Last updated: March 2026
World Medical Concierge Ltd (“WMC”, “we”, “us” or “our”) is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, store and protect your personal data when you use our services or visit our website at www.worldmedicalconcierge.com.
We are registered in England and Wales with our principal offices at Harley Street, London W1G. For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, WMC is the data controller.
Given the nature of our medical concierge services, we handle sensitive personal data, including health information, with the utmost care and in strict compliance with all applicable data protection legislation.
We may collect and process the following categories of personal data:
Full name, title, date of birth, gender, nationality, passport or identification details, postal address, email address, telephone numbers and emergency contact information.
Medical history, current conditions, symptoms, diagnoses, treatment records, prescription information, diagnostic results (including imaging and laboratory reports), specialist consultation notes, referral letters, hospital discharge summaries and any other health-related information you or your healthcare providers share with us in connection with our services.
Billing address, payment method details, insurance policy information and transaction records related to our services and those of Partner Providers.
Travel itineraries, visa details, accommodation preferences, dietary requirements, accessibility needs and companion or family member details where relevant to your care coordination.
IP address, browser type and version, operating system, device information, pages visited on our website, time and duration of visits, referral sources and other analytical data collected through cookies and similar technologies. For more information, please see our Cookie Policy.
We collect personal data through the following means:
Direct interactions: When you reach the concierge team by telephone or email, through the website contact forms or in person at the offices; when you register for our services; and when you provide information during the course of our service delivery.
Third parties: From Partner Providers (hospitals, clinics, specialists) who share medical records and treatment information with your consent; from referring physicians; from your personal assistant or authorised representative acting on your behalf; and from insurance providers.
Automated technologies: Through cookies, server logs and similar tracking technologies when you interact with our website.
We process your personal data on the following lawful bases under the UK GDPR:
Contract performance (Article 6(1)(b)): Processing necessary for the performance of our contract with you, including coordinating appointments, arranging referrals, managing your care plan and processing payments.
Explicit consent (Article 9(2)(a)): For the processing of special category health data, we rely on your explicit consent, which you provide when engaging our services. You may withdraw consent at any time, though this may affect our ability to provide certain services.
Legitimate interests (Article 6(1)(f)): For purposes such as improving our services, maintaining security, fraud prevention and internal administration, where such interests are not overridden by your rights and freedoms.
Legal obligation (Article 6(1)(c)): Where we are required to process data to comply with legal or regulatory obligations, including healthcare regulations and reporting requirements.
We use your personal data for the following purposes:
(a) To deliver our medical concierge and coordination services, including arranging specialist consultations, diagnostic appointments, treatment planning and ongoing care management.
(b) To share relevant medical information with Partner Providers (hospitals, clinics, specialists) as necessary to facilitate your care, always with your knowledge and consent.
(c) To coordinate travel, accommodation and logistics for patients travelling to the UK or internationally for medical treatment.
(d) To process payments, manage invoicing and liaise with insurance providers on your behalf.
(e) To communicate with you regarding your care, appointments and service updates.
(f) To maintain internal records and improve the quality of our services.
(g) To comply with legal, regulatory and professional obligations.
We may share your personal data with the following categories of recipients, strictly on a need-to-know basis and in accordance with data protection law:
Partner clinics, hospitals and specialists: We share relevant medical and personal information with healthcare providers within our network to facilitate consultations, diagnostics, treatment and follow-up care. This sharing is essential to the delivery of our services and is conducted with your explicit consent.
Referring physicians and healthcare professionals: Where you have been referred to us by a GP or specialist, we may share relevant information back with the referring practitioner to ensure continuity of care.
Insurance providers: Where you have authorised us to liaise with your insurer regarding pre-authorisation, claims or payment for treatment.
Travel and accommodation providers: Limited personal data (name, contact details, accessibility requirements) may be shared with hotels, transport companies and visa processing services as necessary to coordinate your travel arrangements.
Professional advisors: Including legal counsel, accountants and auditors where necessary for the operation of our business.
Regulatory and legal authorities: Where required by law, regulation, legal process or governmental request.
As a global medical concierge service, we may need to transfer your personal data, including health data, to countries outside the United Kingdom in connection with the coordination of overseas medical treatment, remote consultations with international specialists or arrangements with our partner clinics and hospitals abroad.
Where we transfer personal data to countries not covered by a UK adequacy decision, we ensure that appropriate safeguards are in place, including:
(a) The use of the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses with our international partners.
(b) Ensuring that receiving organisations maintain appropriate technical and organisational security measures for the protection of personal data.
(c) Obtaining your explicit consent for specific transfers where this is the most appropriate safeguard, particularly in relation to health data being shared with treating clinicians overseas.
You may request further details of the safeguards applied to international transfers of your data by contacting our Data Protection Officer.
We take the security of your personal data extremely seriously. We have implemented robust technical and organisational measures to protect your data against unauthorised access, alteration, disclosure or destruction, including:
(a) Encryption of personal data in transit and at rest using industry-standard protocols.
(b) Strict access controls ensuring that only authorised personnel who require access for the performance of their duties may access your data.
(c) Regular security assessments and penetration testing of our systems.
(d) Staff training on data protection, confidentiality and information security.
(e) Secure disposal procedures for records no longer required.
(f) Incident response procedures to promptly address any data breach in accordance with UK GDPR notification requirements.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected or as required by law. Our retention periods are guided by the following principles:
Medical coordination records: Retained for a minimum of eight years from the date of the last service engagement, in line with NHS and professional medical record-keeping guidance, or longer where clinically appropriate.
Financial and billing records: Retained for seven years in compliance with HMRC requirements.
Website usage data: Retained for a maximum of 26 months.
When personal data is no longer required, it is securely deleted or anonymised in accordance with our data disposal procedures.
Under the UK GDPR, you have the following rights in relation to your personal data:
Right of access: You have the right to request a copy of the personal data we hold about you (a Subject Access Request).
Right to rectification: You have the right to request correction of any inaccurate or incomplete personal data.
Right to erasure: You have the right to request deletion of your personal data in certain circumstances, subject to legal and regulatory retention obligations.
Right to restrict processing: You have the right to request that we limit how we use your data in certain circumstances.
Right to data portability: You have the right to receive your data in a structured, commonly used, machine-readable format.
Right to object: You have the right to object to processing based on legitimate interests or for direct marketing purposes.
Right to withdraw consent: Where processing is based on consent, you may withdraw that consent at any time without affecting the lawfulness of processing carried out prior to withdrawal.
To exercise any of these rights, please contact our Data Protection Officer using the details provided below. We will respond to your request within one month, as required by the UK GDPR. There is no fee for exercising your rights, although we may charge a reasonable fee for unfounded or excessive requests.
Given the sensitive nature of health data, we apply additional protections and controls:
(a) Medical data is stored separately from general personal data with enhanced access controls and encryption.
(b) Access to medical data is restricted to senior clinical coordinators and authorised medical staff on a strict need-to-know basis.
(c) All sharing of medical data with Partner Providers is documented and auditable.
(d) We maintain a Caldicott-aligned approach to the handling of patient-identifiable health information, ensuring that information is shared only when necessary and in the minimum amount required.
(e) Where we engage data processors to handle medical data on our behalf, we ensure appropriate data processing agreements are in place in compliance with Article 28 of the UK GDPR.
Where we provide medical concierge services for minors (persons under 18), we collect and process their personal and medical data with the explicit consent of a parent or legal guardian. We apply the same rigorous data protection standards to children’s data as to adult data, with additional care taken to ensure age-appropriate data handling in compliance with the UK GDPR and the Children’s Code.
Our website uses cookies and similar tracking technologies to improve your browsing experience and to analyse website usage. For detailed information about the cookies we use and how to manage your preferences, please refer to our Cookie Policy.
If you are dissatisfied with how we handle your personal data, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:
Information Commissioner’s Office
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk
We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements or regulatory guidance. Any changes will be posted on this page with an updated revision date. Where changes are significant, we will endeavour to notify you directly. We encourage you to review this policy periodically.
For any questions regarding this Privacy Policy or to exercise your data protection rights, please contact:
Data Protection Officer
World Medical Concierge Ltd
Harley Street, London W1G
Email: privacy@worldmedicalconcierge.com
Website: www.worldmedicalconcierge.com