Last updated: October 2025 Welcome to the website of Rob Milligan Breaat Surgeon (“we”, “us”, or “our”). We are committed to respecting and protecting your privacy. This policy explains how we collect, use, store and protect your personal information in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. What Information We Collect

Depending on your interactions with us, we may collect:

• Contact details – name, address, email, telephone.
• Personal identifiers – date of birth, occupation, GP details.
• Health and medical information – medical history, medications, allergies, photographs, consultation notes, and treatment details.
• Payment information – billing address and transaction details (we do not store full card details).
• Marketing preferences – your choices about receiving newsletters, updates, or promotional offers.
• Website and usage data – cookies, IP address, browser type, and device data to help us improve website performance and security.

We only collect what we genuinely need to deliver care, respond to enquiries, or improve your experience with us.

2. How We Use Your Information

Your personal data may be used for:

• Booking, managing and delivering your consultations and treatments.
• Maintaining accurate and up-to-date medical and administrative records.
• Communicating with you about appointments, aftercare and clinical advice.
• Processing payments and issuing invoices or receipts.
• Sharing information (with your consent) with other healthcare professionals involved in your care, such as your GP or laboratory.
• Sending relevant updates or marketing communications if you have opted in.
• Complying with legal, regulatory or professional obligations.
• Analysing website performance and security.

We will never sell your information to third parties.

3. Our Legal Basis for Processing

We process your information under the following lawful bases:

• Consent – for example, to receive marketing or to use images.
• Contract – to deliver the services you have requested.
• Legal obligation – to meet clinical, tax, or record-keeping requirements.
• Legitimate interests – for business administration, audit and service improvement, provided your rights are not overridden.
• Health care provision – for processing special category (medical) data required to deliver safe and effective treatment.

4. Sharing Your Information

We may share your data with trusted third parties, such as:

• Registered medical professionals directly involved in your care.
• Laboratories, imaging centres, or pharmacies as required for treatment.
• Professional advisors (legal, insurance, accounting).
• Secure IT and administrative service providers (e.g. clinical software, encrypted email, website hosting).

All third parties are bound by confidentiality and data processing agreements to ensure your information is protected.

5. Retaining Your Information

We retain your data only as long as necessary:

• Medical and clinical records – typically kept for at least 7 years after your last treatment (or longer if required by law or professional standards).
• Marketing data – retained until you withdraw consent or unsubscribe.
• Website and analytics data – kept for a limited period for security and improvement purposes.

When no longer required, your data is securely deleted or anonymised.

6. Your Rights

You have the right to:

• Access your personal data and receive a copy.
• Correct inaccurate or incomplete information.
• Request erasure (“right to be forgotten”), where legally permissible.
• Restrict or object to certain forms of processing.
• Withdraw consent for marketing or photography at any time.
• Data portability – request your data in a usable format.
• Complain to the ICO if you believe your data has been mishandled.

To exercise your rights, contact us via the details above. We may ask for ID verification before processing your request.

7. How We Protect Your Information

We use a combination of technical and organisational measures to safeguard your data, including:

• Encrypted data storage and secure electronic medical records.
• Password-protected devices and restricted staff access.
• Regular staff training on confidentiality and data protection.

8. Cookies & Website Analytics

Our website uses cookies to improve user experience and monitor performance. Cookies help us understand how visitors use our site and allow certain functions (e.g. booking forms). You can manage or disable cookies in your browser settings at any time. For more details, please see our Cookie Policy.

9. Marketing & Communication Preferences

We will only send you marketing emails or updates if you have explicitly opted in. You can change your preferences or unsubscribe at any time by clicking the link in our emails or contacting us directly. Any photographs, testimonials or case studies used for marketing are shared only with your written consent. You have the right to withdraw this consent at any point, and we will remove the material promptly.

10. Updates to This Policy

We may update this policy occasionally to reflect legal or operational changes. The latest version will always be available on this website and marked with a new “Last updated” date.

11. Contact Us

If you have any questions or wish to exercise your rights, please contact: If you have any questions or wish to exercise your rights, please contact: Penny@xilium.co.uk