Legal

GDPR & data protection

A plain-language summary of how Halo fits into UK clinic compliance. Not legal advice.

Roles

Clinics are data controllers for their patients. Halo is a data processor when handling patient data on a clinic's instructions under a data processing agreement (DPA).

Lawful basis

Clinics typically rely on existing patient relationships and legitimate interests to send a single service-related follow-up. Halo does not provide legal advice. Clinics should document their basis and privacy notices.

Patient rights

Patients may have rights to access, rectify, erase, restrict, or object to processing. Clinics handle requests first; Halo assists clinics where needed.

STOP and consent

Every Halo SMS includes opt-out handling (e.g. STOP). Patients who opt out are suppressed from future automated messages for that clinic.

Security

  • Encrypted transport (HTTPS/TLS) for web flows
  • Access controls and logging for clinic dashboards
  • UK/EU-aligned hosting for subprocessors where applicable

International transfers

If subprocessors process data outside the UK, we use appropriate safeguards (e.g. UK IDTA / SCCs) as required. Details are listed in our DPA and subprocessor schedule.

DPA & subprocessors

Clinic customers receive a DPA covering processing scope, security measures, breach notification, and deletion on termination. Request copies via haloreviewsuk@gmail.com.

Breach notification

We will notify affected clinic customers without undue delay if we become aware of a personal data breach affecting their patients, so clinics can meet their own reporting duties to the ICO and patients where required.

This page is a working draft for pilot clinics. Have your solicitor review before relying on it commercially.