PEP Health Ltd Privacy Notice
Last updated: 22 June 2026
1. Who We Are
Data controller
PEP Health Ltd
66 Paul Street
London
EC2A 4NA
United Kingdom
Data Protection Officer (DPO)
Michael Doyle
You can contact us or our DPO at:
Email: enquiries@pephealth.ai
For US-region processing, Pep Health Inc. may act as a separate controller for data relating to US healthcare providers. US contact address: Mailbox #11, 400 S. 4th St., Suite 401, Minneapolis, MN 55415, United States.
2. Introduction
This Privacy Notice explains how PEP Health Ltd (“we”, “us”, “our”) collects, uses, stores, shares, and protects personal data when you use our website and services, in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 (as amended by the Data (Use and Access) Act 2025), and, where applicable, the EU GDPR.
We are committed to being transparent about our processing and to handling personal data lawfully, fairly, and securely.
3. What Personal Data We Collect
3.1 Publicly available feedback data
We collect publicly available online feedback about healthcare providers from review sites and social media. This may include:
- The text of comments about healthcare providers
- The date comments were posted
- Self-chosen usernames or display names used on the source platform
- Other information made publicly available on the source platform
We do not seek to collect additional personal data beyond what users have chosen to make public. Where comments contain identifiable information, that information was already published by the individual or account holder on the source platform.
3.2 Information you provide directly
When you download reports, request information, or contact us through our website, we may collect:
- Your name
- Your job title
- Your organisation
- Your email address
- Any message or enquiry you send us
- Your marketing preferences, where you opt in
This helps us respond to your request, understand interest in our services, and follow up where appropriate.
3.3 Technical and usage data
When you visit our website, we may automatically collect limited technical information such as IP address, browser type, device information, and pages visited. Non-essential analytics cookies are used only where you have given consent.
4. How We Collect Information
- From publicly accessible review sites and social media sources
- Directly from you when you voluntarily submit details through our website or otherwise contact us
- Through cookies and similar technologies, where permitted
5. Lawful Bases for Processing
We process personal data only where we have a lawful basis under UK GDPR Article 6.
5.1 Legitimate interests (Article 6(1)(f))
We rely on legitimate interests to process publicly available feedback data where necessary to:
- Monitor and analyse healthcare provider performance
- Identify trends, strengths, and areas for improvement
- Communicate insights to healthcare organisations, regulators, commissioners, insurers, and other stakeholders
We have assessed that these interests are not overridden by the rights and freedoms of individuals, taking into account that the data is already publicly available and is processed for healthcare insight and quality improvement purposes. You have the right to object to this processing (see Section 9).
5.2 Consent (Article 6(1)(a))
We rely on consent for non-essential cookies and analytics tools, and for direct marketing communications where required. You may withdraw consent at any time.
5.3 Contract and pre-contract steps (Article 6(1)(b))
Where you request reports, demonstrations, or other services, we may process your contact details as necessary to respond to your request or take steps at your request before entering into a contract.
6. How We Use Personal Data
We use personal data to:
- Analyse and track healthcare provider performance
- Identify themes and aspects of care mentioned in feedback
- Assess whether comments relate to care quality or patient experience
- Provide insights to healthcare providers, regulators, commissioners, and insurers
- Respond to enquiries and manage our relationship with you
- Improve our website, products, and services
- Comply with legal and regulatory obligations
We may include individual comments in our analysis and reporting where relevant to the purposes above.
We do not sell personal data.
7. Who We Share Data With
We may share personal data with:
- Healthcare providers, commissioners, regulators, insurers, and other clients receiving our analysis
- Service providers who support our operations (for example, hosting, authentication, analytics, and IT support), under appropriate contractual safeguards
- Professional advisers or authorities where required by law
UK personal data is not transferred outside the UK or European Economic Area except as described in Section 10. US-region data is processed exclusively within the United States.
8. How We Store and Protect Your Information
Data is stored securely in region-appropriate systems:
- UK data is stored in an EU-based database located in Ireland
- US data is stored in a US-based database
Encrypted backups are maintained. Access is restricted to personnel who need it for legitimate business purposes and who are subject to confidentiality obligations.
9. Data Retention
We retain personal data only for as long as necessary for the purposes for which it was collected, unless a longer retention period is required by law.
- Publicly available review data: retained as part of our ongoing monitoring and analysis of healthcare performance
- Contact and enquiry information: retained while there is an active business need, and otherwise deleted or anonymised in line with our retention schedule
- Cookie and analytics data: retained in accordance with the relevant tool settings and your consent choices
10. International Transfers
- UK personal data is processed within the UK and EU and is not transferred outside those regions unless adequate safeguards are in place
- US personal data is processed solely within the United States under the control of Pep Health Inc.
11. Your Data Protection Rights
Under UK data protection law, you may have the right to:
- Access your personal data
- Rectify inaccurate or incomplete data
- Request erasure of your personal data, subject to applicable exceptions (this does not generally extend to general public review content that is not personal to you, or to data we are required to retain)
- Restrict processing in certain circumstances
- Object to processing based on legitimate interests
- Request data portability, where applicable
- Withdraw consent at any time, where processing is based on consent
To exercise these rights, contact us at enquiries@pephealth.ai. We will respond within one month, unless an extension is permitted by law.
If we refuse to act on a request, we will explain why and tell you about your right to complain to us and to the Information Commissioner’s Office (ICO).
12. How to Complain
If you are concerned about how we handle your personal data, please contact us first at enquiries@pephealth.ai. We will acknowledge your complaint within 30 days and explain the outcome of our review.
If you remain dissatisfied, you have the right to lodge a complaint with the UK supervisory authority:
Information Commissioner’s Office (ICO)
https://ico.org.uk
13. Cookies
13.1 Essential cookies
These are necessary for core website functionality, including session management and authentication via AWS Cognito. They do not require consent under UK PECR.
13.2 Non-essential cookies (consent required)
These are activated only after you provide explicit consent through our cookie banner. They may include:
- Google Analytics – to understand website usage
- Microsoft Clarity and Microsoft Advertising – for behavioural insights, heatmaps, and session replay
You may withdraw consent at any time through our cookie settings or your browser settings. Declining non-essential cookies does not affect essential website functionality.
14. Changes to This Notice
We may update this Privacy Notice from time to time. The latest version will always be published on our website with a revised “Last updated” date. Where changes materially affect how we process your personal data, we will take appropriate steps to inform you.
PEP Health Ltd
66 Paul Street
London
EC2A 4NA
United Kingdom





