Call Us Now: +44 1721 360 045
1. Who We Are
Castle Craig Hospital Ltd is the Data Controller for all personal data collected through Castle Health Group websites and all enquiries submitted via phone, web form, chat, email or messaging service.
Data Controller
Castle Craig Hospital Ltd
Blyth Bridge
West Linton
EH46 7DH
Scotland, United Kingdom
Email: info@castlecraig.co.uk
Tel: +44 (0)1721 722 763
ICO Registration Number: Z497039X
Castle Craig Hospital Ltd centrally manages all marketing, enquiry management, website operations, LiveChat, analytics, cloud storage, and digital communications on behalf of:
- Smarmore Castle Private Clinic (Ireland)
- CATCH Recovery (England)
- Castle Craig Hospital Ltd (Scotland)
- Castle Craig Netherlands (Netherlands)
- SBK Stockholm (Sweden)
Although these are separate legal entities, all website-related data collection and first-line enquiry handling are conducted by Castle Craig Hospital Ltd as Data Controller.
For EU/EEA users visiting our Irish, Dutch or Swedish websites, Castle Craig Hospital Ltd remains the data controller under Article 3(2) EU GDPR.
2. How We Collect Your Personal Data
We collect personal data when:
- You submit an enquiry
- You call our helplines
- You use LiveChat
- You complete a referral or admissions form
- You subscribe to newsletters
- You browse our websites
- Friends, family, clinicians or referrers contact us on your behalf
The data collected may include:
2.1 Personal Information
- Name, email, telephone number
- Country/region
- Preferred contact method
- Relationship to the individual (for family/referrer enquiries)
2.2 Special Category (Health) Data
With your explicit consent (Article 9(2)(a)):
- Information about addiction, mental health, medical history
- Risk concerns (e.g., detox need, safeguarding)
2.3 Technical Data
Collected automatically:
- IP address
- Browser type/version
- Device type
- Operating system
- Website pages viewed
- Time zone
- Cookies and tracking technologies (see Cookie Policy)
2.4 Communication Data
- Emails
- Call notes
- LiveChat transcripts
- Web forms
- Call recordings where in use (subject to DPIA)
3. Lawful Bases for Processing
We process your data under:
| Processing Purpose | Lawful Basis |
| Responding to enquiries | Legitimate Interests (Art. 6(1)(f)) |
| Handling referrals/admissions | Contract / Steps prior to contract (Art. 6(1)(b)) |
| Processing health information to assess suitability for treatment | Explicit Consent (Art. 9(2)(a)) |
| Staff training and quality assurance (e.g. call reviews) | Legitimate Interests |
| Legal, regulatory and clinical obligations | Legal Obligation (Art. 6(1)(c)) |
| Marketing communications | Consent (opt-in only) |
We do not use your health data for marketing.
4. How We Use Your Data
Your data is used to:
- Respond to your enquiries
- Provide information about treatment options
- Assess clinical suitability
- Arrange admissions or assessments
- Coordinate with clinical or admissions teams
- Improve website performance and user experience
- Maintain security and detect misuse
- Provide marketing communications where consented
All enquiry handling for all Castle Health Group websites is conducted by Castle Craig Hospital Ltd.
5. Who We Share Data With
We only share your data when necessary, including with:
5.1 Other Castle Health Group Clinics
Where appropriate—for example, if:
- You enquire about more than one clinic
- You require treatment at a specific location
- You ask us to share your data with another site
Sharing is based on legitimate interests or explicit consent, depending on the nature of information.
5.2 Third-Party Processors
CCH uses trusted suppliers for:
- Website hosting
- Cloud storage
- Email delivery
- LiveChat and call systems
- Analytics
- Referral management
- Secure messaging
All suppliers are bound by Data Processing Agreements (DPA) and GDPR-compliant safeguards.
5.3 Legal or Regulatory Bodies
When required by law (e.g., safeguarding, law enforcement, regulatory authorities).
We do not sell or trade personal data.
6. International Transfers
Because our clinics operate across the UK, Ireland, the Netherlands, and Sweden, some data is transferred between these jurisdictions.
Transfers outside the UK/EU are protected by:
- UK Addendum to EU SCCs
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Encryption and secure channels
7. How Long We Keep Your Information
| Data Type | Retention Period |
| Enquiry data (non-admitted) | 6 months |
| Clinical treatment data | 6 years (UK), or longer if legally required |
| Financial records | 7 years (HMRC/DPA) |
| Marketing subscriber data | Until you unsubscribe |
| Website analytics | 26 months (Google default) |
Where you enter treatment, an updated patient privacy notice will be issued.
8. How We Protect Your Data
We use a combination of:
- Encryption (in transit and at rest)
- MFA on all systems
- Strict access controls
- Staff confidentiality agreements
- Secure cloud environments
- Regular audits and DPIAs
- Anonymisation and pseudonymisation where possible
9. Your Rights
You have the following rights:
- Right to be informed
- Right of access (Subject Access Request)
- Right to rectification
- Right to erasure (where applicable)
- Right to restrict processing
- Right to data portability
- Right to object
- Rights related to automated decision-making
To exercise your rights, email: dpo@castlecraig.co.uk
10. How to Request Your Data
Submit a Subject Access Request by contacting our Data Protection Officer:
Email: dpo@castlecraig.co.uk
Address: Castle Craig Hospital, Blyth Bridge, West Linton, EH46 7DH
We will respond within one month, or two months for complex cases.
11. Complaints
If you have concerns about how your data is handled:
Internal Complaint Route:
Data Protection Officer
Castle Craig Hospital
Blyth Bridge
West Linton
EH46 7DH
Email: dpo@castlecraig.co.uk
UK Supervisory Authority (ICO):
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire, SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk
EU/EEA Supervisory Authorities
Users in Ireland, the Netherlands or Sweden may contact your national authority.
12. Cookies
Our websites use necessary, functional, analytical and advertising cookies.
See our Cookie Policy for full details, including how to manage preferences.
