Privacy policy.
Effective and updated 20th March 2025
This privacy policy for LH HEALTH LTD ('Company', 'we', 'us', or 'our') describes how and why we might collect, store, use, and/or share ('process') your information when you use our services ('Services'), such as when you:
Visit our website at https://drlanasays.com, or any website of ours that links to this privacy policy
Engage with us in other related ways, including any consultations, sales, marketing, or events
Questions or concerns? Reading this privacy policy will help you understand your privacy rights and choices. If you do not agree with our policies and practices, please do not use our Services.
We respect your right to privacy and will only process personal information you provide to us in accordance with the General Data Protection Regulation (GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 as revised by the Privacy and Electronic Communications (EC Directive) (Amendment) Regulations 2011, and other applicable privacy laws.
We will not use or share your information with anyone except as described in this Privacy Policy.
1. Who we are
Dr Lana Says is a brand and service operated by LH Health Limited. The Company is registered with the ICO as a data controller and processor under the registration ZB658982. The Company is registered in England and Wales under company number 15342551. The registered office is 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom.
In this policy, ‘we’, ‘us’ and ‘our’ refers to LH Health Limited and ‘You’ means the person the information relates to. We are required by law to tell you how we use any personal information we hold on you. This policy sets out the basis on which any personal information we collect from you, or that you provide to us, will be processed by us and how you can get access to this information. In the European Economic Area (EEA) or the United Kingdom (UK) ‘personal information’ means any information relating to an identified or identifiable individual. Please review it carefully.
2. Purpose of the Policy
“We” provide you the “user” access to online services which may also be accessed by your mobile/cell phone. This includes but is not limited to https://drlanasays.com, and all associated domains (the “websites”) or subdomains or linked service webpages, and future services including mobile/cell phone apps. This also includes any healthcare tracking technology. This policy is designed in accordance with numerous national and international regulation frameworks, including (but not limited to) the General Data Protection Regulation (“GDPR”), the UK Data Protection Act 2018 (“DPA2018”) and the UK General Data Protection Regulation (“UKGDPR”).
3. Personal Information we hold
We may collect personal information including demographics including but not limited to personal data such as your name, address, email address, contact information, age or date of birth, financial information, health and lifestyle details that are relevant to the services you are interested in and device identifiers including internet protocol (IP) address and; Special Category Data such as information relating to your health, medical history, treatments both current and previous. Specific information may include but is not limited to; smoking status, body mass index (BMI), height, and weight. We take additional measures to protect special category data, such as health information, including restricting access to authorised personnel only, encrypting data in transit and at rest, and ensuring that all processing is carried out in compliance with relevant data protection laws. Additional information collected includes monitoring system visits and resources you access including but not limited to, traffic data, location data, health information articles, logs of communication within the platform and any resources you access.
4. Where this information comes from
This information comes from the following sources but is not limited to: using our websites or mobile application, registration to use certain services, placing orders for services or products on the website or our sales or registration pages, providing information on the website or our sales or registration pages, using medical or coaching services, written or verbal communication via telephone or email, downloading our mobile applications or using our websites, which allow us to collect information about any devices or software you use to access our services and your IP address, using and managing your account once registered (we may take information such as the date, amount and payment history), other service providers such as payment platforms, advertising and analytics and giving information to us at any other time, including through social media.
If you do not provide us with certain information that we request, you may be restricted in the services that you are able to access. If connected to the websites we may be able to access health-related data from health tracking technology. Information stored includes routine data analytics regarding your use of the websites including, but not limited to, link clicks, non-sensitive text, mouse movement, operating system type, version, browser or app version, time zone setting and usage of iPhone and android apps.
5. Purposes for Processing
Under data protection laws, whenever we process your personal information, we must have a legal basis for doing so. We currently rely on these legal bases to process the activities we carry out. The performance of a contract between “you” and “us” or in order to take steps at the request of “you” prior to entering into a contract with “us”. Article 6(1)(b) of the GDPR regulation. Except for Direct Marketing for which we gain clear consent. Article 6(1)(a) of the GDPR regulation.
Special Category data: outlined in Article 9 of the GDPR: Article 9(1) - which includes data concerning health and biometrics, as processing is necessary for: Article 9(2)(h) - medical diagnosis, the provision of health care and/or treatment and/or management of healthcare systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3: Article 9(3): personal data referred to in point a, may be processed for the purposes of point b, when those data are processed by, or under the responsibility of a professional or another person subject to the obligation of professional secrecy under Union or Member State law or rules established by national competent bodies.
We only process your personal information under a valid ‘legal basis’ in the EEA and UK which includes:
You have consented to the use of personal information, for example to send marketing information or use cookies. Out of contractual necessity. We need your information to provide you with services. We have a legal obligation to use personal information for certain processes e.g. tax and accounting. There may be legitimate interests in using personal information with us or third-parties. For example in product development and internal analytics. We may use it to improve the performance, safety and quality of services. A third party may be required only to process your information provided they are not overridden by your rights and interests.
6. How we use your information
We take the use of, and protection of your data seriously. We aim to ensure the privacy, quality and integrity of your personal information. We have policies, procedures and safeguards in place to help protect personal information from improper use and disclosure. We use your information principally to provide you a service and deliver our contract to you. We may collect and use your personal information, including your special category data if you have given us specific consent. All personal data and information is used for but not limited to, internal operations, planning and other activities that assess and improve service quality and cost-effectiveness. This information may be used to communicate with you and to complete tasks required for providing you a service.
We may use automated decision-making tools to assist in providing personalised services and recommendations. These tools are based on health and lifestyle information provided by you. You have the right to object to automated decision-making if it significantly affects you, and we will review any such decisions manually upon request.
Our policies are based on a Minimum Necessary Access principle. Any required disclosure of identifiable information is minimised. There are specific examples in which we may disclose information. This list is not exhaustive but it is representative of how information may be processed. Certain disclosures may require your authorisation. Information on disclosures is provided in section 7.
7. Sharing your information with others
We may share information to ensure we can provide a service to you. We may use the information to communicate with you in the event of product unavailability, disruptions to service, queries, complaints or to obtain feedback. We may use the information to carry out security checks such as confirming identity. We may use this information to manage your account on the websites, for research and statistical purposes, to keep you informed of any products or services you use on the websites, to improve on the services and products available to you, to develop a more personalised service.
Whilst we will ensure that your information is kept protected, we may need to share your information, for purposes set out in this policy, with: Our partners in delivering services or products to you and other service providers, agents and their subcontractors. Examples of disclosures: Disclosure at your request: relating to your use of the websites when requested by you as the user. Payment: We do not store your details. These are managed by our third party processor, Stripe. They store your information and transaction details. Evidence of transactions are stored on secure servers.
Operations, reminders and notifications: Personal information may be used for internal operations, including administration, planning and improving quality of the service. This might include internal training, customer services, surveys to improve quality. You may receive communications from us as reminders for interaction or to complete actions.
Third party service providers: We may share information with third-party service providers who are providing services on our behalf including those acting as data processors. Third-parties are subject to privacy and security obligations consistent with our privacy policy, and within legal data protection frameworks. They are only able to use and process information as specified by us. Service providers may include secure web servers in the EU and US, search engine website providers, and other service providers who enable us to allow service provision, collect information or assist you with an issue.
Anonymised information may assist us in marketing and advertising activities or improving our service and website. These services are used to enhance and improve the user experience and to perform any other function that LH Health Limited believe in good faith is required to protect and ensure the proper functionality and security of the websites. Third party medical professionals: With your consent we may disclose personal information to a third-party medical professional nominated by you: e.g. GP or local NHS service. This may be in the form of a discharge letter or an electronic disclosure to an electronic patient record.
Threat to health and safety and safeguarding: Information may need to be provided without consent if there is an immediate threat or high risk threat to your health and safety or that of another individual including minors under the age of 18. Any disclosure would be done within legal frameworks, protect individuals and/or prevent a threat.
As required by law: Certain laws permit or require use and disclosure of personal information, for example, for public health activities and law enforcement. We may be required to disclose personal information for these and other compliance purposes. If this is required by applicable laws and regulations, requested by judicial process or government agencies. We will only use or disclose personal information that the law requires.
Research and publicity purposes: Personal information may be used for internal and external publicity and research purposes. This information will remain non-identifiable unless express consent has been obtained by the user. This information may be used for provision of public information of academic research. Transfer of business assets: If LH Health Limited or substantially all of its assets are acquired by a third party, personal information held by it about its customers will be one of the transferred assets.
Except as described above, we will never share your personal information with any other party without your consent.
8. Sharing your information outside the European Economic Area (EEA)
On occasions, we may need to process your information outside of the EEA. We ensure that your information is protected when transferred outside the EEA by using Standard Contractual Clauses (SCCs) or other approved mechanisms in line with GDPR. Where applicable, we also apply pseudonymisation to further protect your data.
9. Where we store your information and important storage security information
We, and the third-party processors we use that act on our behalf (such as mailing companies, courier/delivery companies, distribution companies, printing companies, freelance staff, consultants, and software providers), collect, store, and use your personal information for the following purposes:
To schedule an appointment to speak with Dr. Lana Hussain, an LH HEALTH LIMITED team member, or consultant about a product or service – with your consent;
To respond to your customer service requests – with your consent;
To process transactions – in order to fulfil our contractual duties to you;
To carry out obligations arising from contracts between you and us and to provide requested information, products, and services – to fulfil our contractual duties;
To provide information about other goods and services we offer that are similar to those you have already read, purchased, or enquired about – with your consent;
To notify you about changes to our service – based on our legitimate interest in keeping you informed;
To administer our site and for internal operations (e.g., troubleshooting, data analysis) – based on our legitimate interest in improving site functionality and user experience;
To improve our site and ensure content is presented in the most effective manner – based on our legitimate interest in enhancing our services;
To allow you to participate in interactive features of our service – based on our legitimate interest in providing user engagement;
To ensure the security of our site – based on our legitimate interest in protecting data and systems;
To measure or understand the effectiveness of our advertising and to deliver relevant advertising to you – with your consent.
We use the following third-party services to store and process your personal data. All listed services encrypt your data both in transit and at rest to ensure your information is protected, and have safeguards in place to ensure secure international data transfers:
YouCanBook.me (Appointment Scheduling): Data is stored on Amazon Web Services (AWS) servers located in the EEA (Ireland).
Google Calendar (Appointment Scheduling): Data is processed on global servers, including those outside the EEA.
ConvertKit (Checkout and Marketing Emails): Data is processed in the U.S. and EEA.
Google Meet (Consultations and Webinars): Data is processed globally.
Stripe (Payment Processing): Data is processed in the U.S. and EEA.
Typeform (Survey & Form Services): Data is processed globally.
Google Forms (Survey & Form Services): Data is processed globally.
Leadpages (Website and Landing Pages): Data is processed globally.
Google Drive (Document Storage): Data is processed globally.
Carepatron (Client Records): Data is stored on GDPR and HIPAA-compliant servers.
Squarespace (Website Hosting and Services): Data is processed on global servers, including those outside the EEA.
Zapier (Automation & Data Integration): Data is processed globally to automate secure transfers between appointment scheduling and email marketing platforms.
We take appropriate security measures to protect your personal data through the use of third-party technologies, including encryption of your data in transit using TLS and at rest using industry-standard encryption protocols (e.g., AES-256). Our third-party processors also implement multi-factor authentication and conduct regular security audits.
You have the right to access, correct, or delete your data at any time by contacting us at hello@drlanasays.com. We retain your personal data only as long as necessary to fulfil the purposes for which it was collected or as required by applicable laws.
10. Data retention
Under ICO principle 5 and article 5 of GDPR and UK GDPR we retain personal information no longer than is necessary for the purpose we obtained it for. With the context that your personal information may be used for research purposes we will retain any information held on individuals for up to 10 years after that individual ceases use of our services. At this point individual’s information is deleted. You may request that we delete your information at any time. If you have concerns that any of your rights regarding personal information retention, maintenance or use by us, employees, agents or third-parties related to us please do contact us.
Special category medical information is required by law to archive electronic patient records including your personal information, communication and treatments indefinitely for the foreseeable future. Please note that this data is stored but not used in any way.
11. Children & Adolescent Privacy
We do not knowingly collect, maintain or use personal information for any individual under 18 years of age. No part of our service is directed to children. If you are aware a child has provided us personal information then do alert us at the earliest opportunity by using our contact forms.
12. Your Rights
You have rights to the way we use your information: You have the right to ask us for a copy of the information we hold on you. You have the right to ask us to correct or update any information you think is incorrect or incomplete. (We will correct what we believe to be incorrect or incomplete.) You have the right to object to your information being used for research, statistical and direct marketing purposes and/or withdraw consent.
You have the right to ask us to stop using your information. We will stop using your information if there is no legal reason for us to continue to hold or use it. You have the right to object to any automated decision making. This could affect your ability to fully access our products and services. You have the right to ask us to stop using your information for marketing purposes by opting out during the registration process or updating your preferences once registered. You have the right to ask us to transfer certain personal information or a copy of some of your information to you or to another organisation, including service providers, in a format they can use where this is technically possible, known as the ‘right to data portability’.
You have the right to withdraw any permission you have previously given us to use your information. To use the rights set out as above, see the ‘contact us’ section below for the various methods by which you exercise those rights.
13. Cookies
We may obtain personal information about your usage of the website by using a cookie file which is stored on the hard drive of your device. Cookies help us to give you a smooth user experience, improve the websites and deliver better services. They enable us to recognise when you return to the websites, maintain personal information you have entered, speed up searches, understand usage patterns and store information about your preferences. They may allow us to customise the site according to your preferences.
We and third-parties may use different types of cookies including Google Analytics cookies to inform, optimise and serve ads based on past visits to the website via other sites known as re-marketing. Opting out can be done by using your Google Ads preferences manager. Below is an overview of types of cookies that may be used.
Strictly necessary cookies may be necessary to make the services available to you. Without these we cannot provide services to you. Functional cookies are used to recognise you when returning back to access services. Our content may be adapted to you and remember your preferences e.g. language or region. Analytical or performance cookies may be used to operate, maintain and improve services. Third party analytics providers may be used to support the service. Where required by applicable law, we obtain consent to use cookies. You can refuse to accept cookies by changing your device settings. If you select this you may not be able to access all parts of the system. Our system may issue cookies unless you change specific settings within your browser.
We typically use a consent banner to allow you to manage your cookie preferences when you first visit our site. You can update your preferences at any time through the 'Manage Cookies' link at the bottom of the page.
14. Other information
Our website may contain links to external websites. If you follow a link to any of these websites, please note that these websites have their own privacy policies and that we do not accept any responsibility or liability for these policies. Please check these policies before you submit any personal information to these websites.
15. Contact us
Options:
Email us at: hello@drlanasays.com
Write to us at: LH Health Limited, 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ, United Kingdom
16. Policy amendments
We reserve the right to revise this policy and to make the revised policy effective for all personal information prior to the effective date of the revised policy. If we make any changes to this policy or change how we use your information, we will post a notification update on our website. In certain cases we may email you directly using the information we have stored on the system.