Hear with Ish - Privacy Policy
Effective date: 17 November 2025
1) Who we are (data controller)
Hear with Ish (“we”, “us”, “our”) is an independent audiology clinic based at 36 Princess Road West, Leicester, LE1 6TQ, United Kingdom.
Email: contact@hearwithish.com
Telephone: 07349269037
We are the data controller for personal data collected via our website, by phone/email, and in clinic. For privacy queries, contact our Data Protection Lead at the email above.
2) What this notice covers
This notice explains what personal data we collect, why and how we use it, who we share it with, how long we keep it, our lawful bases, international transfers and security, your rights, and how to contact the UK Information Commissioner’s Office (ICO).
3) The personal data we collect
3.1 Data you provide
Identity & contact: name, date of birth, address, phone, email, next‑of‑kin/emergency contact.
Clinical information (special category): hearing/medical history, audiometry results, otoscopy images/video, tinnitus history, red‑flag information, referrals, outcome measures, care plans.
Purchases & aftercare: device make/model/serial numbers, earmould impressions, repair history, warranty information, invoices and payments.
Preferences & consents: communication preferences and marketing consents.
Feedback/complaints: comments, surveys, complaint correspondence.
3.2 Data we generate or receive from others
Other clinicians/services (with your knowledge): GP/ENT letters, historic audiograms, referral information.
Manufacturers/labs/repair centres: device configuration, repair logistics, and limited diagnostics for remote support (when you enable the manufacturer’s app). Some manufacturer apps act as independent controllers of app/telemetry data—please read the app provider’s privacy notice.
Website & communications: basic technical/usage data (IP address, device/browser), and cookie/analytics data (see §11).
4) Why we use your data and our lawful bases
We process data under the UK GDPR and Data Protection Act 2018. Health information is special category data.
Our main lawful bases:
Provision of health care (special category condition): necessary for health or social care by/under a professional duty of confidentiality (UK GDPR Art. 9(2)(h)).
Contract: to enter into and perform our agreement with you (assessments, fittings, aftercare, repairs, payments).
Legal obligation: to meet legal/regulatory requirements (e.g., tax/VAT, clinical governance, product safety/recalls).
Legitimate interests: to run, secure and improve our services (e.g., appointment reminders, practice management, fraud prevention), balanced against your rights.
Consent: for direct marketing (email/SMS) and for non‑essential cookies/analytics—you can withdraw consent at any time.
Purposes include delivering hearing care; arranging referrals; booking and reminders; supplying devices, aftercare and repairs; managing payments; clinical audit and quality; responding to enquiries/complaints; sending essential service/safety notices; and (with consent) sending marketing updates.
5) Direct marketing & your choices
We will only send email/SMS marketing with your consent, or (where permitted) under the “soft opt‑in” for existing customers in line with PECR direct marketing rules. You can opt out at any time via the link in our messages or by emailing us.
6) Who we share information with
We share only what is necessary and put contracts/safeguards in place:
Healthcare professionals: your GP/ENT or other providers for continuity of care (normally with your knowledge).
Manufacturers, labs & repair centres: to fulfil orders, create earmoulds, process repairs and manage warranties.
Service providers (processors): secure practice‑management software, IT/cloud hosting, email/SMS, payments, website/analytics support.
Regulators/authorities: where required by law, court order or to protect vital interests and safety.
Business transfers: in a restructuring or sale, under confidentiality and only as permitted by law.
We do not sell your personal data.
7) International transfers
Some trusted providers may be located outside the UK. When we make restricted transfers, we use approved safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. For certain US providers, we may rely on the UK‑US Data Bridge (the UK extension to the EU–US Data Privacy Framework) where the recipient is certified.
8) How long we keep your data (retention)
We keep data no longer than necessary and then securely delete or anonymise it.
Adult clinical records: typically 8 years from last contact.
Children/young people: until age 25 (or 26 if aged 17 at last contact).
Financial records: typically 6–7 years for tax/accounting.
These periods follow the NHS England Records Management Code of Practice, as applied to independent providers. If a complaint, legal claim or incident is ongoing we keep relevant data until resolved.
9) Security & personal‑data breaches
We apply appropriate technical and organisational measures (access controls, staff training, encryption in transit where practical, audit logging, data minimisation, secure disposal). No system is 100% secure; we monitor and improve our controls.
If a breach creates a risk to individuals, we follow ICO breach guidance and, where required, notify the ICO and affected individuals.
10) Your privacy rights
You have the right to:
Be informed (this notice).
Access your data and receive a copy.
Rectify inaccurate or incomplete data.
Erasure in certain circumstances.
Restrict processing in certain circumstances.
Object to processing based on legitimate interests, and object to direct marketing at any time.
Data portability (for data you provided, where processing is by consent or contract and automated).
Withdraw consent (e.g., marketing/cookies); this does not affect past lawful processing.
We respond within one month (extendable by two months for complex requests). We may request proof of identity and, where lawful, refuse or charge a reasonable fee (we will explain why).
11) Cookies, analytics & similar technologies
Our site uses cookies and similar technologies to make it work, measure performance and improve content. Categories may include strictly necessary, functional, analytics and advertising (e.g., social pixels).
Non‑essential cookies run only with your consent via our banner (you can change choices any time).
See our Cookie Policy (available on request or on our website) for details of providers, purposes and durations.
For the rules we follow, see PECR cookies guidance.
12) Children and vulnerable people
Where we see children or vulnerable adults, we work with parents/guardians and follow safeguarding duties. We use clear, age‑appropriate explanations and act in the person’s best interests.
13) If you choose not to provide data
If you decline information needed for clinical safety, we may be unable to provide some services. Where information is optional (e.g., marketing), choosing not to provide it will not affect your care.
14) Automated decision‑making & profiling
We do not make decisions with legal or similarly significant effects solely by automated means. We may use limited segmentation (e.g., by service type) to send relevant communications with your consent.
15) CCTV (if in operation)
If CCTV operates at our premises, signage is displayed. Footage is retained for a short period (typically up to 30 days) unless needed longer for incident investigations. Access is restricted. Ask us for our CCTV policy if applicable.
16) How to contact us or make a complaint
Questions, requests or complaints about this notice or your data:
Email: contact@hearwithish.com
Post: Hear with Ish, 36 Princess Road West, Leicester, LE1 6TQ.
You also have the right to complain to the ICO. Details of how to make a complaint are available from the ICO, which you can contact at Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (Helpline 0303 123 1113).
17) Updates to this notice
We may update this notice to reflect changes in law or our services. The effective date above shows when it last changed. Where appropriate, we will flag material changes on our website or by email.