Privacy Notice

1. Who We Are

Lens Health Technologies Ltd ("we", "us", "our") provides FocusAI, a software platform that delivers an intelligence layer alongside existing care systems, enabling organisations to use AI to streamline operations, enhance compliant reporting, and focus more time on critical tasks.

We are registered in the United Kingdom with our registered office at:

A6 Kingfisher House Kingsway, Team Valley Trading Estate, Gateshead, England, NE11 0JQ.

This Privacy Notice explains how Lens Health Technologies Ltd processes personal data in connection with the FocusAI platform.

It applies to:

  • Customer administrators and authorised users of the platform
  • Individuals whose data is processed within customer systems and accessed through the platform

Where we process personal data on behalf of our customers, the relevant organisation (our customer) remains the data controller.

Lens Health Technologies Ltd does not currently appoint a Data Protection Officer (DPO), as we are not required to do so under Article 37 of the UK GDPR. Data protection responsibilities are managed internally by our compliance team.

2. Our Role

For most personal data processed through our platform, we act as a Data Processor on behalf of our customers (who are the Data Controllers).

We only process personal data that has been provided by our customers, either through direct upload to the platform or via authorised third-party system integrations. This may include personal data and special category data, such as health data.

The purpose of this processing is to support our customers in streamlining data aggregation tasks, including reporting, searching, and deriving insights from their data. All such processing is carried out strictly in accordance with our customers' instructions and applicable data protection laws.

3. What Personal Data We Collect

We process personal data on behalf of our customers in order to provide our services. The types of data we process include:

a) Customer Account Data

Providing account and authentication data is necessary to access and use the platform. If this information is not provided, we may be unable to create or maintain your account or provide access to the service.

  • Name, email address, and job title
  • Organisation details
  • Login credentials

b) End-User Data

We process personal data that is uploaded to, or connected with, our system by our customers via authorised integrations or system connections.

This may include:

  • Personal details (such as names and identifiers)
  • Health and care information (including clinical records, notes, and reports)
  • Business and operational data (such as organisational records, service activity, and administrative information)
  • Administrative records (such as appointments, referrals, and service interactions)

c) Technical and System Data

  • IP address
  • Device and browser information
  • Usage logs and access records
  • System metadata (e.g. timestamps, document references)

We do not collect new personal data directly from individuals. We only process information that is already held within our customers' authorised systems or made available to us via direct upload or approved system integrations.

4. How We Collect And Use Data

We collect and process personal data in the following ways:

  • Directly from users, for example when creating an account or using administrative features of the platform. This data is used for authentication, login, and access management to ensure secure access to the platform.
  • From our customers' systems, where data is uploaded, transferred, or synchronised with our platform via authorised integrations or system connections. Where integrations are enabled, data may be continuously synchronised to ensure it remains up to date. Changes made in the source system (including updates, permissions changes, or deletions) may be reflected in our platform in accordance with the configuration and instructions provided by our customers. We do not use this data for any purpose other than providing the service to our customers, and access to this data is restricted to authorised customer use.
  • Automatically, through the operation of our systems, including technical logs, usage data, and cookies or similar technologies. This data is used for security monitoring, fraud prevention, and for the provision and ongoing maintenance and improvement of our platform.

5. Why We Use Your Information

We use personal data solely to support compliance, reporting, and data search functionality within our platform.

In particular, we use this information to enable authorised users to:

  • Search for information across connected systems more quickly and efficiently
  • Complete compliance and operational reporting tasks by providing an AI-enabled intelligence layer on top of existing data systems
  • Reduce the time and effort required to process, locate, and compile information from multiple systems

We do not use personal data to make automated decisions that produce legal or similarly significant effects on individuals. All outputs generated by the platform are decision-support tools only and must be reviewed and validated by authorised professionals.

The lawful basis for each processing activity described above is set out in Section 6 (Lawful Basis for Processing).

6. Lawful Basis For Processing

We process personal data in accordance with UK GDPR and the Data Protection Act 2018.

Where we act as a data processor, we process personal data on behalf of our customers under their instructions. In these cases, the lawful basis for processing is determined by our customers (the data controllers).

For personal data we process for our own operational purposes (such as account management, platform security, and support services), the lawful basis for processing depends on the specific purpose of the activity:

Lawful Basis under Article 6 UK GDPR

  • Public Task (Article 6(1)(e)). Where processing is necessary to support the delivery of healthcare services or related public service functions.

  • Legal Obligation (Article 6(1)(c)). Where processing is required to comply with legal, regulatory, or healthcare obligations.

  • Contract (Article 6(1)(b)). Where processing is necessary for the performance of a contract with our customers, including providing access to and operation of the FocusAI platform.

  • Legal Obligation (Article 6(1)(c)). Where processing is necessary to comply with applicable legal, regulatory, or healthcare-related obligations.

  • Legitimate Interests (Article 6(1)(f)). Where processing is necessary for the operation, security, and improvement of the platform, including ensuring system integrity, preventing misuse, and maintaining service performance, provided these interests are not overridden by the rights and freedoms of individuals.

Special Category Data

Where we process special category data (such as health information) as a data processor, we do so only under the documented instructions of our customers (the data controllers), who are responsible for identifying the appropriate Article 9 condition. To the extent we handle such data in our own operational capacity, our processing is carried out under Schedule 1 DPA 2018 condition 5 (health or social care).

Supporting Technical Processing

Where limited technical processing is required to operate the platform (such as search, indexing, and system optimisation), this is carried out under Legitimate Interests (Article 6(1)(f)), with appropriate safeguards in place.

7. How We Use And Process Data

Your information is processed using secure systems designed to support authorised users in searching, organising, and reviewing existing records more efficiently.

Our system processes data in the following ways:

  • Organising existing records into a structure that can be searched using natural language and semantic search capabilities
  • Helping authorised users identify relevant information based on their queries across connected datasets
  • Generating summaries that are strictly based on authorised source data
  • Maintaining traceability so that all outputs can be linked back to the original records
  • Extracting information from uploaded images where applicable

The purpose of this processing is to preserve the meaning and context of the original records while making information easier to access and review. All generated outputs are grounded in existing data, and system safeguards are in place to ensure outputs are constrained to authorised source information.

Some parts of the system use automated tools to assist with retrieving, organising, and summarising information.

These tools:

  • Do not make clinical or operational decisions
  • Do not replace professional judgement
  • Only assist authorised users in locating and summarising relevant information from existing records

All outputs are provided as decision-support tools and are intended to be used by authorised professionals as part of their normal workflows.

8. Data Sharing And International Transfers

We do not expand or broaden access to personal data. Data is only accessible to authorised users and systems based on existing permissions within our customers' environments.

Where integrations are enabled, data may be synchronised between systems to ensure information remains accurate and up to date.

We use third-party service providers to support the operation of our platform. These include:

  • Cloud infrastructure and hosting providers
  • Security and monitoring services
  • Technical support and maintenance providers
  • Analytics and system performance tools

All providers act as data processors under contractual and security obligations.

All access is strictly controlled so that:

  • Users can only access information they are already authorised to view within their underlying connected systems
  • The platform does not grant any additional or unauthorised access to data
  • Access is governed by role-based access controls and the security policies defined by the customer's organisation

We use secure cloud infrastructure providers to host our systems. Data remains encrypted and is protected using industry-standard security measures. Our infrastructure providers do not have access to the content of customer data.

All third-party processors and suppliers are subject to due diligence checks, including security and data protection assessments, before being engaged.

Where data is processed by third parties or infrastructure providers, appropriate contractual and technical safeguards are in place to ensure compliance with UK GDPR requirements.

We do not transfer personal data outside the UK unless required for service delivery. Where international transfers are necessary, we ensure appropriate safeguards are in place, such as UK-approved transfer mechanisms and technical protections including encryption, pseudonymisation, or anonymisation where appropriate.

9. Your Data Protection Rights

Where we process personal data on behalf of our customers, requests to exercise data protection rights should generally be directed to the relevant organisation (the data controller).

We will support our customers in responding to such requests where required.

Under UK GDPR, you have the right to:

  • Request access to your personal data
  • Request correction of inaccurate or incomplete data
  • Request restriction of processing in certain circumstances
  • Object to certain types of processing
  • Request deletion of your personal data, where legally permitted
  • Request the transfer of your data (data portability), in certain circumstances

Where we process personal data on behalf of our customers, data protection rights should generally be exercised through the relevant organisation (the data controller). We will support our customers in responding to any requests where required.

To exercise any of these rights, please log a ticket at: Customer Help Portal

Where processing is based on consent, you have the right to withdraw that consent at any time. This will not affect the lawfulness of processing carried out before consent was withdrawn.

We will respond to all valid data protection requests within one calendar month, in accordance with UK GDPR requirements.

10. Security Of Your Information

We use appropriate technical and organisational measures to protect personal data and ensure it is processed securely.

These measures include:

  • Role-based access controls to ensure only authorised users can access relevant data
  • Encryption of data in transit and at rest
  • Audit logging of system access and activity for security and accountability purposes
  • Ongoing security monitoring and compliance reviews
  • Access restrictions based on user role and organisational permissions, including clinical or operational need where applicable

11. Children's Data

Our platform is designed for use by healthcare and care organisations and is not intended for direct use by children. We do not knowingly collect personal data directly from children.

Where personal data relating to children is processed through the FocusAI platform, this occurs only as part of data held and controlled by our customers (such as NHS organisations or care providers). This data is accessed and processed by authorised professionals through the platform in order to support the delivery of health and care services.

In these circumstances, our customers remain the data controllers and are responsible for determining the lawful basis for processing, ensuring appropriate safeguards are in place, and meeting all obligations under UK GDPR and the Data Protection Act 2018 in relation to children’s data.

We process children’s personal data strictly on the documented instructions of our customers as a data processor and do not use this data for any independent purpose.

Where children’s data is included in customer systems, it may include health and care information, identifiers, and administrative records necessary for the provision of services. We apply the same technical and organisational safeguards to this data as we do to all personal data processed through the platform.

12. Data Retention

We retain personal data only for as long as necessary to provide our services and meet legal, regulatory, and contractual obligations.

As a data processor, retention of customer data is primarily determined by our customers and their source systems. Our platform is designed to stay aligned with these systems.

  • Account and user data is retained for as long as the account remains active and for a short period afterwards where required for security or legal purposes.
  • Connected or synchronised customer data is retained only while the customer uses the platform and remains connected. It is updated or deleted in line with the source system.
  • Platform-generated data (such as conversations, reports, and summaries) is retained only as long as necessary to provide the service and maintain functionality.
  • System logs and technical data are retained for limited periods for security, monitoring, and operational purposes.
  • Backups are retained for a short period to support recovery before being automatically deleted.

Our retention approach ensures compliance with the UK GDPR principles of data minimisation, storage limitation, and integrity of synchronised systems of record.

13. Complaints

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK supervisory authority for data protection matters, if you are unhappy with how we handle your personal data.

Information Commissioner’s Office (ICO)
Website: https://ico.org.uk
Telephone: 0303 123 1113

14. Cookies

We use cookies and similar technologies to support the operation and performance of our platform. For more information on how we use cookies and how you can manage them, please see our Cookie Policy.

15. Changes to This Notice

We may update this Privacy Notice from time to time. Any updates will be published on this page, and where appropriate, we will notify users of significant changes.