Focus360 Limited (“Focus360”, “we”, “us”, “our”) is committed to protecting your privacy and handling your personal data lawfully, fairly, and transparently. This Privacy Policy explains: what personal data we collect; how and why we use it; our lawful bases for processing; how data is shared; how long data is retained; and your rights under the UK General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018. This Policy applies to all users of the Focus360 website, platform, and services.

Focus360 Limited is the data controller for personal data processed in connection with our Platform and Services.

Company name: Focus360 Limited

Registered office: 124 City Road, London, EC1V 2NX

Email: info@focus360.co.uk

Where Focus360 processes data on behalf of an independent healthcare professional, we may act as a data processor (see section 7).

Focus360 is a non-diagnostic, nurse-led digital screening and coordination platform. We do not provide medical diagnosis, treatment, prescribing, or clinical opinions. Screening outputs and reports are non-diagnostic and informational only. Clinical services are provided solely by independent regulated healthcare professionals under a separate contract between you and that professional. This distinction is critical to understanding how your data is used and shared.

We may collect and process the following categories of personal data:

4.1 Identity and contact data Name Date of birth Email address Telephone number Postal address

4.2 Account and platform data Username and login credentials IP address Device and browser information Platform usage data Communications with us

4.3 Screening and assessment information Depending on the service used, this may include: self-reported screening questionnaires; background history information; symptom descriptions; uploaded documents (where enabled). This information is not diagnostic and is processed strictly within the limits described in this Policy.

4.4 Booking and administrative data appointment requests and confirmations; referral notes (administrative); payment status (not card details).

4.5 Special category data Some screening information may constitute special category health data under UK GDPR. We apply enhanced safeguards to this data (see section 6).

We collect data when you: register on the Platform; complete screening questionnaires or forms; request bookings or coordination services; contact us by email or through the Platform; use the website (via cookies and analytics).

Lawful Bases for Processing Under UK GDPR, we rely on the following lawful bases:

6.1 Contractual necessity Processing is necessary to: provide Platform access; deliver screening, administrative, and booking services; manage subscriptions or memberships.

6.2 Legitimate interests Processing is necessary for: service improvement; fraud prevention; platform security; governance, audit, and dispute resolution. We balance these interests against your rights and freedoms.

6.3 Consent We rely on consent where required, including: optional communications; certain screening activities; immediate provision of digital content. You may withdraw consent at any time, subject to legal limitations.

6.4 Legal obligation Processing may be required to comply with: safeguarding duties; court orders; regulatory or statutory obligations.

6.5 Special category data (health) Health data is processed under: Article 9(2)(h) UK GDPR (healthcare and management of health systems), and/or Article 9(2)(a) (explicit consent), with appropriate safeguards in place.

7.1 Independent healthcare professionals Where you request booking or referral services, we may share relevant information with the selected Professional for service delivery. Professionals act as independent data controllers for their own clinical records and are responsible for their own privacy notices.

7.2 Service providers We may share data with trusted third parties providing: IT hosting and security; payment processing; analytics and performance monitoring. All processors are contractually bound to confidentiality and data protection obligations.

7.3 Safeguarding and legal disclosure We may disclose information where reasonably necessary to: protect life or prevent serious harm; comply with safeguarding duties; meet legal or regulatory requirements. Such disclosures are limited to what is strictly necessary.

7.4 No sale of data We do not sell personal data to third parties.

Screening reports and outputs: are non-diagnostic; are intended for personal information and onward referral discussions only; must not be relied upon as medical evidence or determinative proof. Focus360 is not responsible for how third parties interpret or use screening information beyond its intended scope.

We retain personal data only for as long as necessary, including for: service delivery; clinical governance boundaries; safeguarding; audit and dispute resolution; legal and regulatory compliance. Indicative retention periods: Platform account data: up to 7 years after account closure

Screening data: up to 7 years (or longer where legally required) Financial records: as required by HMRC Data is securely deleted or anonymised when no longer required.

We implement appropriate technical and organisational measures, including: secure hosting environments; access controls and role-based permissions; encryption where appropriate; staff confidentiality obligations. No system is completely secure, but we take reasonable steps to protect your data.

You have the right to: access your personal data; request correction of inaccurate data; request erasure (subject to legal limits); restrict or object to processing; data portability (where applicable); withdraw consent. Requests should be sent to info@focus360.co.uk.

We will respond to valid SARs within one month. We may: request identity verification; refuse or charge for manifestly unfounded or excessive requests; withhold information that would disclose third-party data or legally privileged material.

Focus360 services are intended for adults unless expressly stated otherwise. Where children’s data is processed, enhanced safeguarding and parental responsibility checks apply.

We use cookies and similar technologies for: essential platform functionality; analytics and performance monitoring. You can manage cookie preferences via your browser or cookie banner.

Data is stored primarily in the UK or EEA. Where data is transferred outside these areas, appropriate safeguards (such as Standard Contractual Clauses) are used.

We may update this Privacy Policy to reflect legal, regulatory, or operational changes. Updated versions will be published on our website.