Privacy Notice

“Patient Billing” (referred to in this policy as “we”, “us” and “our”) is:

Patient Billing Limited
Unit 9 KD Tower
Cotterells
Hemel Hempstead
HP1 1FW

ICO Registration Number: ZA313603

We have appointed a Data Protection Officer (DPO) who can be contacted in the following ways should you have any questions or feedback about the way your data is processed:

Email: dpo@patientbilling.co.uk

Postal address
Data Protection Officer
Patient Billing Limited
Unit 9 KD Tower
Cotterells
Hemel Hempstead
HP1 1FW

We collect, use, store and process the following information, which we have categorised and grouped together as follows:

PROVIDING AND IMPROVING OUR PRODUCTS AND SERVICES

We collect or use the following information to provide and improve our products and services:

  • Names and contact details (address, telephone number or email address)
  • Information relating to compliments and complaints
  • Usage data (how you interact with and use our website, products and services)
  • Transaction data (details about payments and details of products and services)
  • Website user account information and access
  • Website user journeys and experiences

DEALING WITH QUERIES AND COMPLAINTS

We collect or use the following personal information for dealing with queries, complaints or claims:

  • Names and contact details (address, telephone number or email address)
  • Account information
  • Purchase or service history
  • Relevant information from previous investigations or reviews
  • Accounts and records
  • Financial transaction information
  • Correspondence
  • Any other personal data relevant to the query, complaint or claim.

PREVENTION OR DETECTION OF CRIME

We collect or use the following information for the prevention, detection, investigation and prosecution of crimes (e.g. fraud):

  • Names and contact details (address, telephone number or email address)
  • Account information
  • Relevant information from previous investigations or reviews
  • Policyholder accounts and records
  • Financial transaction information
  • Correspondence
  • Any other personal data relevant to the prevention or detection of crime.

MARKETING AND RESEARCH

We collect or use the following personal information for information updates or marketing and research purposes:

  • Name and contact details (address, telephone number or email address)
  • Marketing preferences
  • Profile information
  • Survey responses
  • Feedback questionnaires

RECRUITMENT

We collect or use the following personal information for recruitment purposes:

  • Names and contact details (address, telephone number or email address)
  • Curriculum Vitae (CV)
  • Employment history (e.g. job application and employment references)
  • Education history (e.g. qualifications)
  • Right to Work Information

WHEN VISITING OUR OFFICES

We collect or use the following personal information for physical security purposes, when you visit our offices:

  • Names and contact details (e.g. name, car registration, contact number etc.)

Under UK data protection law, we must have a “lawful basis” for collecting and using your personal information. The majority of the time for processing invoices, we will be acting as a Data Processor and the Data Controller will be responsible for the lawful basis.

Providing and improving our products and services

  • Performance of a contract
  • Legal/regulatory obligation
  • Legitimate interests
    • To ensure the security of our website and systems
    • To improve and enhance our products and services
    • To provide a personalised service
    • To understand the usage of our website and services

Dealing with queries, complaints and claims

  • Performance of a contract
  • Legal/regulatory obligation
  • Legitimate interests
    • To improve and enhance our products and services

Marketing and research

  • Consent
  • Legitimate interests
    • To improve and enhance our products and services
    • To promote our products and services via direct marketing
    • To determine the effectiveness of promotional campaigns

Recruitment

  • Performance of a contract
  • Legal/regulatory obligation

Physical visits

  • Legal/regulatory obligation
  • Legitimate interests
    • For the safety and security of our people, visitors and assets

The lawful basis we rely on may affect your data protection rights which are in brief set out below. You can find out more about your data protection rights and the exemptions which may apply on the ICO’s website.

  • Your right of access – You have the right to ask us for copies of your personal information. You can request other information such as details about where we get personal information from and who we share personal information with. There are some exemptions, which means you may not receive all the information you ask for. You can read more about this right here.

If you make a request, we must respond to you without undue delay and in any event within one month.

To make a data protection rights request, please contact us using the contact details at the top of this privacy notice.

 

Profiling and Automated Decision Making

We may use profiling to enable us to give you the best service across the organisation, so that we can produce more relevant and tailored communications by having a deeper understanding of your interests and personal preferences.

You have the right not to be subject to a decision based solely on automated processing, which has legal effects for you or affects you in any other significant way. We ensure that there are simple ways for you to request human intervention or challenge an automated decision. We also carry out regular checks to ensure that our systems and processes are working as intended.

We will share personal data with a limited number of third parties in the following circumstances for them to perform specific services for us:

  • To provide our services.
  • To verify your identity and check your details.
  • To handle complaints and improve customer service.
  • To provide marketing activities.
  • To perform our regulatory responsibilities.
  • To provide us with professional advice and specialist services. This includes but is not limited to: auditors, actuaries, banking, legal, insurance and accounting services.
  • To provide us with IT support and maintenance. Service providers and partners who provide IT and system administration services, support services and commissioned services.
  • IT systems and cloud hosting providers (e.g. Cloud CRM providers and cloud backups).

We’ll never make your personal data available to anyone outside Patient Billing Limited for them to use for their own marketing purposes without your prior consent.

We may process your data outside the UK and EU.

Should we transfer personal data overseas, we will ensure that we comply with UK data protection legislation, ensuring appropriate safeguards are in place.

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way.

We are ISO 27001 and Cyber Essentials Plus certified and in addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instruction, and they are subject to a duty of confidentiality.

External Links

Please remember that if you use a link to go from our websites to another website, or you request a service from a third party, this privacy notice will no longer apply once you have left this website. Please note, your activity and interaction on any other website is subject to that website’s own rules and policies.

We will only retain your personal data for as long as is necessary to fulfil the purposes for which it is collected. When assessing what retention period is appropriate for your personal data, we take into consideration:

  • Any statutory or legal obligations.
  • The requirements of the business.
  • The purposes for which we originally collected the personal data.
  • The lawful grounds on which we based our processing.
  • The types of personal data we have collected.
  • The amount and categories of your personal data; and
  • Whether the purpose of the processing could reasonably be fulfilled by other means.

After such time, we will securely delete or destroy your personal data. A default principle is that the majority of company records are retained for a minimum period of six years from the date on which they are created.

Please note, we will be acting as a Data Processor for the provision of our services and the Data Controller will be responsible for the retention period.

Please let us know if you are unhappy with how we have used your personal data by contacting the Data Protection Officer (details can be found in section 2).

You also have a right to complain to the Information Commissioner’s Office. You can find their contact details at www.ico.org.uk. We would be grateful for the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

If you would like this privacy notice in another format (for example: audio, large print or braille) please contact us (see the ‘How to contact us’ section above).

This statement is reviewed periodically to ensure it remains accurate and appropriate.

Last reviewed & updated: May 2026
