Privacy statement

At Inuvi we take data protection seriously and are committed to safeguarding all data in our possession and ensuring the privacy of our customers.

About us

At Inuvi (now referred to as Inuvi, ‘we’ or ‘us’) we take data protection seriously and are committed to safeguarding all data in our possession and ensuring the privacy of our customers. We will only use information provided to us for specified and lawful purposes as provided under the UK General Data Protection Regulation and will handle this information both respectfully and responsibility.

We are an independent medical screening and clinical laboratory provider. We provide specialist medical screening and laboratory testing services using a mixture of in-house personnel, self-employed contractors and third-party partnership organisations to ensure that you are being supported by the leading specialists in their field.

This privacy notice provides details about how your personal information is collected, shared and used by us. To learn more about Inuvi, visit If you have any questions about this privacy notice or the practices described herein, you may contact [email protected].


Our Privacy Notice complies with the UK GDPR (now referred to as ‘GDPR’) and Data Protection Act 2018 ensuring that all individuals whose personal information we process have been informed of why we need it, how it is used, what their rights are, who the information is disclosed to and what safeguarding measures are in place to protect their information.

The GDPR imposes strict guidelines to secure a data subject’s right to privacy with regard to their personal information. Under the GDPR’s data protection principles, organisations must be able to demonstrate that any personal data they handle is:

• Processed lawfully, fairly and transparently

• Collected for specified, explicit and legitimate purposes

• Adequate, relevant and limited to what is necessary

• Accurate and, where necessary, kept up to date

• Kept for no longer than is necessary where data subjects are identifiable

• Processed securely and protected against accidental loss, destruction or damage

Who this policy applies to

Customers of Inuvi from whom we collect medical evidence in the form of answers to a medical questionnaire or examination, the results from tests performed at our clinical laboratory, as well as visitors to our website.

Definitions under GDPR

Data Subject – means an individual about whom personal data is processed.

Data Controller – A person who (either alone or jointly or in common with other persons) determines the purposes for which, and the manner in which, any personal data is, or is to be, processed.

Data Processor – In relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller.

Personal Data – Any information relating to any person that can be used to identify them either directly or indirectly, such as their name, identification number, address, web browsing data or other factors specific to physical, psychological, genetic, mental, economic, cultural or social identity of that person.

Processing – Any operation or set of operations which is performed on Personal Data or on personal sets of data, whether or not by automated means

Sensitive Personal Data – Information on racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, health, sex life and sexual orientation, and genetic or biometric data.

Lawful grounds for processing

Inuvi may process personal data lawfully for a number of reasons, including in order to:

  • Carry out a task as instructed by the data controller, as necessary for the performance of a contract
  • Respond, with your consent, to a message you have sent us through the website
  • Comply with a legal obligation
  • Carry out a task in the public interest, or in exercising official authority vested in Inuvi
  • Protect the legitimate interests of Inuvi or a third party, except where this is overridden by your own interests or rights.

Data Controller for medical evidence collection or clinical laboratory services

The data controller is the organisation that you engaged with to provide a service to you. It may be an insurance company providing life insurance, a clinician or hospital, but equally could be any organisation that requires medical information about you in order to provide you with a service. The contact details of the controller will vary depending on the organisation you are using to provide you with the service. From herein, the data controller will be referred to as your service provider.

Data Processor for medical evidence collection and clinical laboratory services and Controller for the website

In terms of the collection of medical evidence from you, the data processor is:


Unit 10 Millars Brook Business Park

Molly Millars Lane


RG41 2AD

Phone: +44 118 467 0555


E-mail: [email protected]

The website is owned and operated by Inuvi and we are therefore the designated data controller for it. You can contact Inuvi via post, a contact form on our website, by telephone or email.

Data Protection Officer

The data protection officer can be contacted at:


Unit 10 Millars Brook Business Park

Molly Millars Lane


RG41 2AD

Phone: +44 118 467 0555

E-Mail: [email protected]

You may at any time contact our data protection officer directly with all questions and suggestions regarding this policy and data protection in general at Inuvi.

Medical evidence collection – what information we may collect about you and how it will be used

As a Data Processor, Inuvi keeps and processes information about you if we are instructed by your service provider to perform a medical examination on you, for example, if you have applied for life insurance. The information that we hold and process will be shared with your service provider who is the Data Controller. You should review your service providers’ own privacy policy for a description of how they use this information.

If you choose not to provide the information that is asked of you during your medical examination then we may in some circumstances be unable to comply with our obligations to the data controller. Your service provider will inform you of the implications of that decision.

The sort of information we hold may include, but not be limited to; your name, postal address, E-Mail address, telephone contact numbers, GP details, the answers to medical questions, the results of medical examinations and blood tests, and correspondence including emails and phone call recordings with you or where you are discussed.

Personal and sensitive data

Personal data is any information relating to any person who can be identified either directly or indirectly, such as their name, or an identification number, a location, online data or through factors specific to physical, psychological, genetic, mental, economic, cultural or social identity of that person.

Under GDPR, it is legitimate to process sensitive personal data where necessary. For example – if you have applied for a life insurance policy and consented to your medical information being used for the purposes of an underwriting decision. What counts as sensitive personal data remains broadly the same as that under the Data Protection Act. In terms of your relationship with Inuvi, we will collect sensitive personal information relating to your health only as directed by your service provider.

Sharing and transferring personal data

Inuvi will only disclose information about you to third parties if we are legally obliged to do so. Where we need to comply with our contractual duties to the service provider, sub-processors will be used. For example, a laboratory when a lab test is required, or a nurse or doctor to undertake the medical examination. Otherwise, we do not pass any of your information to a third party.

If there is a requirement in the future to process your data for a purpose other than for which it was collected, your consent will be required. You will be provided with notice, the information on that purpose and any other relevant information.

Record keeping and data retention periods

We will maintain clear and accessible records of all data processing activities.

Data will only be kept for as long as is required through our contractual obligations to the service provider. If you request for your personal data to be erased through your service provider, we will comply with their requests when certain circumstances are met. You should review the service provider’s privacy policy for information on their data retention policies.

Clinical laboratory services – what information we may collect about you and how it will be used

Typically, the information about data subjects that is processed by Inuvi comes from clinicians that you visit for healthcare purposes, but it may also be collected via email, over the phone or any other means of communication. They send us personal information in addition to pathology samples (body fluids or tissues) and request tests are carried out upon those samples.

The information provided to Inuvi may include:

  • your name, date of birth, gender, address, e-mail address and in some cases phone number and card payment details, and medical history;
  • practice details of the requesting clinician such as address, specialities and secretary information;
  • information that is necessary to process invoices including patient demographics, financial, bank and credit card information, medical and insurer specific information such as insurer name and policy/identification details.

To carry out our obligations arising from any contracts entered into between your clinician and Inuvi and to provide them with the information, products and services request from Inuvi such as:

  • the provision of pathology services, and associated processing of bills for payment;
  • providing test requesting and results delivery management tools
  • to process invoices on behalf of various parties, such as clinicians, hospitals and insurers;
  • for process management and improvement;
  • to notify you or your clinician about changes to Inuvi’s products and services and to otherwise manage Inuvi’s communications with you.

Phone call recording

Inuvi may record telephone calls with you to:

  • Establish facts and check for mistakes relating to you and the medical examination to be completed with you
  • Provide evidence of communication with you for your service provider
  • Assist in quality monitoring and training of staff
  • Investigate and resolve a complaint

We may be asked to share a call recording with your service provider in order for them to respond to a request or a complaint. You may request that your call isn’t recorded. In this situation, you’ll normally be advised to contact us either in writing or by email.

Data relating to phone call recordings are stored securely for 3 months, at which point they are securely destroyed.

Inuvi website – what information we may collect about you and how it will be used

The use of the pages on the Inuvi website is possible without any indication of personal data other than the public IP address that you are browsing from; however, if you want to send Inuvi a message, processing of personal data will become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we will obtain consent from you.

Inuvi has implemented numerous technical and organisational measures to ensure the most complete protection of personal data processed through this website. However, you are free to transfer personal data to us via alternative means, e.g. by telephone.

Inuvi acts as both the data controller and processor in respect to the data received through our website. No information is passed on to third parties or sub-processors unless additional consent is collected first, for example, during a job application that results in the offer of employment from Inuvi.


The Inuvi website uses cookies. Cookies are text files that are stored in a computer system via an Internet browser.

Many Internet sites and servers use cookies. Many cookies contain a so-called cookie ID. A cookie ID is a unique identifier of the cookie. It consists of a character string through which Internet pages and servers can be assigned to the specific Internet browser in which the cookie was stored. This allows visited Internet sites and servers to differentiate the individual browser of the visitor from other Internet browsers that contain other cookies. A specific Internet browser can be recognised and identified using the unique cookie ID.

The most common reason cookies are being used would be for tracking, e.g. Google analytics which measures web traffic and browsing from different sources, however this is not currently installed on the site. The technology used as the basis of the Inuvi website creates cookies, but the cookie itself is not used for any purpose whatsoever.

You may, at any time, prevent the creation of cookies through our website by means of a corresponding setting of the Internet browser used, and may thus permanently deny the setting of cookies. Furthermore, already set cookies may be deleted at any time via an Internet browser or other software programs. This is possible in all popular Internet browsers. If you deactivate the setting of cookies in your web browser, all functions of our website will continue to be usable.

Collection of general data and information

The website of Inuvi collects a series of general data and information, when a data subject or an automated system calls up the website. This general data and information is stored in the log files of the server. Collected data may be (1) the browser types and versions used, (2) the operating system used by the accessing system, (3) the date and time of access to the website, (4) an Internet protocol address (IP address), (5) the Internet service provider of the accessing system and (6) any other similar data and information that may be used in the event of attacks on our information technology systems.

When using this general data and information, Inuvi does not draw any conclusions about the data subject. Rather, this information is needed to (1) deliver the content of our website correctly, (2) optimize the content of our website as well as its advertisement, (3) ensure the long-term viability of our information technology systems and the technology of our website, and (4) provide the law enforcement authorities with the information necessary for criminal prosecution in case of a cyber-attack. Therefore, Inuvi analyses these anonymously collected data and information, on one hand, statistically and besides with the aim of increasing the data protection and data security of our enterprise and, ultimately, to ensure an optimal level of protection for the personal data processed by us. The anonymous data of the server log files are stored separately from all personal data provided by a data subject..

The General Data and Information collected (as outlined above) is stored for a period of one year..

Quick contact and sending an e-mail (e.g. Contact Us and Work with Us sections)

It is possible to send a message using a built-in form on the website (as well as through a standard E-Mail application) with the provisions of personal data. The personal data transmitted to us is determined by the information you entered but at a minimum will include your full name and email address. The personal data is collected and stored exclusively for internal use and specifically for responding to the message and its contents.

By using the contact form, your external IP address and the date / time of when the message was sent is also stored. The storage of this data is a security measure that takes place as a way to prevent the misuse of our services and, if necessary, to make it possible to investigate committed offenses. This data is not passed on to third parties, unless there is a statutory obligation to pass on the data to serve the aim of a criminal prosecution.

We use the data collected when a message is sent to us for responding to the message and its contents. You are free to request a change of the personal data specified within the form at any time, or to have the data completely deleted from our systems.

The information collected as part of our correspondence with the data subject is only stored for as long as it is required to complete the correspondence and satisfy the query.

Disclosure of your information

Inuvi may share your information with selected third parties including:

  • Any member of its group, which means its subsidiaries, ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006;
  • Business partners, referral laboratories, suppliers, insurers, logistics companies, debt management agencies, and sub-contractors required for the performance of any contract Inuvi enters into with them, you or your clinician.
  • For the purpose of investigating any potential legal claims against Inuvi, your information may be shared with our insurers in order to obtain insurance advice and services
  • National screening or public health monitoring schemes such as Public Health England;
  • Information about your interactions with our websites may be shared with organisations that assist Inuvi in the improvement and optimisation of websites.

When Inuvi shares such information, it will ensure that it is only sharing as much information as is required to fulfil the purpose for which it is sharing it.

Inuvi may also disclose your information to third parties if we are under a duty to disclose or share your information in order to comply with any legal obligation, or in order to enforce or apply Inuvi terms and conditions and other agreements; or to protect the rights, property, or safety of Inuvi, its customers, employees, or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection and credit risk reduction.

Where we store your information

Unless specific consent is sought and received, or another of the conditions for transferring data outside the EEA under GDPR is satisfied (such as the inclusion of model contractual clauses in our contract with the supplier/ third party, the need to refer samples to specialist providers) we will not transfer your information outside of the EEA. The policy of your Data Controller, which could be your hospital, clinician, insurer etc. may be different to this so you should check carefully the relevant privacy policies in order to fully understand their implications.

Your rights

Under the General Data Protection Regulation (GDPR) you have a number of rights with regards to your personal data. In summary, these are:

  • Right to be informed about the processing of your personal data.
  • Right to rectification if your personal data is inaccurate or incomplete (requests to amend data will normally have to be processed within 1 month).
  • Right of access to your personal data and supplementary information, and the right to confirmation that your personal data is being processed.
  • Right to be forgotten by having your personal data deleted or removed on request where there is no compelling reason for an organisation to continue to process it again (Inuvi has to respond without undue delay or and within 1 month of the request).
  • Right to restrict processing of your personal data, for example, if you consider that processing is unlawful or the data is inaccurate.
  • Right to data portability of your own personal data for your own purposes (you will be allowed to obtain and reuse your data).
  • Right to object to the processing of your personal data for direct marketing, scientific or historical research, or statistical purposes.

Where Inuvi are acting as a Data Processor providing medical evidence collection or clinical laboratory services, the above rights should be requested through your service provider. Inuvi will support the service provider in implementing the requests.

Where Inuvi is acting as a Data Controller for data provided through the website, you have the right to request from us access to and rectification of your data as well as for it to be erased and to restrict processing of your data in certain circumstances.

Inuvi will take reasonable steps to create an accurate record of any personal data submitted to us and created by us. Should any factual data held be noted to be incorrect, and Inuvi are notified of this, we will take appropriate steps to rectify this information without undue delay.

If you have provided consent for the processing of your data you have the right to withdraw that consent at any time which will not affect the lawfulness of the processing before your consent has been withdrawn.

You have the right to access all information held about you and/or to request partial or total erasure of your data in accordance with the General Data Protection Regulations. Where Inuvi are holding data related to provision of medical evidence, this data may also be requested through your service provider as outlined above. You can make a request in writing to [email protected] or via the postal address in the processors section above. We may require valid forms of identification in order to action your request.

You also have the right to lodge a complaint with the information Commissioners Office (ICO) if you feel that we have not complied with GDPR requirements regarding your personal data.


Under GDPR, the current methods of requesting consent to collect and process your data have been reviewed. In certain situations, consent is not required (for example, if there is a legal obligation or we are performing a contract). However, for most other scenarios, data will not be collected or processed without your consent. We always ask for your consent when processing personal data that we have received through our website.

Data security breaches

As outlined above, Inuvi takes management of your personal data seriously and takes all reasonable steps to appropriately secure your data. In the event that a data security breach occurs, it is the responsibility of the Data Controller to notify you without undue delay if there is likely to be a high risk to your rights and freedoms.

For website collection issues, the responsibility would lie with Inuvi. Information will be provided regarding the nature of the breach and action being taken. Concurrently to this, Inuvi will notify relevant parties such as the ICO and/or law enforcement agencies to ensure appropriate action is taken, unless the personal data breach is unlikely to result in a risk to your rights and freedoms.

For medical evidence collection issues, this responsibility would lie with your service provider.


This policy may be updated as required to ensure its compliance with data protection legislation and to exercise best practice. We recommend regular review of this policy to ensure you are happy and in agreement with our policy and associated practices.