Support
center
Privacy Policy
Last updated: 03/06/2026
Pinhole Clinic is a trading name of Rad Eye Ltd. This Privacy Policy explains how Rad Eye Ltd collects, uses, stores and protects personal information when you use this website, send an enquiry, or receive care through our private practice.
This policy is written to comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR). If you have any questions about it, please contact us using the details in the section below.
Who we are
Pinhole Clinic is the trading name of Rad Eye Ltd, a private limited company registered in England and Wales.
Data Controller: Rad Eye Ltd
Company number: 14560905
Registered office: C/O Genko Ltd, 6th Floor, 120 Bark Street, Bolton, Lancashire, United Kingdom, BL1 2AX
ICO registration reference: ZC037656
ICO registration expires: 7 November 2026
Email: info@pinholeclinic.co.uk
Practice location: Hertfordshire Private Healthcare at the Lister Hospital, Coreys Mill Lane, Stevenage, SG1 4AB
Rad Eye Ltd is the sole data controller for personal information processed through this website, for enquiries and consultation bookings, for billing, and for the clinical records generated by the private practice of Dr Marawan El Farargy.
Dr Marawan El Farargy (GMC number 7476465) provides clinical services through Rad Eye Ltd. His professional and ethical duties as a registered medical practitioner are governed separately by the General Medical Council and are not affected by the data protection controller structure above.
Data Protection Lead.
Rad Eye Ltd is not legally required to appoint a Data Protection Officer under Article 37 UK GDPR. Dr Marawan El Farargy acts as the Data Protection Lead and is the named contact for any questions about how your personal information is handled and for any data rights requests. You can contact him at info@pinholeclinic.co.uk.
Hospital-held records. Where you receive care at the Lister Hospital, your hospital record is held by East and North Hertfordshire NHS Trust. The Trust is a separate data controller for that record. If you would like to access or correct hospital-held information, you can contact the Trust directly using the details at https://www.enherts-tr.nhs.uk.
How we use your information
We use your information to:
Respond to your enquiry and arrange a consultation.
Provide private medical care, including diagnosis, treatment, follow-up and clinical correspondence.
Coordinate care with your referring specialist, GP or other healthcare professionals involved in your treatment.
Issue invoices and process payment, either directly or through your medical insurer.
Keep accurate clinical and business records as required by professional and legal obligations.
Send service-related communications about your appointment, treatment or account.
Improve the website and the information we provide.
Meet legal, regulatory and professional obligations, including those of the General Medical Council and the Care Quality Commission.
We do not send marketing emails or build a marketing database. If this changes in the future, we will update this policy and ask for your specific consent before contacting you for marketing purposes.
Information we collect
We collect and process the following categories of personal information:
Contact details, including your name, email address, telephone number, postcode and preferred method of contact.
Information you provide through enquiry forms or emails.
Information about your health, symptoms, medical history and the reason for your enquiry. This is special category data under Article 9 UK GDPR.
Insurance information, including the name of your insurer, your membership number and authorisation reference where applicable.
Identification information needed for billing and clinical record-keeping, such as your date of birth and address.
Technical information, including your IP address, browser type, device type and the pages you visit on this website.
Cookie and analytics data, as described in the Cookies section below.
We only collect health information that you choose to provide. You do not need to share clinical details to ask a general question about the service.
Lawful basis for processing
We process personal information under the following lawful bases under Article 6 UK GDPR:
Performance of a contract or steps taken at your request before entering a contract. This applies to handling your enquiry, arranging your consultation and providing care.
Legitimate interests. This applies to the day-to-day administration of the practice, to website analytics on an aggregated level and to keeping records of correspondence. Our legitimate interest is running a small private medical practice efficiently and safely.
Compliance with legal obligations. This applies to record-keeping required by HMRC, by Companies House, by the General Medical Council and by the courts.
Consent. This applies to non-essential cookies and to any future marketing communications.
Where we process information about your health, we rely on the following additional conditions under Article 9 UK GDPR:
Article 9(2)(h) UK GDPR. This covers processing necessary for the provision of health care and treatment by, or under the responsibility of, a health professional bound by a duty of confidentiality. Dr El Farargy is bound by the GMC duty of confidentiality.
Article 9(2)(a) UK GDPR. This covers your explicit consent, where you choose to share health information with us in an enquiry before becoming a patient.
Lawful basis matrix:
Responding to an enquiry: performance of a contract or pre-contractual steps; explicit consent for any health information you choose to share.
Providing clinical care: performance of a contract and Article 9(2)(h) UK GDPR.
Billing and insurance processing: performance of a contract (Article 6(1)(b)) and, where health data is shared with your insurer, Article 9(2)(h) UK GDPR.Keeping clinical and accounting records: legal obligation.
Service-related communication: performance of a contract.
Website analytics through non-essential cookies: consent.
Advertising pixels and tags: consent.
International transfers of your information
Some of our service providers are based outside the United Kingdom or process data on servers outside the United Kingdom. When this happens, your information is transferred internationally.
Countries where transfers may occur and the safeguards in place:
United States. Framer Inc., Microsoft Corporation (where Microsoft 365 routes data outside the UK or EEA), Meta Platforms Inc., Google LLC and Namecheap Inc. These transfers rely on the UK Extension to the EU-US Data Privacy Framework, where the provider is certified, and on the International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses where it is not.
European Economic Area. Microsoft Ireland Operations Ltd, Meta Platforms Ireland Ltd and Google Ireland Ltd. The UK has recognised the EEA as providing an adequate level of data protection.
If you would like a copy of the safeguards we rely on for any specific transfer, please contact us at info@pinholeclinic.co.uk.
Cookies and analytics
A cookie is a small text file that is placed on your device when you visit a website. Cookies are used to make websites work, to remember your preferences and to understand how the site is used. We only use cookies in line with the Privacy and Electronic Communications Regulations and the ICO’s 2023 cookie guidance. Strictly necessary cookies are set automatically. Functional, analytics and marketing cookies are only set after you give consent through our cookie banner. You can change your preferences at any time using the Cookie Settings link in the website footer.
Cookie consent. Non-essential cookies are blocked until you provide consent through the cookie banner. You can withdraw or change your consent at any time using the Cookie Settings link in the website footer. If you set your browser to refuse cookies, parts of the site may not work as expected.
Cookie retention periods are listed in the cookie table in the Cookies and analytics section below.
Sharing your information
We only share your information where it is necessary to provide care, to run the practice or to meet a legal obligation. We do not sell personal information.
Healthcare partners who may receive your information when relevant to your care:
Your referring specialist (for example, your gynaecologist or vascular surgeon).
Your GP, where this is part of standard clinical correspondence.
Other consultants and members of the multidisciplinary team involved in your treatment.
Hospitals and imaging providers, including Hertfordshire Private Healthcare at the Lister Hospital, where your procedure or scan takes place.
Insurers we are recognised by and may share information with, where you ask us to handle your claim:
Allianz
Aviva
AXA Health
Bupa
Healix
Vitality
WPA
Service providers (data processors) acting on our written instructions:
Framer Inc. Website hosting.
Microsoft Ireland Operations Ltd (Microsoft 365). Business email and the enquiry log we maintain while the practice is being set up.
Healthcode Ltd. Invoice clearing and electronic billing to insurers.
Meta Platforms Ireland Ltd. Meta Pixel and Conversions API for advertising measurement, only where you have consented to analytics and marketing cookies.
Google Ireland Ltd. Google Analytics 4, Google Tag Manager and Google Ads conversion tracking, only where you have consented to analytics and marketing cookies.
Namecheap Inc. Domain name registrar. No patient data is shared with Namecheap.
Regulatory, professional and legal bodies, where we are required by law or by our professional duties:
The General Medical Council.
The Care Quality Commission, acting through the hospital provider where care was delivered.
The Information Commissioner’s Office.
HMRC and Companies House for tax and corporate record-keeping.
The Medical Defence Union, where we need to seek professional advice on a clinical matter.
The police, courts or other public authorities where required by law or court order.
Your rights
Under UK GDPR you have the following rights in relation to your personal information:
The right to be informed about how we use your information. This is set out in this policy.
The right of access to a copy of your information.
The right to have inaccurate information corrected.
The right to have your information deleted in certain circumstances.
The right to restrict our processing of your information in certain circumstances.
The right to data portability, which lets you receive a copy of the information you provided to us in a structured, commonly used format.
The right to object to processing based on legitimate interests.
The right to withdraw consent at any time, where consent is the lawful basis we rely on.
The right to lodge a complaint with the Information Commissioner’s Office (see Complaints below).
Some of these rights are not absolute and there are exceptions for clinical records, for example to protect the rights of others or to meet a legal obligation.
How to exercise your rights: email info@pinholeclinic.co.uk with the subject line “Data rights request”. We will normally respond within one calendar month.
How to withdraw consent: email info@pinholeclinic.co.uk and tell us what you would like to withdraw consent for. For cookies, you can also change your preferences through the Cookie Settings link in the website footer.
Data retention
Data security
Data breaches
Automated decision-making and profiling
Children’s data
Changes to this policy
Accessibility
Complaints about how we use your information
