Clinical Privacy Notice

About this notice

This notice explains how Luca Health Ltd ("Luca Health", "we", "us") uses the clinical information created when you or your child receives a concussion consultation through the Luca Health platform. Luca Health is the controller of that clinical information, which means we are responsible for it and decide how it is handled.

Your school or club holds separate information about you (such as your account and contact details) and is responsible for that under its own privacy notice. This notice covers only the clinical record.

Who we are and how to contact us

Luca Health Ltd (company number 14060836). For any question about your clinical information, or to exercise your rights, contact us at privacy@luca.health.

The clinical service

Concussion consultations are carried out by independent registered clinicians (registered with the HCPC, the GMC or another UK regulator). Each clinician treats you (or your child) as their own patient and is responsible for their own clinical judgement. Luca Health provides the technology platform through which consultations take place, and holds the resulting clinical record.

What clinical information we hold

We hold the clinical record relating to a concussion, which may include: the consultation audio and video recording and its transcript; the clinician’s notes; any diagnosis; return-to-activity decisions and clearances; onward referral information; the clinician’s review of any baseline or assessment results considered during the consultation; and clinician-approved summaries, letters and emails.

Why we hold it, and our legal basis

We hold this information to provide and manage health care safely, and to keep an accurate clinical record. Our legal basis under UK data protection law is our legitimate interests in providing and recording health care (Article 6(1)(f) UK GDPR), together with the condition for the provision of health care by, or under the responsibility of, a health professional (Article 9(2)(h) UK GDPR and the corresponding condition in the Data Protection Act 2018).

Recording of consultations

Consultations are video calls, and both the audio and video are recorded and transcribed as part of the clinical record. You are told in the consultation invitation that the consultation will be recorded, and you can decline recording in advance or by telling the clinician during the consultation. If you decline, the consultation still goes ahead and the clinician writes up their own notes of it in the usual way, rather than working from a recording. Recording is part of providing health care; it is not based on your consent, and declining it does not affect the care you receive.

Use of AI to assist clinicians

We use AI tools to produce draft summaries, letters and emails from the consultation transcript. These are drafts only: a clinician always reviews, edits and approves them before they form part of the record or are acted upon. No decision about you is made by a computer alone. The AI tools we use do not learn from your information, and your information is not shared with the AI providers.

Where your information is held

Your clinical information is hosted on secure infrastructure within the UK and the European Economic Area (in Ireland) and is not transferred outside the UK or the EEA.

How long we keep it

We keep clinical records in line with recognised standards for health records:

• if the patient is under 18, until their 25th birthday (or 26th birthday if they were 17 at the time of the last consultation); and
• if the patient is an adult, for 8 years from the last consultation.

We may keep raw audio recordings for a shorter period than the rest of the record. We may keep a record for longer where a claim or complaint is live or reasonably expected, or where the law requires. After the retention period ends, we securely delete or anonymise the record.

If you close your account or ask us to delete your data

Even if you close your Luca Health account, or ask us to delete your information, we may keep the clinical record. UK data protection law allows this where keeping the information is necessary for the provision of health care, or for the establishment, exercise or defence of legal claims (Article 17(3) UK GDPR). In that case we keep the record only for those purposes, only for the retention period above, and we keep it securely.

Who we share it with

We share clinical information only as needed to provide care — with the treating clinician, and, where appropriate, with a specialist on referral. Our technology providers process information for us under contract and only on our instructions. We do not sell your information, and we do not use it for marketing.

Your rights

You have rights to access your information, to have it corrected, to ask for erasure (subject to the limits above), to restrict or object to processing, and to data portability. Some of these rights are limited for health records — for example, access can be limited where disclosure could cause serious harm, and erasure is limited where we must keep the record. To exercise any right, contact us at privacy@luca.health.

Complaints

If you are unhappy with how we handle your information, please contact us at privacy@luca.health so we can put it right. You also have the right to complain to the Information Commissioner’s Office (ICO) at ico.org.uk or 0303 123 1113.

Changes to this notice

We may update this notice from time to time. This version is dated June 2026 (Version 1.0).