Privacy Policy
1. Who we are and how the group works
HealthBridge UK (“we”, “us”, “our”) is an operating company within the Bridge Group architecture. We act as a compliance gateway for UK market entry and related service pathways.
1.1 Data controller for this policy
For most interactions covered by this Privacy Policy, HealthBridge UK is the “data controller” (meaning we decide how and why your personal data is processed).
Data Controller: HealthBridge UK (a trading name of Bridspan Holdings UK)
Registered address: 48B Newbold Road, Chesterfield, UK
Company number:
Email: michael.bartholomew@healthbridgeuk.com
1.2 Contracting entity and “clean contracting lines”
Bridge Group is designed so that operating companies contract with customers, while group-level governance and shared services are delivered under formal, written intercompany agreements.
That means:
The entity you contract with (e.g., shown on your order form, MSA, SOW, platform terms, invoice, or onboarding email) is typically the primary controller for that service.
HealthBridge UK may use group shared services and “gate” entities where necessary to deliver and assure the service (for example: governance operations, diagnostics workflows, fulfilment orchestration, and evidence/validation services).
Where another Bridge Group operating company is involved, it will generally act as either:
a processor (processing data on behalf of the contracting controller), or
an independent controller for the part of processing it determines (e.g., where it must maintain its own operational/audit records).
1.3 Group shared services and intra-group governance
Certain governance, security, quality, and operational shared services may be provided by HoldingBridge Ltd (“HoldCo”) under written intercompany agreements. Intra-group data access and data flows are controlled through contractual terms, including a Data Processing & Data Sharing Addendum (DPA/DSA) where relevant, which sets out:
UK GDPR roles (controller/processor boundaries)
security requirements and annexes
audit rights
cross-border transfer controls (where applicable)
1.4 Privacy contact
If you have questions, requests, or concerns about your personal data, contact us at:
michael.bartholomew@healthbridgeuk.com
2. Collected Personal Data
HealthBridge UK collects the following categories of personal data, depending on how you interact with us (website visitor, customer, partner, supplier, practitioner, or support request):
2.1 Identity and contact data
Full name
Email address
Telephone number
Postal address (including delivery/returns address where relevant)
Organisation/company name, role/job title (for B2B/partner contexts)
2.2 Account and profile data
Account identifiers (e.g., username, account ID)
Profile settings and preferences
Authentication data (passwords are stored securely using hashing; we do not store passwords in plain text)
2.3 Communications and support data
Messages you send us (email, forms, chat, support tickets)
Call notes where applicable
Feedback, survey responses, and community/forum posts (if offered)
2.4 Transaction and commercial data
Purchase history (products/services, plan level, invoices)
Billing details (excluding full payment card details if handled by a payment provider)
Refunds, disputes/chargebacks, and related correspondence
2.5 Delivery and fulfilment data (if we arrange fulfilment/returns)
Delivery address, delivery instructions
Returns information, replacement requests
Dispatch/receipt timestamps and logistics references (e.g., tracking IDs)
2.6 Compliance and market-entry data (where HealthBridge UK acts as a “compliance gateway”)
Because HealthBridge UK operates as a UK compliance and claims discipline function for health-market entry, we may collect and process:
Business contact details for manufacturers, brand owners, distributors, and agents
Product/service submission details provided by you or your organisation (including supporting documentation that may contain personal data, such as named contacts, signatures, correspondence trails)
Compliance workflow records (e.g., review outcomes, approvals, exceptions, audit notes)
2.7 Diagnostics and health-related data (special category data — only if you provide it or enable a diagnostic workflow)
Where a service involves diagnostics workflows (for example, kit routing, lab onboarding, results normalisation, practitioner portal operations), data may include:
Unique identifiers associated with a diagnostic workflow (e.g., kit ID, sample ID, reference numbers)
Test results and associated metadata
Health and wellbeing information you submit (symptoms, goals, outcomes, self-reported measures)
Practitioner-facing notes you provide for service delivery
We treat health data as special category data and apply enhanced safeguards (see “Special Category Data” and “Security”).
2.8 Technical, device, and usage data
IP address, device type, operating system, browser type/version
Approximate location (derived from IP), time zone
Website/app usage data (pages viewed, clicks, session duration, referral source)
Security logs (to detect and prevent fraud, abuse, or unauthorised access)
2.9 Marketing and preferences data
Newsletter subscription status and marketing preferences
Engagement metrics (email opens/clicks where enabled)
Content preferences and inferred interests (where permitted)
2.10 Images, audio, and video (only if you choose to provide them)
If you upload files or participate in calls/events that are recorded with notice, we may process associated media.
2.11 Children
Our services are intended for adults unless we explicitly state otherwise. If we learn we have collected personal data from a child without appropriate consent, we will delete it.
3. Purpose of collecting data
HealthBridge UK collects and uses personal data for the purposes below. Which purposes apply depends on whether you are a visitor, customer, partner, supplier, or practitioner.
3.1 To provide and operate our services (core delivery)
Create and manage user accounts
Deliver products and services you request
Provide customer support and handle enquiries
Manage subscriptions, access control, and service communications
3.2 To run the “Claims Gate” / compliance gateway function (UK market-entry discipline)
Because HealthBridge UK acts as a compliance gateway in the UK market-entry pathway, we process data to:
Manage submission and review workflows (including audit trails)
Apply claims/labelling discipline and readiness checks
Document classification and risk decisions (operational governance records)
Coordinate with approved service providers where needed (e.g., fulfilment, diagnostics operations) under appropriate agreements
3.3 To run the “Data Gate” (data governance, interoperability, and controlled access)
Where services involve diagnostics workflows, portals, or cross-party operations, we use data to:
Administer workflow routing, onboarding, and interoperability processes
Maintain access controls, authentication, and audit trails
Improve data quality (normalisation, validation, error correction)
Provide authorised access to relevant parties (e.g., you, your practitioner, or your organisation) as configured
3.4 To run the “Fulfilment Gate” (delivery quality, returns, and service reliability)
Where we arrange or support fulfilment/returns, we process data to:
Dispatch products/services and coordinate returns/replacements
Operate QA, exception handling, and service-level performance monitoring
Reduce chargebacks/refunds and resolve delivery disputes
3.5 To run the “Evidence Gate” (evidence files, registries, outcomes capture)
Where you participate in outcomes capture, validation, or evidence-building workflows, we process data to:
Maintain evidence files for products/assays/workflows (including substantiation packs where appropriate)
Operate registries and outcomes capture (preferably in aggregated or de-identified form)
Support partner studies/validation initiatives (where you have been informed and the appropriate legal basis applies)
3.6 Payments, billing, and administration
Process payments (via payment providers)
Produce invoices, manage refunds, prevent fraud
Maintain accurate business records and comply with tax/accounting requirements
3.7 Communications and relationship management
Respond to messages, provide notices, and manage service updates
Maintain records of communications for quality assurance and dispute resolution
3.8 Security, fraud prevention, and platform integrity
Detect and prevent unauthorised access, abuse, and fraud
Protect accounts, systems, and data
Maintain logs for incident response and forensic traceability
3.9 Service improvement, analytics, and performance
Understand usage patterns and improve user experience
Debug, test, develop, and improve features and reliability
Measure service performance and operational KPIs
Where possible, we use aggregated/de-identified data.
3.10 Marketing (where permitted)
Send newsletters and updates where you have opted in or where otherwise permitted
Measure campaign effectiveness and manage preferences
You can opt out at any time.
3.11 Legal and regulatory obligations
Comply with applicable laws and respond to lawful requests
Protect legal rights, manage disputes, and enforce terms
4. Who we share personal data with
We share personal data only where it is necessary to deliver services, operate safely, meet compliance obligations, and maintain auditability. Operating companies contract with customers, and group-level governance/shared services are provided under written intercompany agreements.
4.1 Sharing within Bridge Group (service delivery + governance)
Depending on the service pathway you are using, HealthBridge UK may share limited personal data with other Bridge Group operating entities that provide specific “gate” functions or shared services. These flows are designed to reduce risk, increase reliability, and keep regulated exposure cleanly separated.
We may share data with:
HoldingBridge Ltd (HoldCo / GovernanceOps / Shared Services): to provide group governance, security standards, reporting, shared tools, and operational oversight under formal intercompany agreements (including shared services and data-sharing addenda).
DiagnosticsBridge Ltd (Data Gate): where your pathway involves diagnostics operations, interoperability, kit routing, results normalisation, portal access, or audited access controls.
FulfilmentBridge Ltd (Fulfilment Gate): where fulfilment orchestration is required (3PL management, dispatch QA, returns, replacements, incident handling, and SLA performance).
Research&ValidationBridge Ltd (Evidence Gate): where you participate in evidence file creation, registries, outcomes capture, substantiation deliverables, or post-market surveillance activities (preferably using aggregated or de-identified data where feasible).
TecSystemsBridge Ltd: where automation supports acquisition, onboarding, and customer support workflows (and not clinical triage unless governed, validated, and contractually scoped).
NutriWorldsBridge Ltd: where the pathway involves distribution/resale operations, and where claims/label controls are routed through HealthBridge UK and governance functions.
Transformational Future: where you engage with education/community content and opt into communications; in those cases we may share limited marketing preference data necessary to deliver newsletters or content you requested.
How these intra-group shares are governed:
Sharing inside the group is controlled via a minimum set of intercompany agreements, including a Shared Services Master Agreement and a Data Processing & Data Sharing Addendum that defines roles, security requirements, audit rights, and—where relevant—cross-border transfer controls.
4.2 External service providers (processors)
We also share personal data with carefully selected third-party providers who help us operate the service, such as:
Hosting and infrastructure providers
Payment processors (we do not store full card details where a processor is used)
Email/SMS delivery and customer communications tools
Customer support platforms (ticketing/chat)
Analytics and performance monitoring tools
Identity, security, and fraud-prevention services
Video/meeting and scheduling tools (if used)
These providers act on our instructions, under contract, and are required to implement appropriate security measures.
4.3 Delivery partners, labs, and operational counterparties (as required by the pathway)
Where the service requires it, we may share relevant data with operational counterparties such as:
Third-party logistics providers (delivery, returns, replacements) where fulfilment is part of your service pathway
Laboratories and diagnostics operational partners where diagnostics rails/data workflows are part of your pathway
Professional or organisational customers/partners (B2B) where you are acting as an authorised user under an organisational contract (we share only what is necessary and consistent with access controls and audit trails)
4.4 Professional advisers
We may share data with our professional advisers (legal, accounting, insurance, compliance) where necessary for governance, risk management, or dispute handling.
4.5 Legal, regulatory, and safety disclosures
We may disclose personal data where required to comply with law, respond to lawful requests, enforce our terms, or protect rights, safety, and the integrity of our systems.
4.6 Business transfers
If we restructure, merge, or transfer assets, personal data may be shared with relevant parties (e.g., advisers and prospective buyers) subject to confidentiality and appropriate safeguards.
International data transfers
We are based in the UK, but some of our technology suppliers and (where relevant) operational counterparties may process or support data from locations outside the UK.
5. When international transfers may occur
International transfers can occur where, for example:
a cloud hosting provider stores data in data centres outside the UK, or provides “follow-the-sun” support
an email/SMS, analytics, security, payment, or customer-support platform operates globally
a service pathway involves cross-border operations (e.g., distribution, fulfilment orchestration, or diagnostics workflows that require international support teams)
5.1 Transfer safeguards we use
Where personal data is transferred outside the UK, we implement appropriate safeguards, such as:
transfers to countries recognised by the UK as providing adequate protection
the UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses (as applicable)
additional technical and organisational measures where appropriate (e.g., encryption, access controls, logging, and contractual limits on onward transfers)
5.2 Bridge Group controls for cross-border processing
Where transfers occur within Bridge Group or via Bridge Group delivery pathways, cross-border transfer governance is addressed through written intercompany controls and (where relevant) a DPA/DSA that includes:
role clarity (controller/processor allocation)
security annexes (minimum standards)
audit and assurance rights
transfer mechanisms and restrictions on onward transfers
5.3 How to request more information
You can request details of applicable safeguards for your data by contacting:
michael.bartholomew@healthbridgeuk.com
We will not transfer your personal data internationally unless we have a lawful basis and appropriate safeguards in place.