Privacy Policy

Bookable: Patient Privacy Notice — Version 1, January 2026

1. What is Bookable and who is Healthtech-1?

We're Healthtech 1 Limited ("we", "us", and "our") and we operate under the name Healthtech-1.

We're registered with the United Kingdom ('UK') data protection authority (the Information Commissioner's Office or 'ICO') under number ZB208155.

We make technology for the NHS. We're a group of NHS staff, doctors, operators, and engineers based in a GP practice in East London. GP practices pay for our technology and as of December 2025, we support 24% of England's GP practices.

We own and operate Bookable. It's a website where patients can find a GP to register with and/or book a new patient appointment. Bookable helps navigate patients to the best place for their care (like an appointment with a nurse or doctor at the GP practice, or recommend a visit to a local pharmacy or dentist). Using Bookable does not affect your rights to access NHS care.

This notice explains how and why we use your personal information when you use Bookable.

When you use Bookable:

  • Healthtech-1 acts as a data controller for operating the Bookable website, facilitating appointment booking and registering with a GP practice, and improving the service.
  • When you book an appointment or register with a GP practice, Healthtech-1 acts as a data processor on behalf of the relevant GP practice and/or NHS England, who are the data controllers for patient registration activities and the NHS England Register with a GP Surgery service respectively. The Privacy Policy for the NHS England Register with a GP Surgery service can be read here. The Privacy Policy for Healthtech-1's automation of new patient registrations for GP practices can be read here.

When you use Bookable you agree to the processing as described within this notice.

2. Getting in touch

If you have questions, you can contact us at [email protected]. Our team will be happy to direct your message to the best person, including our Data Protection Officer. Alternatively, you can write to us at Healthtech-1, 91 Belmont Hill, London, SE13 5AX.

If you would like to make a complaint about how we use your personal information, you should email us or write to us and we'll do our best to fix the problem.

If you're still not happy, you can refer your complaint to the Information Commissioner's Office (ICO), the UK regulator for data protection issues. For more details, visit their website.

3. Your rights

You have a right to:

  • access the personal data we hold about you, or to get a copy of it;
  • ask for a copy of your personal data in a portable (machine-readable) format or make us send it to someone else;
  • ask us to correct inaccurate data;
  • ask us to delete your data, though for legal reasons we might not always be able to do it;
  • object to us using your data for direct marketing and where your data is processed on the basis of 'legitimate interests', or for research and statistical reasons;
  • withdraw any consent you've given us at any time but this does not make prior processing based on consent invalid;
  • restrict processing of your data;
  • complain to the Information Commissioner's Office. We ask that you first contact us to give us an opportunity to address any concerns; and
  • ask us to review an automated decision.

To do any of these things, please get in touch using the details above. We will usually require you to confirm your identity (or evidence the right you have to access someone else's data) before disclosing personal data.

4. Changes to this notice

We'll update the privacy notice from time to time. The latest version will be accessible in the footer of Bookable.

If we make significant changes to how we use your personal information, we'll take appropriate steps to let you know.

5. The legal bits

Healthtech-1 collects information when you use Bookable.

Some of this information does not directly identify you, and some of it does. Even where information does not directly identify you, it may still be treated as personal data under data protection law, and we take steps to reduce how identifiable it is.

You can use Bookable without being directly identified until you choose to enter your personal details to book an appointment or register with a GP practice. Once you do this, the information you provide can be linked to you.

In some cases, we may continue to process or store information you enter even if you do not complete a booking or registration. This is explained in more detail below.

The information we hold about you, and how we use it

Information that cannot be used to directly identify you

  • Postcode.
  • Date of birth.
  • Sex at birth.
  • Free text response to 'How can we help?' (see Appendix B to find out how we use Artificial Intelligence).
  • If you accept them, we also use cookies. For information about what cookies are and how we use them, please see Appendix A.

Information that can be used to identify you

  • First name.
  • Last name.
  • Email.
  • Phone.

We use non-identifiable information to show you search results and navigate you to the best care. This information is also used to measure how people find Bookable, understand how people use the service, and to support when improving the website.

We use identifiable data to reserve and book your appointment, and to process your patient registration form. This data is also used to help GP practices confirm or cancel appointments.

We use AI (see Appendix B) to categorise the free text response to 'How can we help?'. These categories are stored indefinitely but do not contain the raw information that you enter.

Our reasons for using your information

Data protection law says we must have a lawful reason for using your personal information. Which reason applies depends on how you are using Bookable.

Public task

When you use Bookable to:

  • find the right place for your care;
  • book an appointment; or
  • register with a GP practice

your information is used to support the delivery and management of NHS services. GP practices and NHS England have a legal duty to provide access to healthcare services, and Bookable is used to help them carry out this task.

In these cases, we process your information on behalf of GP practices and/or NHS England to enable appointment booking, care navigation, and patient registration.

Legal obligation

We may use your information where required to do so by law, including to:

  • keep appropriate records;
  • meet regulatory, audit, or reporting requirements; and
  • protect patient safety and service integrity.

Legitimate interests

We use some information to run, protect, and improve the Bookable service. This includes:

  • communicating with you about the progress of your appointment booking, registration, and for post-appointment feedback;
  • understanding how people use the website;
  • improving performance and reliability;
  • maintaining security and preventing misuse; and
  • supporting product development and service planning (we may contact you to discuss your experience using Bookable).

We only rely on legitimate interests where this use does not override your rights, and we do not use legitimate interests to deliver core NHS care or make decisions about your treatment.

Special category data

Some of the information you provide relates to your health. This is known as 'special category data'. We process this information only where necessary to support healthcare services, under the healthcare and health system management condition in data protection law.

Who we share your data with

Information that cannot be used to directly identify you

  • Other health providers or for research use (anonymous)

Information that can be used to identify you

  • Healthtech-1 sub-processors (see Appendix A)
  • NHS England, the Department of Health and Social Care, and NHS GP practices in England

Note: When you complete a registration form to register with your chosen GP practice, your data is processed on behalf of the GP practice by NHS England and Healthtech-1 in the way described in the Registrations Patient Privacy Notice.

Where we store your information

Information that cannot be used to directly identify you

When using Bookable, information is stored within the UK. If you accept cookies, some of this non-identifiable information is processed outside of the UK (see Appendix A).

Information that can be used to identify you

When you book an appointment and register with a GP practice, information is stored within the UK but some information may be transferred outside of the UK too.

If we transfer information outside of the UK, we make sure that your data is protected and that:

  • The UK Government has deemed the country or organisation to provide an adequate level of protection for personal data; and
  • We've agreed specific contracts with sub-processors approved for use in the UK which give your personal data the same protections that it has in the UK.

How long we keep your information

Information that cannot be used to directly identify you

We store this information for 1 year.

Information that can be used to identify you

We store your identifiable information for 6 years. This is because identifiable data is collected at the end of the Bookable booking process and used to ensure that registration with a GP practice has taken place correctly or used by GP practices to confirm or cancel reserved appointments.

Note: To work out how long we should keep your data, we consider why we hold it, how sensitive it is, how long the law says we need to keep it for, and what the risks are. In this case, 6 years was chosen to mirror the national Records Management Guidance for registration records.

Appendix A: Sub-processors and cookies

Sub-processors

We use the following sub-processors to deliver the Bookable service:

NameDescriptionLocationGDPR Compliance
Microsoft AzureHealthtech-1 controls access to the infrastructure that we use to store and process the data on the platform. We use Microsoft Azure's secure cloud hosting service to securely store and process patient data. We also use Microsoft Azure to host our local AI models which allow Bookable's AI Care Navigation to categorise requests and future training. The Azure regions used are exclusively located in the UK, for both live, test and backup environments. This mirrors the way NHS England stores its data with Microsoft.UKYes as standard.
VercelVercel is a GDPR assured, globally distributed network used to host the Healthtech-1 registration form and Hub. The network uses servers located close to the end user to serve content to the user with low latency regardless of their geographic location. Vercel may route traffic through servers dynamically based in any one of these regions in order to maintain a consistent, low-latency system.Multi (UK / EEA / US)Yes with a Data Processing Agreement.
PostHogPostHog is used to understand how people use the Bookable website. It helps us see which pages are used, how users move through the service, and where improvements can be made. We use PostHog to support product development, service monitoring, and performance analysis. We configure PostHog to scrub and minimise the data collected so it cannot be used to identify individuals.UK / EEA (PostHog is configured to use EU/UK-hosted data centres).Yes with a Data Processing Agreement. (PostHog is GDPR compliant and supports data minimisation and IP anonymisation).
SentrySentry is used to monitor the reliability and security of the Bookable service. It helps us detect, diagnose, and fix technical errors so that the service runs safely and smoothly. Sentry may collect limited technical information (such as error logs and device or browser information) to help identify and resolve issues. It is not used to profile users or make decisions about care. (Sentry may process technical data outside the UK/EEA).EEA / USYes with a Data Processing Agreement and appropriate international transfer safeguards. Sentry uses approved contractual safeguards to protect personal data.
FiretextHealthtech-1 sends SMS messages to patients. We use third party gateways for the delivery of those SMS messages. They provide APIs that the Healthtech-1 server uses to send these messages.UKYes as standard.
Customer.ioCustomer.io is an email campaign service provider used within Healthtech-1 to communicate with patients on behalf of practices.EEA (Belgium)Yes through a Data Processing Agreement.
PostmarkPostmark is an email delivery service provider used within Healthtech-1 to send notification emails to practices.USYes through a Data Processing Agreement that includes Standard Contractual Clauses.

We only use sub-processors where appropriate safeguards are in place to protect personal data.

Cookies

If you accept them, we use the following cookies on Bookable to support product development, user research, and business decisions about the service:

  • Meta Ads
  • Google Tag Manager and Google Ads
  • Google Analytics

No information that directly identifies you is processed or stored by these cookie providers. You can read our Cookie Notice for more information.

Appendix B: Artificial Intelligence

We use artificial intelligence ('AI') to provide the Bookable service and to help us achieve the purposes for processing your personal data described in this notice.

If we use AI to process your personal data for any new purposes, we'll either update this notice or tell you separately that we are doing so.

Examples of how we use AI include things like navigating you to the recommended healthcare provider, service, or professional, (by categorising your request using AI) or helping make business decisions.

We may also use your data to train and analyse the performance of our AI. We'll only do this if it's not possible to anonymise your data. We don't allow third parties whose AI systems or models we use to use your personal data for their own training purposes.

Appendix C: Messages about unfinished bookings and registrations

If you start using Bookable but do not finish booking an appointment or registering with a GP practice, we may send you a reminder message.

These messages are sent to:

  • help you complete your booking or registration; or
  • check whether you still need help accessing care.

Using the contact details you provided during your visit to Bookable, we may contact you by:

  • email; and
  • text message (SMS)

These messages are service messages, not marketing. We do not use them to advertise products or services. As such, there is no way to opt out.

In order to improve the service, Healthtech-1 may use your contact details to ask for feedback. You can opt out of this when contacted.

Appendix D: Automated decision-making and profiling

Using Bookable

Bookable uses automated processes to help recommend appropriate services. These tools do not make decisions that have legal or similarly significant effects on you. Final decisions about your care and appointments are made by healthcare professionals or GP practices.

Registering with a GP practice

When you register with a GP practice through Bookable, some checks are done automatically by computer systems. These checks are used to:

  • confirm who you are and where you live; and
  • check whether online registration is suitable for your situation, using national NHS rules.

These checks help GP practices safely accept registrations, including people who live outside the practice catchment area.

If the automatic checks show that online registration is not suitable for you (for example, if a child is registering without a parent or guardian already registered at the practice), you can still register by visiting the GP practice in person. You can ask the GP practice for help if you have questions about this process.

No profiling is undertaken, and we have no plans to do so.

Version control

Version 1 — Approved January 2026.

If you have questions, you can contact us at [email protected]. Our team will be happy to direct your message to the best person, including our Data Protection Officer. Alternatively, you can write to us at Healthtech-1, 91 Belmont Hill, London, SE13 5AX.

Return to Bookable