

Last Update 27 February 2026
Privacy Policy
Last Updated: 27 February 2026
This privacy notice for GetScanned Ltd, trading as CoreVitals and GetScanned (“we”, “us”, or “our”), explains how and why we collect, store, use and share (“process”) personal information when you use our services (“Services”), including when you:
● Visit our websites at https://uk.getscanned.me/ or https://www.corevitals.me, or any website of ours that links to this privacy notice;
● Book scans or blood tests, attend consultations, or access results via our Platform; or
● Engage with us in other related ways, including sales, marketing, or events.
This privacy notice is intended to describe our processing under United Kingdom data protection laws, including the UK GDPR and the Data Protection Act 2018 (each as amended from time to time, including by the Data (Use and Access) Act 2025), the Privacy and Electronic Communications Regulations 2003 (as amended), and other related legislation.
Summary of Key Points
Questions or concerns?
If you do not agree with our policies and practices, please do not use our Services. If you have questions or concerns, please contact us at support@getscanned.me.
What personal information do we process?
We process personal information depending on how you interact with the Services and what you choose to book or use.
Do we process any sensitive personal information?
Yes. Where necessary to provide the Services, we process health information (special category personal data) and (where relevant) payment information.
Do we collect any information from third parties?
Yes. Depending on the Service you use, we may receive information from our clinical and operational partners (for example, scan centres, radiologists, diagnostic laboratories, and phlebotomy providers) to deliver Services and provide results.
How do we process your information?
We process personal information to provide and administer the Services, communicate with you, provide access to results and consultations, keep systems secure, prevent fraud, and comply with legal obligations.
Do you transfer or allow access to information internationally?
We are UK-based. Some members of our operations and development team are located in India and may access personal information strictly on a need-to-know basis with appropriate safeguards. Details are set out in Section 6.
How do we keep your information safe?
We apply appropriate technical and organisational measures. However, no system can be guaranteed to be 100% secure.
What are your rights?
Depending on your location (including the UK/EEA/Switzerland), you may have rights to access, correct, delete, restrict or object to processing, and other rights explained in Section 12.
TABLE OF CONTENTS
1. WHAT INFORMATION DO WE COLLECT?
2. HOW DO WE PROCESS YOUR INFORMATION?
3. WHAT LEGAL BASES DO WE RELY ON TO PROCESS YOUR PERSONAL INFORMATION?
4. AUTOMATED PROCESSING
5. WHEN AND WITH WHOM DO WE SHARE YOUR PERSONAL INFORMATION?
6. CROSS-BORDER TRANSFERS
7. DO WE USE COOKIES AND OTHER TRACKING TECHNOLOGIES?
8. HOW LONG DO WE KEEP YOUR INFORMATION?
9. HOW DO WE KEEP YOUR INFORMATION SAFE?
10. SERVICES USED BY CHILDREN / MINORS
11. ANONYMISED AND AGGREGATED DATA
12. WHAT ARE YOUR PRIVACY RIGHTS?
13. CONTROLS FOR DO-NOT-TRACK FEATURES
14. DO WE MAKE UPDATES TO THIS NOTICE?
15. HOW TO MAKE A PRIVACY COMPLAINT
16. HOW CAN YOU REVIEW, UPDATE, OR DELETE THE DATA WE COLLECT FROM YOU?
ANNEXURE A — Clinical and Operational Partners
ANNEXURE B — List of Sub-processors
We collect personal information you provide to us.
For example, we collect personal information you voluntarily provide when you create an account, book Services, attend consultations, request support, or otherwise contact us.
Personal information may include (depending on the Service):
● Names
● Phone number
● Email address
● Mailing address
● Contact preferences
● Account / authentication data
● Billing address and payment details (where applicable)
● Date of birth
● Insurance information (where applicable)
● Service details (e.g., scan type; appointment preferences)
Where a parent or legal guardian books Services for a child, we may also collect personal information about the child as necessary to deliver the Services.
Where necessary to provide the Services, and where permitted by applicable law, we process:
● Health information (e.g., biomarkers, results, reports, referrals, clinical notes, imaging and related metadata); and
● Financial information (e.g., payment details) where applicable.
Some information is collected automatically when you use our Services.
We automatically collect certain technical information when you visit, use, or navigate the Services (for example: IP address, device/browser characteristics, operating system, language preferences, referring URLs, country/location, and usage information). This information helps maintain security and operation of our Services, and supports analytics and reporting.
Automatic data may include:
● Log and Usage Data (e.g., timestamps, pages viewed, actions taken, error reports)
● Device Data (e.g., device identifiers, browser type, ISP/mobile carrier, OS)
● Location Data (precise or imprecise depending on your device/settings; you can disable location sharing, but some features may be affected)
We process personal information to provide and administer Services, communicate with you, keep systems secure, and comply with law.
We process personal information for purposes that include:
● To deliver and facilitate delivery of Services (including bookings, scheduling, results access, and consultations).
● To respond to enquiries and provide support.
● To send administrative information (service messages, changes to terms/policies, operational updates).
● To fulfil and manage orders and payments (where applicable).
● To maintain platform security, prevent fraud, and troubleshoot.
● To address urgent outcomes and protect vital interests where necessary (for example, urgent clinical results requiring immediate contact and follow-up).
● To comply with legal obligations and to establish, exercise or defend legal claims.
We process personal information only where we have a lawful basis under UK Data Protection Laws. Where we process health information, we also rely on a special category condition.

Where we rely on legitimate interests as our lawful basis, we will carry out a Legitimate Interests Assessment (LIA) to ensure that our interests are not overridden by your rights and interests.
For certain processing activities, in particular, maintaining the security and integrity of our Platform and systems, and preventing fraud and misuse, we may additionally rely on 'recognised legitimate interests' under the Data (Use and Access) Act 2025. Processing for these purposes does not require a separate balancing test, but we continue to apply appropriate safeguards and to process only the minimum information necessary.
Activities where we may rely on recognised legitimate interests include:
● Keeping our systems and networks secure and detecting, preventing, and investigating misuse or fraud;
● Logging and monitoring access to systems that hold sensitive personal information; and
● Ensuring the integrity and availability of the Platform.
Where we process health information, including biomarker results, HL7 reports, scan images, scan reports, referrals, and clinical notes, we do so primarily on the basis of Article 9(2)(h) UK GDPR, as processing necessary for the purposes of preventive medicine, medical diagnosis, the provision of health care or treatment, and the management of health care systems and services, carried out under the responsibility of GetReal Health Limited, a CQC-registered provider, and the health professionals it engages (Schedule 1, paragraph 2, Data Protection Act 2018). GetScanned Ltd operates under contractual obligations of confidentiality to GetReal Health Limited in respect of all health information processed in this context.
Depending on the context, we may additionally or alternatively rely on one or more of the following conditions, as set out in the table below.

Explicit consent (Article 9(2)(a))
Although GetScanned's primary Article 9 condition is Article 9(2)(h), we may in some circumstances additionally seek your explicit consent — for example, where a specific use of your health information falls outside the scope of the healthcare services you have booked, or where we consider it appropriate to do so as a matter of good practice. Where we rely on explicit consent, you can withdraw it at any time by contacting us. Withdrawal of consent does not affect the lawfulness of any processing already carried out on that basis, and does not affect our ability to continue processing under Article 9(2)(h) or any other applicable condition.
Professional confidentiality obligations
Article 9(2)(h) requires that processing be carried out subject to obligations of professional secrecy. The health professionals engaged in delivering the Services are subject to professional and regulatory confidentiality obligations under applicable law and their respective regulatory frameworks. GetScanned Ltd is contractually bound to equivalent obligations of confidentiality by virtue of its arrangements with GetReal Health Limited.
Strictly need to know
We only process health information where necessary for the Services you have requested, and we restrict access to health information on a strict need-to-know basis, including within our own organisation and across our clinical and operational partners.
Processor note (business customers)
Where we act as a processor for a business customer, the customer is responsible for identifying and communicating the applicable Article 6 lawful basis and Article 9 condition(s) for their processing. We process personal information in accordance with the customer's documented instructions and the terms of the applicable Data Processing Agreement.
We don't make decisions about you that are based solely on automated processing and that produce legal or similarly significant effects on you.
Our platform provides an interactive visual representation of your blood test results as uploaded by you or our laboratory partners. This display function, including any visual indicators such as out-of-range markers, is a presentation tool only. It does not constitute a clinical decision, medical advice, or a diagnosis, and is not intended to be relied upon as such. All clinical interpretation is carried out by qualified healthcare professionals as part of the Services you have booked with such healthcare professionals. For more information, read our General Terms and Conditions.
We share personal information only as needed to deliver Services, operate our Platform, and meet legal and safety obligations. We may share personal information with:
Where you book a scan, we may share the necessary information with the scan centre (and their radiologists) to arrange appointments, complete safety checks, perform the scan, and generate scan reports. We may receive scan images and reports back from the scan centre (typically via secure clinical transfer tools used in healthcare settings).
Where you book a blood test, we may share the necessary information with relevant providers to arrange kits, appointments, nurse visits (if applicable), sample processing and results reporting. We may receive results back (including HL7 reports) for display in our systems and to enable clinical review.
We may make relevant information available to the clinician(s) involved in your consultation(s) so they can provide consultations, explain results, and make recommendations. Access is granted on a strict need-to-know basis.
We use vendors who support hosting, communications, customer support, security, analytics, collaboration tools and other operational functions. These providers process personal information only on our instructions and subject to contractual safeguards. A list of key providers is set out in Annexure “B”.
We may share personal information where required for a merger or acquisition, to comply with law, respond to lawful requests, or to protect rights, property and safety.
We are based in the United Kingdom. However, some of our operations and development team are located in India and may access personal information on a controlled basis.
Personal information we process may be accessed from the United Kingdom and, where required for operational support or product development, from India.
Our India-based team members are employees of GetScanned Ltd (not third-party providers). They access personal information only where required for their role and only through controlled systems.
We apply appropriate technical and organisational measures to protect personal information accessed from India, including (as applicable):
● role-based access controls and least-privilege permissions;
● access approvals and need-to-know limitations;
● strong authentication and secure access methods;
● logging and monitoring of access; and
● secure development and change-management practices.
Some service providers listed in Annexure B may process personal information outside the UK.
When transferring personal information outside the United Kingdom, we comply with applicable UK data protection law, including the requirements introduced by the Data (Use and Access) Act 2025. In particular:
● Where the Secretary of State has made an adequacy regulation determining that a third country, territory, or international organisation ensures a level of protection for personal information that is not materially lower than that provided under UK data protection law, we may transfer personal information to that destination on that basis.
● Where no such adequacy regulation applies, we use appropriate safeguards, including the UK International Data Transfer Agreement (UK IDTA) or the UK Addendum to the EU Standard Contractual Clauses (UK Addendum to SCCs), as approved by the Information Commission, to ensure personal information transferred outside the UK receives an equivalent level of protection.
You may request more information about the applicable transfer mechanism by contacting us.
Where we provide Services to a business customer and act as a processor, the customer’s principal agreement will address the relevant international access/transfers position. Where required for restricted transfer elements, we will enter an appropriate UK transfer mechanism with the customer (for example, the UK IDTA or the UK Addendum to the EU SCCs), together with appropriate technical and organisational controls.
We may use cookies and similar technologies.
We use analytics cookies (including Google Analytics) to understand how our Services are used, monitor performance, and improve user experience. Under the Data (Use and Access) Act 2025, analytics cookies that are low-risk and do not involve tracking across third-party sites may be used without your prior consent, provided we make it easy for you to opt out.
You can opt out of Google Analytics tracking at any time by visiting: https://tools.google.com/dlpage/gaoptout
For more information on the privacy practices of Google, please visit the Google Privacy & Terms.
We keep personal information for as long as necessary for the purposes described, unless a longer period is required or permitted by law.
We retain personal information only for as long as necessary to fulfil the purposes set out in this notice, unless a longer retention period is required or permitted by law (e.g., tax/accounting, regulatory, or legal requirements). Where deletion is not immediately possible (e.g., backups), we will securely store and isolate the data until deletion is possible.
We apply organisational and technical measures to protect personal information.
We use appropriate and reasonable technical and organisational security measures designed to protect personal information. We may publish and update certain security-related information available on our website from time to time.
However, no electronic transmission or storage can be guaranteed to be 100% secure. You use the Services at your own risk and should access them from a secure environment.
Our Services are primarily designed for use by adults. However, a parent or legal guardian may book certain Services for a child.
We recognise that children merit specific protection when their personal information — including health information — is processed, given that they may be less aware of the risks involved and of their rights. In accordance with the Data (Use and Access) Act 2025 and UK GDPR, we take the following approach when designing and operating Services that may involve children:
● We apply privacy-by-design principles to limit data collection to what is strictly necessary to deliver the booked Service;
● Access to children's personal information (including health information) is restricted on a strict need-to-know basis;
● We do not use children's personal information for marketing or profiling purposes; and
● We apply additional safeguards when processing children's health information, including audit logging and access approvals.
Where a parent or legal guardian books Services for a child, we may collect and process:
● The parent/legal guardian's contact and account details; and
● The child's information necessary to deliver the Services (which may include health information such as scan results or biomarker data).
By booking Services for a child, the parent or legal guardian confirms that they:
● Are the child's parent or legal guardian (or otherwise have authority to make the booking); and
● Have authority to provide the child's personal information to us and to the relevant clinical and operational partners involved in delivering the Services.
If we become aware that a child's personal information has been provided to us without appropriate parental or legal guardian authority, we will take reasonable steps to investigate and, where appropriate, delete or restrict access to the information. To raise a concern, contact support@getscanned.me.
We may permanently transform health information into an anonymised form so it can no longer be used to identify you. We use anonymised and aggregated insights to improve our Services.
“Anonymised” means information has been processed so that it can no longer identify you, and we do not attempt to re-identify you. Where information remains capable of being linked back to you (for example, via a key), it is not anonymised and continues to be treated as personal information.
Once information has been genuinely anonymised in accordance with the standard described above, it is no longer personal information and falls outside the scope of UK data protection law, including the UK GDPR and the Data (Use and Access) Act 2025. We apply this standard consistently and do not treat pseudonymised data (where a key could link information back to you) as anonymised.
Where we use anonymised or aggregated information for research or analytical purposes, this may include commercial research and product development purposes. In all cases, we apply safeguards to minimise the risk of re-identification, including data minimisation, access controls, and restricting outputs to aggregated or statistical formats. We do not attempt to re-identify anonymised information.
If you are located in the UK/EEA/Switzerland, you may have rights under applicable data protection laws, which may include:
● access to your personal information;
● rectification;
● erasure;
● restriction;
● objection;
● data portability (where applicable); and
● withdraw your consent (where applicable).
You can exercise your rights by contacting us using the details in Section 16. You also have the right to lodge a complaint with the Information Commission (formerly the Information Commissioner's Office / ICO) at www.ico.org.uk if you believe we are unlawfully processing your personal information.
Marketing opt-out: You can opt out of marketing emails at any time (unsubscribe link or contact us). We may still send service-related communications.
We currently do not respond to Do-Not-Track signals because no uniform standard has been adopted. If a standard is adopted that we must follow, we will update this notice.
We may update this notice from time to time. The updated version will be indicated by an updated “Last Updated” date. If we make material changes, we may notify you via the Services, by email or by other appropriate means.
We take privacy complaints seriously and are committed to resolving them promptly and fairly.
If you have a concern about how we have handled your personal information, please contact us in writing:
● Email: support@getscanned.me
● Post: GetScanned Ltd
Jactin House
24 Hood Street
Ancoats M4 6WX
Please include your name, contact details, a description of your concern, and (if applicable) what outcome you are seeking.
We will acknowledge receipt of your complaint within 30 days of receiving it. We will then investigate your complaint and aim to provide a substantive response as quickly as reasonably practicable.
If you are not satisfied with our response, or if we fail to respond within a reasonable period, you have the right to escalate your complaint to the Information Commission (formerly the ICO) at any time:
● Website: www.ico.org.uk
● Telephone: 0303 123 1113
● Post: Information Commission, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Making a complaint to us does not affect your right to complain directly to the Information Commission at any time.
If you are a resident in the United Kingdom, we are the 'data controller' of your personal information. We have appointed Adil Mohammed to be our representative in the UK.
You can contact our representative directly regarding our processing of your information, by email or post, using the same contact details above.
Depending on applicable law and your location, you may have the right to:
● Request access to the personal information we hold about you (a 'Subject Access Request' or SAR);
● Request correction of inaccurate or incomplete personal information;
● Request deletion or restriction of your personal information; or
● Exercise any other right set out in Section 12.
How to make a request
To make a request, please contact us at:
● Email: support@getscanned.me
● Post: GetScanned Ltd
Jactin House
24 Hood Street
Ancoats M4 6WX
Please include your full name, contact details, and a clear description of what you are requesting so we can locate the relevant information and respond effectively.
How we respond
We will respond to your request within one calendar month of receiving it. Where your request is complex or we receive a high volume of requests, we may extend this period by up to a further two months; if so, we will notify you within the first month.
Where we need clarification or additional information from you to process your request, we may pause the response period until we receive what we need. We will contact you promptly to explain what information is required.
We will search for your personal information in a reasonable and proportionate manner, having regard to the nature and scope of your request.
Verification
To protect your privacy, we may need to verify your identity before processing your request. We will ask for the minimum information necessary to do so.
No fee
We do not usually charge a fee for subject access requests. However, we reserve the right to charge a reasonable administrative fee, or to decline a request, where it is manifestly unfounded or excessive.