Privacy policy

Last updated: May 2026

1. Who we are

Earan Ltd ("Earan", "we", "us") is the data controller for the personal information described in this policy. Our registered office is at 20 Yalden Gardens, Farnham, Surrey, GU10 1FJ, United Kingdom.

If you have any questions about this policy or your personal data, contact our Data Protection Lead at privacy@earan.co.uk or call 07474 606175.

2. What personal data we collect

2.1 When you book an appointment

  • Patient name, phone number, and home address
  • Booker name and phone number (if booking on behalf of someone else)
  • Booker email address (if provided)
  • Postcode and coverage-check results
  • Service selected, requested date, and time window
  • Pre-screening health information (recent ear surgery, blood-thinning medication)

2.2 When you contact us

  • Name, phone number, email address, and the content of your message

2.3 Automatically collected data

  • IP address (hashed and truncated for rate-limiting and fraud prevention)
  • Error reports via Sentry (may include browser type and page URL; no patient data is included)

2.4 Special category data

Pre-screening answers about ear surgery and blood-thinning medication constitute health data under Article 9 of the UK GDPR. We explain the lawful basis for processing this data in section 3 below.

3. Lawful basis for processing

3.1 Ordinary personal data

We process your personal data under Article 6(1)(b) of the UK GDPR — processing is necessary for the performance of the contract between you and Earan when you book and receive an audiology appointment.

3.2 Special category (health) data

We process health data under Article 9(2)(h) of the UK GDPR — processing is necessary for the provision of health care, carried out by or under the responsibility of a health professional who is subject to a duty of confidentiality. Our audiologists are registered with the Health and Care Professions Council (HCPC registration numbers: Fariba Faghan, HAD004481; Mohsen Golshahi, HAD004743).

3.3 Other lawful bases

  • Legitimate interest (Art. 6(1)(f)): fraud prevention, service improvement, and internal audit logging.
  • Legal obligation (Art. 6(1)(c)): where we are required by law to retain records (see section 5).

4. How we use your data

  • To check whether we cover your postcode area
  • To process, confirm, and manage your booking
  • To send you appointment confirmations, reminders, and cancellation notices by email and SMS
  • To enable our audiologists to prepare for and carry out your appointment
  • To handle complaints and resolve disputes
  • To maintain an audit trail for clinical governance
  • To detect fraud and prevent abuse of our booking system

5. Data retention

We retain personal data for the following periods:

  • Adult patient records (age 17+): 8 years from the date of the last appointment, in line with NHS records management guidance.
  • Under-17 patient records: retained until the patient's 25th birthday, or 8 years after the last appointment, whichever is longer.
  • Coverage checks: 12 months.
  • Contact form submissions: 12 months.
  • Audit logs: retained for the same period as the associated booking record.
  • Error tracking data (Sentry): 90 days.

After the retention period, records are securely deleted or anonymised.

6. Who we share your data with

  • Our audiologists: to carry out your appointment. They are bound by professional confidentiality under HCPC standards.
  • Service providers: we use Resend (email delivery), Twilio (SMS delivery), Neon (database hosting), and Vercel (website hosting). These providers process data on our behalf under data processing agreements.
  • Sentry: error monitoring. No patient-identifiable data is sent to Sentry.

We do not sell your personal data. We do not share it with third parties for marketing purposes.

7. International transfers

Some of our service providers (Resend, Twilio, Vercel, Sentry) may process data outside the UK. Where this occurs, transfers are protected by Standard Contractual Clauses approved by the ICO, or the provider is certified under an adequacy framework recognised by the UK.

8. Your rights

Under the UK GDPR, you have the right to:

  • Access your personal data (Subject Access Request)
  • Rectify inaccurate or incomplete data
  • Erase your data ("right to be forgotten"), subject to our legal retention obligations
  • Restrict processing in certain circumstances
  • Data portability — receive your data in a structured, machine-readable format
  • Object to processing based on legitimate interest

To exercise any of these rights, email privacy@earan.co.uk. We will respond within one calendar month.

9. Complaints

If you are unhappy with how we have handled your personal data, you have the right to complain to the Information Commissioner's Office (ICO):

We would appreciate the opportunity to address your concern before you contact the ICO. Please reach out to us first at privacy@earan.co.uk.

10. Changes to this policy

We may update this policy from time to time. The "last updated" date at the top of this page indicates when the policy was last revised. We will notify you of material changes by posting a prominent notice on our website.