Data Retention Policy
This policy explains how long ScanBook retains personal data and the lawful basis for doing so, in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Overview
ScanBook (operated by The Connective UK Ltd) is committed to retaining personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law. We review our data holdings regularly and securely delete or anonymise data that is no longer required.
This policy applies to all personal data processed by ScanBook, including patient data, clinic partner data, and operational data. Our full privacy practices are set out in our Privacy Policy.
Last updated: 3 June 2026
Retention periods
The table below sets out our standard retention periods by data category:
| Category | Data held | Retention period | Legal basis |
|---|---|---|---|
| Patient account data | Name, email, date of birth, address, phone | 7 years after last booking | Legal obligation (NHS/medical records standards), contract |
| Booking records | Booking details, scan type, appointment date, payment reference | 7 years from date of appointment | Legal obligation (financial records), legitimate interests |
| Medical/safety questionnaire data | Safety questionnaire answers, implant disclosures, health information | 7 years from date of appointment | Legal obligation (health & safety), UK GDPR Art. 9(2)(h) |
| Payment data | Transaction reference, amount paid — card details held by Stripe only | 7 years (financial records) | Legal obligation (HMRC/accounting) |
| Scan reports | Radiologist report link, report metadata | 7 years from date of appointment | Legal obligation, legitimate interests |
| Communications | Emails sent/received (booking confirmations, reminders) | 3 years | Legitimate interests |
| Marketing consent | Record of consent / opt-out | 3 years from withdrawal of consent | Legal obligation (ICO guidance) |
| Website analytics | Anonymised traffic data (Google Analytics) | 26 months (Google default) | Legitimate interests |
| Cookie consent | Record of cookie preferences | 12 months | Legal obligation (PECR) |
| Partner/clinic applications | Application details, contact information | 3 years from rejection; indefinitely for approved partners | Legitimate interests, contract |
| Admin logs | System access and action logs | 12 months | Security, legitimate interests |
Special category (health) data
Medical information collected during the booking process — including safety questionnaire answers, implant disclosures, and contraindications — constitutes special category data under UK GDPR Article 9. We retain this data for 7 years from the date of the appointment, in line with NHS and private medical practice guidelines for clinical record-keeping.
Access to special category data is restricted to authorised staff on a strict need-to-know basis, and is never used for marketing purposes.
Deletion and anonymisation
At the end of a retention period, personal data is either securely deleted or irreversibly anonymised so that it can no longer be linked to an individual. Anonymised data may be retained indefinitely for aggregate statistical purposes.
Patients and clinic partners may request early deletion of their data. Where deletion is not possible due to legal obligations (e.g., financial records required for 7 years), we will restrict processing of that data to the minimum necessary.
Your rights
- Right of access — request a copy of all personal data we hold about you
- Right to erasure — request deletion of your data (subject to legal obligations)
- Right to restriction — request that we limit how we use your data
- Right to portability — receive your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
To exercise any of these rights, email hello@scanbook.uk. We will respond within 30 days.
Contact and complaints
Our Data Protection contact is reachable at hello@scanbook.uk.
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) if you believe your data has been handled unlawfully. Visit ico.org.uk or call 0303 123 1113.