Privacy Notice
How we collect, use, and protect your personal data — written in plain English.
Last updated: July 2026
Who we are
The data controller for the personal information described in this notice is:
- Trading name: Victoria Park Clinic
- Legal entity: GS Medical Services Ltd
- Company number: 09690128
- ICO registration number: CSN2913723
- Address: 18 Victoria Park Square, Bethnal Green, London E2 9PB
- Contact: drgohar@victoriaparkclinic.co.uk
As data controller, GS Medical Services Ltd determines the purposes and means of processing your personal data and is responsible for handling it in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
What data we collect and why
Website enquiry form
When you submit an enquiry through our website contact form, we collect:
- Your name
- Your email address
- Your mobile number
- The text of your enquiry
We use this information solely to respond to your enquiry. If you have expressed interest in a treatment or service, we may follow up on that specific enquiry. We do not add you to any marketing list without your explicit consent, and we do not use your enquiry data for any purpose unrelated to your contact with us.
Lawful basis: legitimate interests (Article 6(1)(f) UK GDPR) — specifically, our legitimate interest in responding to your contact and discussing our services with prospective patients who have chosen to reach out to us.
Booking and appointment data
If you proceed to book a consultation or treatment, we collect your name and contact details as part of the booking process. Where payment is taken, this is handled through our payment processor, Stripe (see Section 3).
Lawful basis: performance of a contract, or steps taken prior to entering a contract at your request (Article 6(1)(b) UK GDPR).
Analytics, advertising, and cookies
We use three tools on this website that set cookies or collect behavioural data. All three only run if you explicitly accept via the cookie banner — none is active by default.
- Google Analytics (via Google Tag Manager) — standard website analytics that tells us which pages are visited, how visitors arrived at the site, and broadly how they navigate it. No personally identifiable information is sent to Google Analytics.
- Microsoft Clarity — a behaviour analytics tool that includes session recording and replay: it records how visitors navigate and interact with pages (mouse movements, clicks, and scrolling patterns). This helps us identify usability issues and improve the site. Session recordings do not capture form field contents. Data is processed by Microsoft under their own privacy policy.
- Google Ads conversion tracking (via Google Tag Manager) — we use Google Ads to advertise our services. Conversion tracking sets an advertising cookie that tells us when a visitor books a consultation after clicking one of our ads; this helps us understand whether our advertising is working. We do not use personalised or remarketing ads — the advertising cookie is used only for conversion measurement, and the personalisation signal (
ad_personalization) is always kept denied, even when you accept all cookies.
You can change or withdraw your consent at any time by clicking the Cookie settings link in the footer of any page on this site.
Lawful basis: consent (Article 6(1)(a) UK GDPR and, where cookies are used to store or access information on your device, the Privacy and Electronic Communications Regulations 2003 (PECR)).
Health data and special-category information
Some information we hold in the course of providing or considering treatment is health data — for example, your reason for attending, treatment details, clinical notes, and anything else that reveals information about your physical health or condition. Under UK GDPR, health data is "special-category" personal data (Article 9) and attracts stronger legal protection than ordinary personal data.
As a healthcare provider, we may process health data in the following circumstances:
- Health concerns, treatment goals, or relevant medical history you share when enquiring or booking
- Clinical notes, consultation records, and treatment details recorded by Dr Shah in the course of providing care
- Appointment and patient records held in Pabau (see Section 5) that relate to your health or treatment
Article 6 lawful basis: primarily, performance of a contract — we need this information to provide the treatment or clinical service you have requested (Article 6(1)(b) UK GDPR). Legitimate interests (Article 6(1)(f)) may apply in addition where we process information to protect patient safety or to improve our services.
Article 9 condition: We rely on Article 9(2)(h) UK GDPR — processing necessary for the purposes of preventive or occupational medicine, the provision of health care or treatment, or the management of health care systems, carried out by or under the responsibility of a health professional subject to a legal obligation of confidentiality. Dr Gohar Shah is a registered medical practitioner (GMC registration number: 6127983) and is bound by the GMC's duty of confidentiality. This processing is carried out subject to the professional confidentiality requirements referred to in Article 9(3) UK GDPR.
Where Article 9(2)(h) does not apply to a particular processing activity — for example, where health information is shared by you before any clinical relationship has been established and is processed purely on the basis of your instruction — we will instead rely on explicit consent as the Article 9 condition (Article 9(2)(a) UK GDPR). You may withdraw that consent at any time by contacting us. Withdrawal does not affect the lawfulness of any processing carried out before the withdrawal.
Payment records are kept entirely separate from clinical records and described in generic terms (for example, "consultation fee" or "treatment course instalment"), so that payment data does not itself reveal any health information. This is described further in Section 3.
Payment processing (Stripe)
We use Stripe, Inc. to process card payments. When you pay — whether online or in the clinic — your card details are entered directly into Stripe's secure payment environment. We do not receive, handle, or store your card number, expiry date, or CVV at any point.
We receive a payment confirmation, transaction reference, and the amount paid. No full card details are transmitted to us.
Payment records are held entirely separately from clinical records. Payment descriptions are kept generic — for example, "consultation fee" or "treatment course instalment" — so that payment data does not reveal or identify any specific health information or treatment detail. This is deliberate practice to prevent payment records from constituting or implying special-category health data under UK GDPR Article 9.
Stripe acts as a data processor when processing transactions on our behalf, and as an independent data controller for certain purposes under their own terms. Their privacy policy is available at stripe.com/gb/privacy.
How long we keep data
We only keep your personal data for as long as is necessary for the purposes for which it was collected, or as required by law.
- Clinical and patient records (consultation notes, consent forms, treatment records, and clinical photographs): 8 years from the date of your last treatment or contact with the clinic, in line with national records-management guidance for adult health records.
- Financial and payment records (invoices and transaction references): 6 years from the end of the financial year to which they relate, as required by HMRC.
- Enquiry-form data where no booking or clinical relationship follows: 12 months from our last contact with you, after which it is deleted.
- Consent and preference records (including cookie and marketing consent): for as long as the consent remains active, and deleted or suppressed when you withdraw it.
- Where a complaint, claim, or legal matter is ongoing, we may retain the relevant records until the matter is concluded.
Once the applicable retention period has passed, we securely delete or anonymise your personal data so that it can no longer be linked to you.
Who else we share data with
We do not sell your personal data to any third party. We share your information only in the following limited circumstances:
- Stripe: for payment processing (see Section 3 above). Payment descriptions shared with Stripe are kept generic and do not identify health or treatment information.
- Pabau (booking and practice management): we use Pabau, a clinic practice-management platform, to manage appointments, patient records, and payments. Information you provide when booking or attending the clinic is stored within Pabau on our behalf. Pabau acts as our data processor and processes data in accordance with our instructions and a data processing agreement. Pabau stores data within the UK and EU. You can read Pabau's privacy policy at pabau.com/privacy-policy.
- IT and software providers: our website hosting provider and other technical service providers may process your data as data processors acting under contract and our instruction.
- Professional advisers: where necessary, we may share data with our legal advisers, accountants, or insurers, strictly for those professional purposes and subject to confidentiality obligations.
- Regulatory and law-enforcement bodies: where we are under a legal obligation to disclose information, for example to the ICO, HMRC, or law enforcement.
We do not share your personal data with third parties for their own marketing purposes.
International transfers
Stripe operates globally, including in the United States. Stripe uses standard contractual clauses approved by the ICO and participates in the UK Extension to the EU–US Data Privacy Framework, providing appropriate safeguards for any transfer of your data outside the UK.
We do not otherwise routinely transfer your personal data outside the United Kingdom. Where any such transfer does occur, we ensure that appropriate safeguards are in place in accordance with UK GDPR Chapter V.
Your rights
Under UK GDPR, you have the following rights in relation to the personal data we hold about you:
- Right of access — you can request a copy of the personal data we hold about you (a Subject Access Request).
- Right to rectification — you can ask us to correct inaccurate or incomplete personal data.
- Right to erasure — you can ask us to delete your personal data where it is no longer necessary for the purpose for which it was collected, or where you have withdrawn consent and there is no other lawful basis for processing.
- Right to restrict processing — you can ask us to pause use of your data, for example while a dispute is being resolved.
- Right to object — you can object to processing carried out on the basis of legitimate interests. We will honour this unless we can demonstrate compelling legitimate grounds that override your interests.
- Right to data portability — where processing is based on consent or contract and carried out by automated means, you can request your data in a structured, commonly used, machine-readable format.
- Rights related to automated decision-making — we do not make decisions about you using solely automated processing that produces legal or similarly significant effects.
To exercise any of these rights, please contact us at: drgohar@victoriaparkclinic.co.uk
We will respond to all valid requests within one calendar month. We may ask you to verify your identity before acting on a request. There is no charge for making a request unless it is manifestly unfounded or excessive.
Complaints
If you have a concern about how we handle your personal data, please contact us in the first instance at drgohar@victoriaparkclinic.co.uk so that we have the opportunity to resolve it.
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at any time:
- Website: ico.org.uk
- Phone: 0303 123 1113
- Post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF