Home / Privacy Policy

Privacy Policy

How we collect, use and protect your personal information.

Last reviewed: 19 April 2026

This Privacy Policy explains how Mr Masha Singh and his private practice (operating through Adept Surgical Limited) collect, use, share and protect your personal information when you visit plastic-surgery.uk, when you contact us, and when you are under our care as a patient. It applies to all personal information we hold, however that information has been provided to us.

We take your privacy seriously. Our handling of your information complies with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the common law duty of confidentiality, and our professional obligations under General Medical Council (GMC) guidance.

1. Who we are (data controller)

The data controller for your personal information is:

Mr Masha Singh — Consultant Plastic, Reconstructive and Aesthetic Surgeon (GMC No. 6141386), practising through Adept Surgical Limited, a company registered in England and Wales. Adept Surgical Limited is registered with the Information Commissioner's Office (ICO) under registration reference ZB280884.

For any queries about this Privacy Policy or how your information is used, please contact:

2. What information we collect

Depending on how you interact with us, we may collect and use the following categories of information:

  • Identity information: full name, title, date of birth, gender.
  • Contact information: email address, telephone number, postal address, next of kin details.
  • Health information (special category data): medical and surgical history, family history, current medications, allergies, results of examinations, imaging and biopsy results, photographs (clinical and before-and-after where consented), treatment plans, operation notes, aftercare records and correspondence with your GP or other healthcare professionals.
  • Financial information: billing address, invoicing details, payment card information (processed via secure payment providers — we do not store full card numbers), insurance policy details, insurer authorisation codes.
  • Communication records: emails, letters, telephone call notes, and messages submitted via our website contact form.
  • Website usage data: IP address, browser type and version, operating system, referring URL, pages visited, date and time of visit, and other technical information logged by our website or analytics tools (only where you have consented to analytics cookies).

3. Our lawful basis for processing your information

Under UK GDPR we can only process your personal information where we have a valid lawful basis. The bases we rely on are:

  • Contract (Article 6(1)(b)): where we need to process your information to provide the medical services you have engaged us for and to manage billing.
  • Legal obligation (Article 6(1)(c)): where we are required to retain or disclose information by law (for example, under regulatory requirements from the Care Quality Commission, the General Medical Council, or HMRC).
  • Legitimate interest (Article 6(1)(f)): to run our practice effectively, maintain records, prevent fraud, and improve our services — provided your rights and interests are not overridden.
  • Consent (Article 6(1)(a)): for optional processing such as website analytics cookies, marketing communications (we do not currently send any), or use of clinical photographs beyond your individual care.

For health data (special category information), we additionally rely on:

  • Provision of health care (Article 9(2)(h)): processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, and the management of health systems.
  • Explicit consent (Article 9(2)(a)): where we seek your written consent, for example for use of anonymised photographs for teaching or publications.

4. Why we use your information

We use your information for the following purposes:

  • To provide and manage your medical care — assessment, diagnosis, surgery, reconstruction, follow-up and aftercare.
  • To arrange appointments, send reminders and communicate with you about your treatment.
  • To prepare clinical letters and liaise with your GP, referring clinician, insurer and other healthcare professionals involved in your care.
  • To discuss complex or unusual cases in multidisciplinary team (MDT) meetings where additional expert input is appropriate.
  • To process payments, invoices and insurer claims.
  • To keep clinical records that meet our regulatory and legal obligations.
  • To handle any complaint, concern or legal claim.
  • To operate, maintain, secure and improve our website.
  • With your explicit consent, to use clinical photographs for educational purposes (always anonymised where possible).

5. Who we share your information with

We treat your information as confidential. We will only share it where there is a lawful basis to do so. Recipients may include:

  • Hospitals and clinical staff at the locations where you are seen or treated — St George's Hospital, Parkside Hospital, Ashtead Hospital, Shirley Oaks Hospital — including theatre and ward teams, anaesthetists and nursing staff.
  • Your GP and other healthcare professionals (e.g. dermatologist, oncologist, pathologist, radiologist) involved in your care.
  • Multidisciplinary Team (MDT) meetings where your case is discussed with other consultants and specialists to plan the best treatment.
  • Pathology and radiology providers for necessary tests, scans and laboratory reports.
  • Your private medical insurer, if you are using insurance to fund treatment.
  • Our secretary and administrative staff, who are bound by confidentiality.
  • Our professional indemnity insurer and legal advisers, if required in connection with a claim or complaint.
  • Regulators and authorities, including the Care Quality Commission (CQC), General Medical Council (GMC), Information Commissioner's Office (ICO) and HMRC, where legally required.
  • Service providers acting on our behalf under contract (data processors), such as our email host, practice management software, and the contact form service (Web3Forms). These providers process information only on our documented instructions and are contractually required to protect your data.
  • Emergency services or other parties where there is a serious risk to life, in line with GMC guidance on disclosures in the public interest.

We do not sell your personal information to third parties and we do not use it for third-party marketing.

6. International transfers

Some of the service providers we use may process data outside the United Kingdom. Where this happens, we ensure your information is protected by appropriate safeguards, such as:

  • Transfers to countries that the UK Government has deemed to provide an adequate level of protection ("adequacy decisions"), or
  • Transfers made under the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses (SCCs), with supplementary technical and organisational measures where needed.

Specifically, Google Analytics (if you have consented to analytics cookies) and Web3Forms (if you submit our contact form) may involve transfer to the United States under such safeguards.

7. How long we keep your information

We retain your personal information only for as long as necessary for the purposes for which it was collected, taking into account our legal and regulatory obligations. Typical retention periods are:

  • Adult medical records: retained for a minimum of 8 years after the last episode of care, in line with NHS and Department of Health retention guidance. Some records (e.g. relating to mental health or claims) may be retained for longer.
  • Records for patients treated under 18: retained until the patient's 25th birthday, or their 26th birthday if the last entry was made when they were 17.
  • Financial and billing records: retained for a minimum of 6 years to meet HMRC requirements.
  • Website contact form enquiries: retained for up to 2 years unless you go on to become a patient, in which case they are kept as part of your clinical record.
  • Website usage and analytics data: retained according to the settings of our analytics provider (currently 14 months of Google Analytics data).

Once the relevant retention period has expired, we securely delete or anonymise the information.

8. How we keep your information secure

We take appropriate technical and organisational measures to protect your information against unauthorised access, accidental loss, alteration or disclosure. These include:

  • Access controls and role-based permissions for practice systems.
  • Encrypted storage and transmission of digital records where reasonably practicable.
  • Secure email and secure messaging for clinical correspondence.
  • Physical security of paper records stored at the practice.
  • Regular software updates and cybersecurity practices.
  • Written agreements with all our data processors requiring them to protect data to UK GDPR standards.
  • Staff training on confidentiality and data protection.

9. Your rights

Under UK data protection law, you have the following rights in relation to your personal information:

  • Right of access: you can ask for a copy of the personal information we hold about you (a "subject access request").
  • Right of rectification: you can ask us to correct information that is inaccurate or incomplete.
  • Right to erasure ("right to be forgotten"): you can ask us to delete information in certain circumstances — though we may be required by law or professional duty to retain medical records for a minimum period.
  • Right to restrict processing: you can ask us to pause or limit how we use your information in certain circumstances.
  • Right to data portability: where processing is based on consent or contract and carried out by automated means, you can ask to receive the data in a structured, machine-readable format.
  • Right to object: you can object to our processing of your information where we rely on legitimate interests.
  • Right to withdraw consent: where processing is based on your consent, you can withdraw it at any time without affecting the lawfulness of previous processing.
  • Rights in relation to automated decision-making: we do not use automated decision-making or profiling that produces legal or similarly significant effects.

To exercise any of these rights, please email admin@plastic-surgery.uk. We will respond within one month (this may be extended by a further two months for complex requests, in which case we will notify you). There is no fee unless your request is manifestly unfounded or excessive.

10. Cookies and website analytics

Our website uses two categories of cookies:

  • Essential cookies: strictly necessary for the website to function (for example, remembering your cookie preferences). They do not collect personally identifiable information and cannot be switched off.
  • Analytics cookies: with your consent, we use Google Analytics 4 to collect anonymous information about how visitors use our site — for example, which pages are most viewed, how long visitors stay, and where they come from. These cookies are only set after you have selected "Accept All" on our cookie banner.

When you first visit the site, a cookie consent banner appears. You can select Accept All (essential + analytics) or Reject (essential only). Your choice is stored locally in your browser. You can change your decision at any time by clearing your browser's site data for plastic-surgery.uk and reloading the page.

We use IP anonymisation and secure cookie flags for all analytics data. For more information about how Google Analytics processes data, see Google's Privacy Policy.

11. Children's privacy

We do not knowingly collect information directly from children under the age of 13 through our website. Where we treat children or young people as patients, information is collected and processed with the consent of a parent or guardian where appropriate, and in accordance with GMC guidance on consent in young people.

Our website may contain links to external sites (for example hospital websites, professional bodies or the Private Healthcare Information Network). We are not responsible for the privacy practices of those websites, and we encourage you to read their own privacy policies.

13. Changes to this policy

We may update this Privacy Policy from time to time to reflect changes in our practice, technology, or the law. The "Last reviewed" date at the top of this page indicates when it was most recently updated. Significant changes will be highlighted on the website where appropriate.

14. How to complain

If you have concerns about how we have handled your personal information, please contact us first at admin@plastic-surgery.uk. We will do our best to resolve your concerns.

You also have the right to lodge a complaint with the UK data protection regulator:

Information Commissioner's Office (ICO)
Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF
Telephone: 0303 123 1113
Website: ico.org.uk