
Privacy Policy

Version 2.1 · April 2026 · UK GDPR Compliant · ICO Registration ZC115930

Contents

  1. Introduction
  2. Data Controller and DPO
  3. Legal Basis for Processing
  4. Information We Collect
  5. How We Use Your Information
  6. Third-Party Processors
  7. International Data Transfers
  8. Data Retention
  9. Your Rights Under UK GDPR
  10. Security
  11. OH Advisor AI — Specific Notice
  12. Children's Privacy
  13. Cookies
  14. Changes to This Policy
  15. Contact Us

1. Introduction

OH Specialists Hub (“we”, “us”, or “our”) is committed to protecting your personal information and your right to privacy. This Privacy Policy explains how we collect, use, store, and safeguard your information when you use our occupational health services, clinical platform, AI-assisted tools, and the OH Advisor Pro subscription service.

This policy applies to all information collected through our services, including:

  • The OH Specialists Hub clinical platform at clinic.ohspecialistshub.co.uk
  • The OH Advisor Pro subscription product at ohadvisor.pro
  • The OH Advisor AI assistant (embedded in both the clinical platform and OH Advisor Pro)
  • Our marketing website at ohspecialistshub.co.uk
  • Any related services, communications, or events

2. Data Controller and Data Protection Officer

Craig Page RGN DipOH
OH Specialists Hub
4 Haughton Road, Darlington, DL1 1SS
Email: dpa@ohspecialistshub.co.uk
ICO Registration: ZC115930 (registered 5 April 2026, expires 4 April 2027)

3. Legal Basis for Processing

We process personal data under the following legal bases as defined by UK GDPR:

  • Consent — you have given clear consent for us to process your personal data for a specific purpose
  • Contract — processing is necessary to fulfil a contract with you or to take steps before entering into one
  • Legal obligation — processing is necessary to comply with a legal requirement
  • Legitimate interests — processing is necessary for our legitimate interests, where those interests are not overridden by your rights

For health data and other special category data, we rely on the following additional conditions under Article 9 UK GDPR:

  • Article 9(2)(b) — processing necessary for obligations in the field of employment, social security, and social protection
  • Article 9(2)(a) — explicit consent obtained directly from the individual prior to assessment (digitally recorded with timestamp and IP address)
  • Article 9(2)(f) — processing necessary for legal claims

4. Information We Collect

4.1 Clinical Platform — Employee / Patient Data

When an employer refers an employee for occupational health assessment, we collect identity, contact, employment, health data (Special Category — Article 9), consent records, and technical data for audit logging.

4.2 Clinical Platform — Manager / HR Portal Data

When an employer organisation registers and uses the clinical platform, we collect account data, organisation profile, DPA acceptance records, referral data, and a Stripe customer ID only (no card data held on our servers).

4.3 OH Advisor Pro — Subscriber Data

OH Advisor Pro is a standalone subscription product at ohadvisor.pro. When you create a subscriber account, we collect account data, subscription tier and status, usage data (session count for free tier enforcement), DPA acceptance timestamp, affiliate referral code (if applicable), and technical data for security and audit purposes. Subscribers have no access to the clinical referral system or any clinical data.

4.4 OH Advisor AI — Query Processing

The OH Advisor HR tool processes anonymised queries only; users must not enter personal identifiers into it. The OH Advisor Clinical tool processes Special Category health data under Article 9(2)(b) and Article 9(2)(a) for report drafting by the treating clinician only. No query content is stored on our servers beyond the active session.

4.5 Affiliate Programme Data

For affiliate partners we collect name, email, affiliate code, bank details (for commission payments), and conversion records. For subscribers referred via affiliate links, we store only the short affiliate code slug against their account for commission attribution purposes.

Legal basis: Contract (affiliate agreement) and legitimate interests (accurate commission attribution and payment).

5. How We Use Your Information

  • Delivering occupational health services: assessments, OH reports, pre-employment screening, fitness-for-work advice
  • Service administration: appointments, diary, consent, secure communications
  • AI-assisted report drafting: clinical judgement remains with the clinician at all times
  • OH Advisor Pro subscription management: account creation, usage limit enforcement, subscription upgrades via Stripe
  • Affiliate programme administration: recording conversions, calculating and paying commissions
  • Payment processing via Stripe
  • Legal and regulatory compliance
  • Security and audit logging
  • Anonymous, aggregated platform improvement — no identifiable health data used

We will only use your health data for the purposes of providing occupational health services and will not share it without your explicit consent, except where required by law.

6. Third-Party Data Processors and Sub-processors

  • DigitalOcean LLC (UK, LON1) — UK cloud hosting for all platform and subscriber data. All data remains on UK servers.
  • Brevo SA (France / EU) — Transactional email only. No clinical data in any email. UK IDTA / SCCs in place.
  • Stripe, Inc. (UK / EEA) — Payment processing for clinical platform service fees and OH Advisor Pro subscriptions. No health data shared. PCI DSS Level 1. UK Addendum to EU SCCs.
  • Anthropic, PBC (United States) — AI language model API. Data transmitted over TLS 1.3. Anthropic does not use API data to train models under our data processing agreement. UK IDTA / SCCs in place.

We will never sell your personal information to any third party.

7. International Data Transfers

All clinical data, OH reports, and subscriber account data are stored exclusively on UK infrastructure (DigitalOcean LON1, London). Where transactional data is processed by sub-processors outside the UK (Brevo, Anthropic), appropriate safeguards are in place including UK IDTAs and Standard Contractual Clauses.

8. Data Retention

  • Occupational health records, clinical notes, OH reports: 8 years from date of assessment (BMA guidance)
  • Pre-employment health records: 8 years from date of assessment
  • Health surveillance records: up to 40 years where required by regulation
  • Access audit logs: 8 years — may not be deleted early
  • DPA acceptance records: duration of business relationship plus 8 years
  • Payment records: as required by HMRC (typically 7 years)
  • OH Advisor session queries: not stored beyond the active session
  • OH Advisor Pro subscriber accounts: 2 years after account closure
  • Affiliate records and conversion data: 7 years for financial record-keeping

9. Your Rights Under UK GDPR

  • Right of access (Art. 15): request a copy of the personal data we hold about you
  • Right to rectification (Art. 16): request correction of inaccurate or incomplete data
  • Right to erasure (Art. 17): request deletion — assessed against the 8-year legal retention obligation for clinical records
  • Right to restriction (Art. 18): request that we limit how we process your data
  • Right to data portability (Art. 20): request transfer of your data to another provider
  • Right to object (Art. 21): object to processing based on legitimate interests
  • Rights related to automated decision-making (Art. 22)

To exercise any of these rights, contact the Data Protection Officer at dpa@ohspecialistshub.co.uk.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ico.org.uk · 0303 123 1113).

10. Security of Your Information

  • Encryption at rest: AES-256-GCM for all clinical notes, OH reports, and health questionnaire data
  • Encryption in transit: TLS 1.3 enforced for all connections
  • Data location: all personal data stored exclusively on UK infrastructure — zero replication outside UK
  • Access control: role-based access control (RBAC) per product and user type
  • Authentication: JWT-based with 24-hour token expiry; passwords hashed using bcrypt (cost factor 12)
  • Audit logging: every data access logged with timestamp, user ID, IP address, and action type — retained 8 years

11. OH Advisor AI — Specific Notice

11.1 OH Advisor HR (Manager and HR Subscriber-facing)

Processes anonymised queries only. Users must not enter employee names, dates of birth, NI numbers, or other personal identifiers. No query content stored beyond the active session. AI responses are informational only and do not constitute clinical advice.

11.2 OH Advisor Clinical (Clinician-facing)

Used exclusively by the treating clinician for OH report drafting. Processes Special Category health data under Article 9(2)(b) and Article 9(2)(a). Employee consent for AI-assisted drafting is captured as part of the standard clinical consent process. Clinical judgement remains with the clinician at all times. Data sent to Anthropic is not used for model training under our data processing agreement.

11.3 Query Limits and Usage Tracking (OH Advisor Pro Free Tier)

Free tier subscribers are permitted 10 chatbot sessions per calendar month. Session count and monthly reset date are recorded solely for limit enforcement. This data is not used for profiling or any other purpose. Paid tier subscribers are not subject to session limits and no usage count is maintained for their accounts.

12. Children’s Privacy

Our services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under 16 without verified parental or guardian consent. Where a pre-employment medical is conducted for an individual aged 16 or 17, additional consent safeguards apply.

13. Cookies and Tracking Technologies

The clinical platform (clinic.ohspecialistshub.co.uk) uses session-based authentication tokens only. No advertising cookies or third-party tracking technologies are used within the clinical platform.

The OH Advisor Pro product (ohadvisor.pro) uses the ohsh_affiliate cookie — a 30-day cookie set when you arrive via an affiliate referral link, storing only the affiliate reference code for commission attribution on upgrade. See our Cookie Policy for full details.

The marketing website (ohspecialistshub.co.uk) may use analytics cookies. See our Cookie Policy for full details.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify registered users of any material changes by email and by posting notice within the platform no less than 14 days before changes take effect. The “Last Updated” date at the top of this policy indicates when it was most recently revised.

15. Contact Us

Data Protection Officer: Craig Page RGN DipOH
OH Specialists Hub · 4 Haughton Road, Darlington, DL1 1SS
dpa@ohspecialistshub.co.uk · ICO Registration: ZC115930



© 2026 OH Specialists Hub. All rights reserved.