Privacy policy

Hero is used by healthcare professionals and patients every day. Users must be able to easily understand what data Hero is processing, why it is being processed and how it's used.

Who are we?

We are Hero Doctor Limited t/a Hero Health (CRN: 10924177).

You can find us at 256 Mayfield House, 3rd Floor, 256 Banbury Road, Oxford, United Kingdom, OX2 7DE.

If you have any questions about this privacy statement or want to exercise any of your rights under data protection law please contact us at

How do we use your data?

Where you register as a clinician or admin we will collect your name, IP address, company/ clinic name, phone number and email address. We collect this in order to take steps to enter into a contract with you.

When you are a patient whose data has been uploaded by your clinic/ practice. We will process your name, age, gender, email address, address and any additional information on patients which our healthcare providers add to our platform. This may include health data such as medical records. We do this in our capacity as a data processor for our healthcare provider clients.

Where you join our service to access our broad range of registered clinics. Where you register with us via our website, or after your data has been uploaded by your registered practice, we will collect your name, age, gender email address, address. We collect this in order to take steps to enter into a contract with you.

When you receive our news updates. We will handle your personal information (such as your name and email address) to provide you with our news updates in line with any preferences you have told us about.

When we send you our news updates because you have opted-in to receive them, we rely on your consent to contact you. If you have not opted-in and we send you our news updates emails, we do this because of our legitimate interest to promote our business.

You can unsubscribe from our updates at any time by clicking the unsubscribe link at the bottom of any of our emails, or by emailing

When you contact us. When you contact us either by phone, email, on social media or via our website contact us page with general queries, we will usually collect your name and contact details, because it’s in our legitimate interest to make sure we can properly respond to your query.

Technical information when you use our website. When you consent, we collect information about how you use our website. We use this information to improve our website and to better understand how people use it. More detail on the information we collect and how we do this is set out in our cookie policy

When you attend one of our events or a third party event we also attend. When you attend one of our events or we meet you at a third party event (including virtual events via video conferencing providers including Zoom), we will usually collect your name, address, email address and phone number. At our own events we collect this information because it’s in our legitimate interests to know who’s attending our events; and at third party events, we collect this information because it is in our legitimate interests to promote our business.

When you apply for a job with us. When you enter into the recruitment process with us we may collect your name, contact details, recruitment information (e.g. right to work documentation and references), qualifications, accreditations, test results (inc. psychometric tests), as well as any additional personal data we may receive from our third party recruitment consultants.

If our business is sold. We process your personal information for this purpose because we have a legitimate interest to ensure our business can be continued by the buyer. If you object to our use of your personal information in this way, the buyer of our business may not be able to provide services to you.

Who do we share your data with?

Business partners, suppliers, registered healthcare providers, laboratories, testing centres and subcontractors for the performance of the contract we enter into with them or you.

Promotional events and marketing organisations, we do not sell data for marketing purposes, but may share your data with an event organiser including where we run workshops with co-presenters. We will always tell you before (usually on the event registration form) and you will be given the chance to opt-out before we do this.

Regulators/ Authorities/ Enforcement Agencies if we are under a duty to disclose or share your personal data in order to comply with any legal obligation, or in order to enforce or apply our terms of use and other agreements; or to protect the rights, property, or safety of our clients or others. This includes exchanging information with other companies and organisations for the purposes of fraud protection.

Prospective buyers of our business under our legitimate interest to ensure our business can be continued by the buyer.

Using NHS Login

Please note that if you access our service using your NHS login details, the identity verification services are managed by NHS England. NHS England is the controller for any personal information you provided to NHS England to get an NHS login account and verify your identity and uses that personal information solely for that single purpose. For this personal information, our role is a “processor” only and we must act under the instructions provided by NHS England (as the “controller”) when verifying your identity. To see NHS England’s Privacy Notice and Terms and Conditions, please click here. This restriction does not apply to the personal information you provide to us separately.

Where is my data stored?

We store your data on AWS in EU-WEST-2, some data is transmitted by Heroku which is hosted in the EU. All payments data is stored by external PCI-compliant payment providers. 

To keep this privacy policy as short and easy to understand as possible, we haven’t set out the specific circumstances when each of these protection measures are used. You can contact us at for more detail on this.

How long do we keep your data for?

We will only retain your personal information for as long as we need it unless we are required to keep it for longer to comply with our legal, accounting or regulatory requirements.

In some circumstances we may carefully anonymise your personal data so that it can no longer be associated with you, and we may use this anonymised information indefinitely without notifying you. We use this anonymised information to analyse our programmes and support other similar programmes around the world.

What are my rights under data protection laws?

You have various other rights under applicable data protection laws, including the right to:

  • access your personal data (also known as a “subject access request”);
  • correct incomplete or inaccurate data we hold about you;
  • ask us to erase the personal data we hold about you;
  • ask us to restrict our handling of your personal data;
  • ask us to transfer your personal data to a third party; 
  • object to how we are using your personal data; and
  • withdraw your consent to us handling your personal data.

You also have the right to lodge a complaint with us or the Information Commissioner's Office, the supervisory authority for data protection issues in England and Wales. If you are based outside of England and Wales, you can find your relevant supervisory authority here.

Please keep in mind that privacy law is complicated, and these rights will not always be available to you all of the time.

Children's data

We take child data privacy very seriously. We only process minimal data pertaining to under 18s, as supplied by the person booking the appointment (their legal guardian). We rely on consent as the lawful basis for processing data. We understand that children have the same rights as adults to access their personal data, request rectification, object to processing and have their personal data erased.


Your feedback and suggestions on this notice are welcome.

We’ve worked hard to create a notice that’s easy to read and clear. But if you feel that we have overlooked an important perspective or used language which you think we could improve, please let us know by email at


Any changes we make to this privacy notice in the future will be posted on this page and, where appropriate, notified to you by e-mail.

Please check back frequently to see any updates or changes to our privacy notice.

This privacy policy was last updated on 13th March 2023.