratories only use the data provided to identify samples and report results back to Peach. Some of our suppliers are part of international groups. Where your information is processed only within the UK it remains subject to UK data protection law. Where any processing or access takes place outside the UK, we ensure an appropriate safeguard is in place.
Our administration staff, for example reception staff and bookkeepers, who will have access to basic information but do not have access to your medical history or sensitive personal information.
Occasionally we may want to make a referral to other professionals, for example specialist medical consultants, in which case we will ask for written consent to share that data.
We also use trusted third-party providers who host our website and mobile app, store information on our behalf, and help us deliver our service (for example, appointment note-taking tools). These providers act only on our instructions, under written data processing agreements, and are not permitted to use your information for their own purposes. Some are based outside the UK; where that is the case, we ensure an appropriate safeguard is in place.
Protection of Us and Others: We release accounts and other personal information when we believe release is appropriate to comply with the law, enforce or apply our terms and other agreements, or protect the rights, property, or security of Peach, our clients, or others.
Appointment reminders will be sent to your chosen email address prior to your booked appointment. Please let us know if you wish to opt out from this system.
If you wish to unsubscribe or adjust your communication preferences at any time, this can be done by accessing the Client Portal.
When can we contact you in the future?
We will only contact you in the future for the following reasons:
Follow up on your progress.
To advise you of any updates to our privacy policy.
Marketing communications - only for individuals who have expressly opted in, or where you are an existing client and the message relates to similar services (the “soft opt-in”). Every message includes an easy way to unsubscribe.
How long will we hold your data for?
We have a system of retention periods in place to ensure that your information is only stored whilst it is required for the relevant purposes or to meet legal requirements. Where your information is no longer required, we will ensure it is disposed of in a secure manner.
Our standard retention periods are:
Clinical / health records - 8 years after your last appointment for adults; for under-18s, until age 25
Payment and financial records - 6 years, to meet tax and accounting law
Account and contact details - for the duration of your relationship with us and for 8 years afterwards
Marketing preferences - until you withdraw consent or object
How can you access, update and control your information?
You will always have the right to request a copy of the information that we hold about you. If you would like a copy of some or all of your personal information, please email or write to us. We want to make sure that your personal information is accurate and up to date. You may ask us to correct or remove information you think is inaccurate.
In addition, under UK data protection law you have the right to erasure in certain circumstances, the right to restrict or object to our processing, the right to data portability, and the right to withdraw consent at any time where we rely on it. To exercise any of these rights, email hello@peach.health and we will respond within one month.
You also have the right to complain to the ICO: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; helpline 0303 123 1113; ico.org.uk. We would, however, appreciate the chance to address your concerns first.
We are continuously implementing and updating administrative, technical, and physical security measures to help protect your information against unauthorised access, loss, destruction, or alteration. Some of the safeguards we use are firewalls, data encryption and information access controls. If you know or have reason to believe that your Account credentials have been lost, stolen, misappropriated, or otherwise compromised, please contact us following the instructions in the Contact section below.
How do we update this privacy policy?
The Company will review this privacy policy on a regular basis to ensure that it is up-to-date with our use of your Personal Information, and compliant with Data Protection Law.
The Company reserves the right, at our discretion, to revise this Website Privacy Policy at any time. The updated policy will be posted on our website and you are encouraged to review this from time to time. This privacy policy was last updated: 15 June 2026.
We will process your Personal Data in accordance with this Policy and the lawful bases set out above.
Who can you contact if you have queries about this privacy policy?
Please contact us if you have any questions about our privacy policy or the information we hold about you by emailing hello@peach.health.