Privacy Policy

Our Privacy Promise

We promise that we’ll tell you how we use your data and we’ll use it responsibly. Plus, we’ll make sure we collect and store your data securely.

Last updated: 21 April 2026

This Privacy Policy explains how the Window to the Womb group of companies collects, uses, shares and protects personal data in connection with our services, our websites and our apps. It applies to clients of our clinics, visitors to our websites, and users of our apps, and forms part of the terms on which you book and receive services from us.

We are committed to handling your personal data transparently, securely and in accordance with the UK General Data Protection Regulation (the “UK GDPR”), the Data Protection Act 2018 (the “DPA 2018”), and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (the “PECR”).

Contents

  1. About this Privacy Policy
  2. Who we are
  3. How to contact us about your data
  4. The personal data we collect
  5. Health and other special category data
  6. How we use your personal data and our lawful basis
  7. Where we obtain your data
  8. Who we share your data with
  9. The Parent Room and MyScan apps
  10. International transfers of data
  11. How long we keep your data
  12. Security of your data
  13. Marketing communications
  14. Cookies and website analytics
  15. CCTV
  16. Reviews and testimonials
  17. Safeguarding
  18. Your data protection rights
  19. How to exercise your rights
  20. Complaints and the Information Commissioner’s Office
  21. Changes to this Privacy Policy

1. About this Privacy Policy

This Privacy Policy applies to personal data processed by the Window to the Womb group of companies (“WTTW”, “we”, “us” or “our”) in the following contexts:

  • when you visit or use our websites, including windowtothewomb.co.uk, firstscan.co.uk, firstscanhealth.co.uk, or baby-scan.co.uk;
  • when you make, manage or attend an appointment at any of our clinics (including our licensed franchised clinics);
  • when you use our apps, The Parent Room and MyScan;
  • when you undergo a blood test referred by us to a third-party laboratory;
  • when you contact us, provide feedback or respond to our communications.

Our websites and services may contain links to third-party websites, apps or services with their own privacy policies. This Privacy Policy does not apply to those third parties and we are not responsible for their data practices. You should review their privacy policies before providing personal data to them.

2. Who we are

The Window to the Womb group is a UK-based provider of private pregnancy ultrasound scanning, women’s health scanning and related services. Our services are delivered through our company-owned clinics and through a national network of independently owned, licensed franchised clinics operating under the Window to the Womb brand.

The data controllers under this Privacy Policy are:

  • Window to the Womb (Franchise) Limited (the principal data controller). Registered office: Victoria Works, Woodhead Road, Holmfirth, HD9 2PR. Company number: 08756928. ICO registration: ZA167524.
  • firstScan Limited. Registered office: Victoria Works, Woodhead Road, Holmfirth, HD9 2PR. Company number: 10512110. ICO registration: ZB572348.
  • Firstscan Health Limited. Registered office: Victoria Works, Woodhead Road, Holmfirth, HD9 2PR. ICO registration: ZB961807.

Window to the Womb (Franchise) Limited (“WTTWFL”) is the principal data controller. WTTWFL owns and operates the booking, clinical reporting, customer relationship management and related systems used across the group, and is therefore the controller of personal data held on those systems.

Where services are provided by firstScan Limited or Firstscan Health Limited, those entities act as joint controllers with WTTWFL for the personal data processed in connection with the services they deliver. The allocation of responsibilities between the joint controllers under Article 26 UK GDPR is documented internally and is available on request.

Our licensed franchised clinics are independent limited companies licensed by WTTWFL to operate clinics using WTTWFL’s systems, processes and standards. When our franchised clinics collect, input or otherwise handle personal data in connection with your booking or appointment, they do so on behalf of WTTWFL as processors under a written data processing agreement. The franchised clinic is not a separate controller of your personal data, and your contact point for all data protection matters is WTTWFL, regardless of which clinic you attend. A current list of our licensed franchised clinics is available on our website.

Our clinics in England are regulated by the Care Quality Commission (CQC) as providers of a diagnostic imaging service. We are not currently registered with equivalent bodies in Scotland, Wales or Northern Ireland, as our service is not doctor-led.

3. How to contact us about your data

Our Data Protection Officer is Sara Lemm. If you have any questions about this Privacy Policy, the personal data we hold about you, or you wish to exercise any of your data protection rights, please contact us at:

  • Email: [email protected]
  • Post: Data Protection Officer, Window to the Womb (Franchise) Limited, Victoria Works, Woodhead Road, Holmfirth, HD9 2PR

Please include your full name, the clinic location you attended (if applicable), and sufficient information for us to identify you and respond properly. For security reasons we may ask you to verify your identity before we release or act upon personal data.

4. The personal data we collect

Depending on how you interact with us, we may collect and process the following categories of personal data:

4.1 Identity and contact data

Your title, first name, surname, date of birth, postal address, email address, telephone number(s), and, where provided, the name and contact details of a partner or accompanying person.

4.2 Pregnancy and clinical history

Your estimated due date (EDD), gestational age, details of your current and previous pregnancies, relevant medical history, current medication, allergies, BMI (where relevant for scan interpretation), the contact details of your GP and your preferred NHS maternity unit or hospital. For Women’s Health services, your presenting symptoms and relevant gynaecological or reproductive history.

4.3 Scan data and clinical outputs

The images, recordings, measurements, diagnostic interpretation and clinical notes generated during and after your appointment, including any reports and images we make available to you or share with a third party at your request (for example, your NHS care provider or your GP).

4.4 Blood test data

Where you undergo a blood test referred by us to a third-party laboratory, the details contained on your blood test request form, the fact of sample collection, and, where returned to us, the laboratory’s report and results.

4.5 Transaction data

Information relating to your booking, the services you have purchased, the amount paid, the method of payment, the date of the transaction and any refund we have issued. Payment card details are collected and processed by our payment service providers; we do not store your full payment card number on our systems.

4.6 Communications data

The content and metadata of communications exchanged with us, including emails, letters, telephone calls (which may be recorded for training and quality purposes, with notice), online chat messages, app messages and SMS messages, as well as feedback and reviews you provide.

4.7 App account data

Where you register for an account on The Parent Room or MyScan app, your account credentials, profile information, appointment history, stored scan media and report(s), and usage information relating to the app. Further detail is set out in section 9 below.

4.8 Website, device and technical data

IP address, browser type and version, device type, operating system, referrer URL, pages visited, time spent on pages, search queries within our websites, interactions with our online forms, and cookie and similar identifier data. See section 14 below.

4.9 Marketing and preference data

Your marketing preferences, your history of opting in to or out of marketing, the channels you have chosen to receive, and your responses to our campaigns.

4.10 CCTV footage

Where CCTV is in operation at a clinic (see section 15), images of you captured while on the premises.

5. Health and other special category data

Because we provide a diagnostic clinical service, much of the personal data we process about you is “special category” data for the purposes of Article 9 UK GDPR. In particular, this includes data concerning your health, your pregnancy and, as a result of the nature of the service, information that may reveal biological sex or medical conditions.

The principal lawful basis on which we process special category data is Article 9(2)(h) UK GDPR (processing necessary for the provision of health care or treatment and the management of health care systems and services), read together with Schedule 1, Part 1, Paragraph 2 of the DPA 2018. Processing under this basis is undertaken by health care professionals and staff bound by an obligation of professional confidentiality.

In certain circumstances we may also rely on:

  • Article 9(2)(a) — your explicit consent (for example, where you ask us to share your records with a specified third party who is not part of your care team);
  • Article 9(2)(c) — processing necessary to protect the vital interests of you or another person where you are physically or legally incapable of giving consent (for example, in a medical emergency);
  • Article 9(2)(f) — processing necessary for the establishment, exercise or defence of legal claims;
  • Schedule 1, Part 2, DPA 2018 — where we process health data for reasons of substantial public interest, including for safeguarding purposes (see section 17).

We apply additional safeguards to special category data. Access is restricted to those who need it to perform their role, audit trails are maintained for clinical records, and retention is aligned with the NHS Records Management Code of Practice 2021.

6. How we use your personal data and our lawful basis

We only process your personal data where we have a lawful basis under Article 6 UK GDPR (and, where applicable, Article 9). The following table sets out the main purposes for which we process your personal data and the lawful basis we rely on in each case.

Each entry below gives the purpose; the categories of data; the lawful basis (Article 6); and, where applicable, the additional basis for health data (Article 9).

  • Managing your booking and appointment (including confirmations, reminders, rescheduling and cancellations). Data: identity, contact, pregnancy/clinical history, transaction, communications. Article 6: Contract (Article 6(1)(b)). Article 9: Article 9(2)(h).
  • Performing the scan, preparing the clinical report and making the scan images, recordings and report available to you. Data: all categories, including scan and clinical data. Article 6: Contract (Article 6(1)(b)). Article 9: Article 9(2)(h).
  • Referring you for a blood test with a third-party laboratory, where requested. Data: identity, contact, pregnancy/clinical history, blood test data. Article 6: Contract (Article 6(1)(b)). Article 9: Article 9(2)(h) and/or 9(2)(a) where required by the laboratory.
  • Receiving, reviewing and communicating blood test results where returned to us. Data: blood test data, identity, contact. Article 6: Contract (Article 6(1)(b)). Article 9: Article 9(2)(h).
  • Providing and managing your account on The Parent Room or MyScan app. Data: app account data, identity, contact, scan and clinical data. Article 6: Contract (Article 6(1)(b)). Article 9: Article 9(2)(h).
  • Taking payment and preventing payment fraud. Data: identity, contact, transaction. Article 6: Contract (Article 6(1)(b)); Legitimate interests (Article 6(1)(f)).
  • Sending you administrative communications (for example, safety information, changes to your appointment, responses to enquiries). Data: identity, contact, communications. Article 6: Contract (Article 6(1)(b)); Legitimate interests (Article 6(1)(f)). Article 9: Article 9(2)(h) where relevant.
  • Sending you marketing communications about our services (see section 13). Data: identity, contact, marketing preferences, limited service history. Article 6: Legitimate interests (Article 6(1)(f)), and in accordance with the “soft opt-in” at Regulation 22(3) PECR; or your consent (Article 6(1)(a)) where required.
  • Requesting and handling feedback, reviews and complaints. Data: identity, contact, communications. Article 6: Legitimate interests (Article 6(1)(f)); Legal obligation (Article 6(1)(c)) for regulated complaints. Article 9: Article 9(2)(h) where clinical; Article 9(2)(f) for defence of claims.
  • Operating our website and apps, analytics, improving the service. Data: website/device/technical data, app account data. Article 6: Legitimate interests (Article 6(1)(f)); Consent (Article 6(1)(a)) for non-essential cookies.
  • Regulatory compliance, including clinical governance and CQC inspection. Data: all categories where required. Article 6: Legal obligation (Article 6(1)(c)); Legitimate interests (Article 6(1)(f)). Article 9: Article 9(2)(h); Schedule 1 DPA 2018 where applicable.
  • Safeguarding (see section 17). Data: all categories where relevant. Article 6: Legal obligation (Article 6(1)(c)); Vital interests (Article 6(1)(d)). Article 9: Article 9(2)(c); Schedule 1, Part 2, Paragraph 18 DPA 2018 (safeguarding of children and individuals at risk).
  • Security of premises (CCTV, where deployed; see section 15). Data: CCTV footage. Article 6: Legitimate interests (Article 6(1)(f)).
  • Establishing, exercising or defending legal claims. Data: any category as required. Article 6: Legitimate interests (Article 6(1)(f)); Legal obligation (Article 6(1)(c)). Article 9: Article 9(2)(f).
  • Compliance with other legal obligations (including tax, accounting, anti-money laundering, responding to lawful requests from authorities). Data: all categories where required. Article 6: Legal obligation (Article 6(1)(c)). Article 9: as required.

Where we rely on legitimate interests, we have carried out and documented a Legitimate Interests Assessment (LIA), applying the three-part test of (i) legitimate purpose, (ii) necessity, and (iii) balancing against the rights and reasonable expectations of the individual. You may request further information about our LIA by contacting our DPO.

7. Where we obtain your data

We collect personal data from the following sources:

  • Directly from you, when you make a booking, attend an appointment, use our websites or apps, contact us, or respond to our communications or surveys.
  • From a person booking on your behalf, where a partner, family member or friend has arranged your appointment for you. If you book for someone else, you must have that person’s authority to share their personal data with us.
  • From our licensed franchised clinics, when they collect your data at the clinic and input it into our shared systems.
  • From third-party laboratories, where we receive blood test results for a test we have referred.
  • From third parties acting on our behalf, such as the providers of our payment, communications, analytics and hosting services.
  • From publicly available sources, only where specifically relevant, such as open company data for the verification of business contacts.

8. Who we share your data with

We share personal data only where necessary and in accordance with this Privacy Policy and the law. The categories of recipient are:

8.1 Within the WTTW group

Personal data may be shared between WTTWFL, firstScan Limited and Firstscan Health Limited for the purposes set out in this Privacy Policy, including the operation of shared systems.

8.2 Our licensed franchised clinics

Our franchised clinics access and input personal data on our systems in order to deliver services to you. They are bound by written contract, including data protection terms under Article 28 UK GDPR, to process your data only in accordance with our instructions and with appropriate technical and organisational safeguards.

8.3 Third-party laboratories (blood tests)

Where you elect to have a blood test as part of or alongside your appointment (for example, an early gender blood test or Non-Invasive Prenatal Testing, “NIPT”), your sample and the information contained on the blood test request form are processed by the relevant third-party laboratory. The laboratory acts as a data controller in its own right for the processing of your sample and the production of your test results, and will obtain your specific consent at the point of blood collection, typically through a separate laboratory consent form. Where test results are returned to us for communication to you, we process those results as set out above. The identity of the laboratory used for your test will be notified to you at the point of consent, and the laboratory’s own privacy information will apply to its processing of your data.

8.4 Service providers and processors

We use carefully selected service providers who process personal data on our behalf. Each is engaged under a written contract containing the data protection terms required by Article 28 UK GDPR. The principal categories of provider are:

  • Payment processing — Stripe and Super Payments, for taking online and in-clinic payments.
  • Email marketing and transactional messaging — Intuit Mailchimp and Mandrill.
  • SMS messaging — MessageBird (Bird).
  • Website analytics — Google Analytics 4 (see section 14).
  • Cloud hosting and IT infrastructure — providers of our hosted systems, clinical reporting platform and office productivity tools.
  • Professional advisers — auditors, accountants, legal and compliance advisers, each under duties of confidentiality.

8.5 Apps: The Parent Room and MyScan

See section 9.

8.6 Your healthcare providers and other recipients you authorise

Where you ask us to, or where clinically indicated, we may share information with your GP, midwife, NHS maternity unit or another healthcare provider involved in your care. We will discuss such sharing with you and only proceed on an appropriate lawful basis.

8.7 Reviews platforms

See section 16.

8.8 Authorities, regulators and law enforcement

We may share personal data with the Care Quality Commission (CQC), HM Revenue & Customs (HMRC), the Information Commissioner’s Office (ICO), the courts, the police, and other regulators or public authorities where we are required or permitted by law to do so.

8.9 Business transfers

If we sell, restructure, merge or otherwise reorganise all or part of our business, or acquire another business, personal data may be disclosed to advisers and prospective or actual buyers under appropriate confidentiality protections, and ultimately transferred with the business.

9. The Parent Room and MyScan apps

9.1 MyScan

MyScan is owned and operated by WTTWFL. It is our client portal for non-pregnancy services and allows you to view your appointment history, access your scan images and reports, manage your preferences and communicate with us. WTTWFL is the data controller for personal data processed through MyScan. The processing of your personal data through MyScan is governed by this Privacy Policy.

9.2 The Parent Room

The Parent Room is an app owned and operated by Window to the Womb Retail Limited, a separate company within our group. The Parent Room enables you to manage future bookings, access your scan media and appointment history, and engage with related content. Window to the Womb Retail Limited is the data controller for personal data processed through The Parent Room, and its own privacy policy applies to its processing of your data. A copy of The Parent Room’s privacy policy is available within the app and on our website.

9.3 Data flow between our systems and the apps

Personal data originating from your booking and appointment is held on WTTWFL systems. Where you choose to use The Parent Room or MyScan, data is made available through those apps under appropriate authentication controls and in accordance with the applicable privacy policy. You may manage your account, preferences and any stored content within the settings of each app.

10. International transfers of data

The personal data we hold on our systems is stored in the United Kingdom.

A limited number of our service providers may process certain personal data outside the United Kingdom — in particular, Google Analytics 4 (see section 14), which may involve the transfer of website usage data to servers located in countries including the United States.

Where personal data is transferred outside the United Kingdom, we put in place appropriate safeguards in accordance with Articles 44 to 49 UK GDPR. These may include:

  • transfer to a country or territory in respect of which the UK Government has issued adequacy regulations;
  • use of the International Data Transfer Agreement (IDTA) issued by the ICO, or the European Commission’s Standard Contractual Clauses together with the UK International Data Transfer Addendum;
  • the UK Extension to the EU–US Data Privacy Framework, where the receiving organisation is self-certified under that framework;
  • such other lawful transfer mechanism as may be appropriate in the circumstances.

You may request information about the safeguards in place for a specific transfer by contacting our DPO.

11. How long we keep your data

We keep personal data only for as long as we need it for the purposes set out in this Privacy Policy, or for such longer period as is required by law or necessary to protect our legitimate interests. Our standard retention periods are:

Each entry below gives the category of data, the retention period and the basis for that period.

  • Maternity and pregnancy-related clinical records (including scan images, reports and clinical notes): 25 years from the date of birth of the child to which the record relates. Basis: NHS Records Management Code of Practice 2021.
  • Women’s Health (non-pregnancy) clinical records: 8 years from the date of last appointment. Basis: NHS Records Management Code of Practice 2021 (adult health records).
  • Booking and appointment records (non-clinical): 7 years from the date of last appointment. Basis: commercial and limitation purposes.
  • Financial and transaction records: 7 years from the end of the relevant financial year. Basis: HMRC / Companies Act requirements.
  • Marketing preference and suppression data: indefinitely, for the purpose of honouring your opt-out. Basis: legitimate interest; ICO guidance on suppression lists.
  • Email marketing engagement data: 36 months from last interaction. Basis: legitimate interest.
  • Website analytics (Google Analytics 4): 14 months (default GA4 retention). Basis: legitimate interest / consent for non-essential cookies.
  • Complaint records: 7 years from closure of the complaint. Basis: regulatory and limitation purposes.
  • CCTV footage (where deployed): 30 days, save where retained for a specific incident. Basis: legitimate interest; ICO CCTV guidance.
  • Website enquiry form submissions: 24 months from receipt, unless converted to a booking. Basis: legitimate interest.

Where a retention period expires, we will delete or anonymise the data so that it can no longer be associated with you.

12. Security of your data

We take appropriate technical and organisational measures to protect your personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage. These measures include:

  • encryption of personal data in transit and, where appropriate, at rest;
  • role-based access controls, with access to clinical data restricted to those with a need to know;
  • strong authentication controls, including multi-factor authentication for administrative access;
  • audit logging of access to clinical records;
  • staff training on data protection and confidentiality, and obligations of confidence in our employment and franchise contracts;
  • PCI DSS compliance for card payments, with card data processed by our payment service providers rather than held on our systems;
  • incident detection, response and breach notification procedures in accordance with Articles 33 and 34 UK GDPR;
  • regular review of our controls and providers.

No system is ever completely secure. If we become aware of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the ICO without undue delay and, where the risk is high, we will notify you.

13. Marketing communications

We use personal data to keep you informed of services we offer that are likely to be relevant to you. The framework we apply is as follows.

13.1 Lawful basis

Our lawful basis for sending you marketing communications is legitimate interest under Article 6(1)(f) UK GDPR. We have carried out and documented a Legitimate Interests Assessment for this purpose. Our legitimate interest is in informing clients who have booked and attended a scan with us of closely related services (for example, further scans during the same pregnancy), balanced against your rights, interests and reasonable expectations.

13.2 Electronic marketing under PECR

For marketing by email and SMS we rely on the “soft opt-in” set out in Regulation 22(3) PECR, which permits direct marketing to existing customers for similar services, subject to the recipient being given a simple means of refusing such use of their contact details at the time of collection and in every subsequent message. Where we rely on consent rather than the soft opt-in, we will collect and record that consent accordingly.

13.3 Your choice

You can opt out of marketing communications at any time:

  • by clicking the unsubscribe link in any marketing email;
  • by replying STOP to any marketing SMS message;
  • by updating your preferences in The Parent Room or MyScan;
  • by emailing [email protected].

When you opt out, we will suppress your contact details from our marketing lists across all channels. We will retain a minimum suppression record to ensure that your opt-out is honoured.

13.4 Service communications

Even if you have opted out of marketing, we will continue to send you communications that are necessary for the service you have booked with us (for example, appointment confirmations, safety information, and changes to your appointment). These are not marketing communications and they do not require your consent.

14. Cookies and website analytics

Our websites use cookies and similar technologies to operate, to remember your preferences, to measure how our websites are used and to support our marketing. We use Google Analytics 4 to understand aggregate website usage. Non-essential cookies are only set where you have given your consent through our cookie banner.

Full details of the cookies we use, their purpose and duration, and how to manage your preferences, are set out in our Cookie Policy.

15. CCTV

Some of our clinics operate CCTV for the purpose of the safety of clients and staff, the security of the premises and the prevention and detection of crime. Where CCTV is in use, signage is displayed at the clinic. Footage is held securely, access is restricted to authorised personnel, and images are retained for no longer than 30 days unless required for a specific incident, investigation or legal process. The lawful basis for CCTV is legitimate interest under Article 6(1)(f) UK GDPR.

16. Reviews and testimonials

We invite clients to provide feedback on their experience, including through our reviews partners Trustpilot, Google and Facebook. If you provide a review through one of these platforms, that platform processes your personal data as a separate controller in accordance with its own privacy policy. Where we invite you to leave a review by email or SMS, the invitation is treated as a service communication relating to your recent appointment. Any testimonials we publish on our website or marketing materials are published with appropriate permission.

17. Safeguarding

As a healthcare provider, we have duties of care in relation to the safeguarding of children, young people and adults at risk. Where we reasonably believe there is a safeguarding concern, we may share relevant information with the appropriate safeguarding authority (for example, the local authority safeguarding team, the police, or a healthcare provider). The lawful basis for such processing is compliance with a legal obligation (Article 6(1)(c)), the protection of vital interests (Article 6(1)(d)), Article 9(2)(c) for special category data, and Schedule 1, Part 2, Paragraph 18 of the DPA 2018 (safeguarding of children and individuals at risk). These disclosures are made in accordance with our internal Safeguarding Policy and applicable national guidance.

18. Your data protection rights

Subject to certain conditions and exceptions, you have the following rights under the UK GDPR:

  • Right of access — to obtain confirmation that we process your data, a copy of the personal data we hold about you, and supplementary information.
  • Right to rectification — to have inaccurate personal data corrected, or incomplete personal data completed.
  • Right to erasure (the “right to be forgotten”) — to have your personal data deleted in certain circumstances. This right is not absolute. In particular, it does not ordinarily apply to clinical records we are required to retain.
  • Right to restriction of processing — to require us to suspend processing of your personal data in certain circumstances.
  • Right to data portability — to receive your personal data in a structured, commonly used and machine-readable format, and to have it transmitted to another controller, where the processing is based on consent or contract and carried out by automated means.
  • Right to object — to object to processing based on legitimate interests (including direct marketing) or the performance of a task in the public interest.
  • Right not to be subject to a decision based solely on automated processing — we do not currently use automated decision-making that produces legal or similarly significant effects on you.
  • Right to withdraw consent — where our processing is based on your consent, you can withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

19. How to exercise your rights

To exercise any of the rights above, please contact our DPO at [email protected]. We will respond within one calendar month of receipt (which may be extended by up to two further months where the request is complex or we have received a number of requests from you). There is normally no charge, although we may charge a reasonable fee or refuse to act on a request that is manifestly unfounded or excessive.

We may ask you to verify your identity before we release or act on personal data, so that we can be confident we are dealing with you.

20. Complaints and the Information Commissioner’s Office

If you have a concern about the way we process your personal data, we encourage you to raise it with us in the first instance by contacting our DPO. We will respond carefully and promptly.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO), the UK’s supervisory authority for data protection:

  • Website: ico.org.uk
  • Helpline: 0303 123 1113
  • Post: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

21. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. The date at the top indicates when the latest version was published. Where changes are material, we will draw them to your attention by an appropriate means, such as a notice on our website or a direct communication.

Previous versions of this Privacy Policy are available on request from our DPO.