Privacy Policy
Version
AT_M_P_002_PRIVACY_POLICY_V2.1
Last updated 16th December 2025.
1. About This Notice
- This Privacy Policy explains how Advance Tests Ltd (“Advance Tests”, “we”, “us”) collects, uses, and protects personal data.
- It applies to patients who have booked with us directly, patients referred to us by other clinics, website visitors, and representatives of clinics or partner organisations.
- Throughout this document, we refer to the United Kingdom General Data Protection Regulation as “UK GDPR”. Our policies are designed to adhere to the UK GDPR and the Data Protection Act 2018.
- We’ve tried to make this policy as clear as possible – but if you have any questions, please contact us using the details below.
2. About Us
- Advance Tests is a company based and registered in the United Kingdom.
- You can contact us by email at info@advancetests.com or by phone at +44 20 8092 5449.
- If you are a patient who has booked with us directly, or if you are a website visitor, or if you are a representative of a clinic or partner organisation, then we are considered to be your “Data Controller”. This means we are responsible for collecting, using, and protecting the personal data that you provide us. If we are your Data Controller, you should direct any data queries to us using the details above.
- If you are a patient who has been referred to us for testing by your clinic, then we are considered to be a “Data Processor” and your clinic is the “Data Controller” for your personal data. We are processing your data at your clinic’s documented instruction. In this case, your clinic should be the main contact point for any data queries and you should refer to your clinic’s privacy policy. As a Data Processor, we will assist your clinic in responding to any request you make to exercise your data protection rights.
3. How We Collect Personal Data
- We collect personal data as a Data Controller when you:
  - Visit our website (Cookies – see section 11)
  - Book a test through our website
  - Attend a phlebotomy appointment that you have booked with us
  - Communicate with us by email or phone
  - Access your test report(s) using the link we send you
  - Provide payment information (via our payment provider).
- We receive personal data as a Data Processor when/if:
  - Your clinic refers you to us for testing
  - You attend a phlebotomy appointment with us or one of our partner phlebotomy clinics, which your clinic has booked for you.
4. Categories of Personal Data
- If you are a patient, regardless of whether we are your Data Controller or Processor, we process – at most – the following data:
  - Your full name, date of birth, sex at birth, contact details, address, any accessibility needs to attend a phlebotomy appointment*, the medical indication (reason) for testing*, and your test result* (provided by the laboratory performing the testing).
  - Certain types of personal data are considered to be “Special Category” data, meaning their processing needs additional consideration. The data marked with an asterisk (*) above are Special Category personal data.
- If you are a website visitor and you choose to create an account, we will process:
  - Your full name and contact details. Sometimes, this may include the IP address you’ve used to visit our website.
- If you are a patient accessing your report on the Advance Tests Portal using the link we have sent you:
  - We will process the IP address of the device that follows the link, and any subsequent activity on the Portal from that IP. We don’t actively use this data – but our security systems are designed to detect if someone is trying to access data they shouldn’t. If we think this could be the case, we may look at these records to ensure the privacy and security of your data.
- If you are a representative of a clinic or partner organisation, we will process:
  - Your full name and contact details.
  - And, if you use the Advance Tests Portal (e.g. you are a clinician viewing details of a patient you have referred to us), we will also process logs regarding your access and actions on the Portal – this helps us ensure data is being used appropriately and securely.
5. Purposes and Lawful Bases for Processing
- By law, if we are processing your data, we must have a legitimate reason to do so. This is called the “Lawful Basis” for processing.
- If you are a patient who has booked with us directly (i.e. if we are your Data Controller), then we process your data to provide you with the testing service you have contracted us to perform.
  - This processing includes us managing your booking, collecting your sample, processing your sample, laboratory testing, and the delivery of results.
  - Because some of your data is Special Category data (and because we want to make sure we’re processing your data legitimately and appropriately), we rely on two lawful bases for this processing:
  - UK GDPR Article 6(1)(b) – performance of a contract; and
  - UK GDPR Article 9(2)(h) – processing necessary for the purposes of medical diagnosis, provision of health care, and/or management of health systems and services.
  - This means we’re processing your data (i) because you have asked us to (‘performance of a contract’), and (ii) because it is necessary to provide a test result that may impact your health care.
  - This processing is undertaken under a duty of confidentiality, with oversight from our GMC‑registered Medical Director. It is supported by a policy called an “Appropriate Policy Document”, which requires us to thoroughly explain our reasons for processing your Special Category data.
- If you are a patient who has been referred to us for testing by your clinic, then we process your data under their documented instructions. This means:
  - Your clinic is your Data Controller, and we are performing data processing as a Data Processor under an established contract we have with your clinic. This contract includes a data processing agreement.
  - We process your data only to follow the request(s) from your clinic (e.g. for us to perform a specific test).
  - Your clinic is responsible for determining the lawful basis for processing.
- If you are accessing the Advance Tests Portal as a logged-in user:
  - We process your data under UK GDPR Article 6(1)(f) – our legitimate interests in securing systems, detecting abuse and maintaining audit trails. We conduct legitimate interests assessments to balance these interests against your rights.
- If you are a patient accessing your report on the Advance Tests Portal using the link we have sent you:
  - In situations flagged by our security systems, we process the accessing device’s IP address and activity under UK GDPR Article 6(1)(f) – our legitimate interests in securing systems, detecting abuse and maintaining audit trails. We conduct legitimate interests assessments to balance these interests against your rights. Our assumption in this assessment is that you want us to protect your data – so we will use these measures to do so.
- If we’re processing your data to provide customer service or communications about your booking/result (these are called “transactional communications”):
  - We do so under UK GDPR Article 6(1)(b) – performance of a contract; and Article 6(1)(f) – legitimate interests.
- If we are processing your data as part of a payment (or chargeback):
  - We do so under UK GDPR Article 6(1)(b) – performance of a contract; and where necessary Article 6(1)(f) – legitimate interests in fraud prevention.
- If we are processing your data because you are a representative of a clinic or partner organisation:
  - We do so under UK GDPR Article 6(1)(f) – legitimate interests.
- Sometimes, Data Controllers are subject to legal, regulatory or compliance requirements. These are very rare situations – e.g. responding to regulators or the defence of legal claims – but in these situations we will:
  - Only ever provide the requesting authority the absolute minimum amount of data necessary for that purpose; doing so
  - Under UK GDPR Article 6(1)(c) – compliance with legal obligations; and/or Article 6(1)(f) – legitimate interests.
- We use some data to help improve our service, ensure continued compliance, and for analytics purposes.
6. Who We Share Your Data With
- We only ever share your personal data where necessary for the purposes described above.
- If you are undertaking the Lucent AD Complete test:
  - We will share only the following personal data with the testing laboratory (Lucent Diagnostics, a Quanterix Brand), based in the United States:
    - Your date of birth
    - Your sex at birth
    - The medical indication (reason) for testing.
  - We will never share your name, contact details, or any of your other data with Lucent Diagnostics, nor will any of this information be included in paper copy in the shipment to their lab in the USA.
- If you are undertaking the APOE Genotyping test:
  - We will share only the following data with the testing laboratory (The Doctor’s Laboratory, “TDL”), based in the United Kingdom:
    - Your date of birth
    - Your sex at birth
    - The medical indication (reason) for testing.
  - We will never share your name, contact details, or any of your other data with TDL, nor will any of this information be included in paper copy in the shipment to their lab in the United Kingdom.
- If you are having your blood taken at a partner phlebotomy clinic (i.e. at a location other than at the Advance Tests clinic/your referring clinic):
  - We will provide the partner phlebotomy clinic with your full name, date of birth, sex at birth, contact details, address, and any accessibility needs to attend a phlebotomy appointment.
  - We share this information so that the partner phlebotomy clinic can perform their service (arranging your appointment and taking your blood sample).
  - The partner phlebotomy clinic will not be able to see your result. 7 days after your appointment they will no longer be able to see any of your personal data.
- As mentioned above, if we are required by law to share your details with a recognised authority, we will share the absolute minimum data required for that purpose.
7. International Data Transfers
- Where we transfer personal data outside the UK (e.g. to Lucent Diagnostics):
  - We do so in accordance with Chapter V of the UK GDPR and put appropriate safeguards in place. These include a UK International Data Transfer Agreement (IDTA) and/or the UK Addendum to the EU Standard Contractual Clauses (as applicable), together with a documented Transfer Risk Assessment (TRA).
  - This means that anyone outside the UK we share your data with is bound by safeguards approved by the UK Information Commissioner’s Office.
8. How Long We Keep Your Data
- We retain personal data only for as long as necessary for the purposes defined in this policy. After that, we either delete it or irreversibly anonymise it.
- For patient records:
  - We keep this data for 8 years after the last episode of service provision (i.e. 8 years after we last performed testing for you).
  - For patients who are referred to us for testing by an external clinic, we will delete/irreversibly anonymise your data before the 8-year retention period if your clinic requests this, because they are your Data Controller.
- For any booking(s) you have made through our website:
  - We keep this data for 2 years.
- If you choose to create an account on our website:
  - We will keep the data until you close your account.
  - Note that any bookings you have made with this account will be retained according to 8(3) above.
- Any identifiable logs on the Advance Tests Portal:
  - Will be kept for 2 years after the last activity.
- While we mostly use digitised records, if we have any paper records (e.g. if your clinic has sent a paper test requisition form):
  - We will destroy these 7 days after we issue your report.
9. How We Protect Your Data
- We do not publish detailed technical measures for security reasons. However, any personal data we hold is protected by appropriate organisational and technical controls, including encryption and restricted access, which are designed to meet or exceed recognised industry standards. These measures are regularly reviewed to ensure your data remains secure.
10. Your Rights
- Subject to conditions and exemptions in law, you have rights to:
  - Be informed about our processing of your data
  - Access your personal data
  - Rectify inaccurate or incomplete data
  - Erase your data (where applicable)
  - Restrict or object to processing
  - Data portability
  - Not be subject to a decision based solely on automated processing with legal or similarly significant effects. (Note: we don’t perform any processing that would be applicable under this point.)
- To exercise your rights if we are your Data Controller (see Section 2):
  - Contact us by email and we will respond within 1 month. Note that we may ask for information to verify your identity before complying with your request.
- To exercise your rights if we are your Data Processor (see Section 2):
  - Please contact your Data Controller (most likely the clinic who referred you to us for testing). We will assist your Data Controller in responding to your query.
11. Cookies and Similar Technologies
- Our website uses cookies and similar technologies. Non‑essential cookies are disabled until you provide consent.
12. Questions and Complaints
- If you have questions about this policy or how we handle your data, please contact us (see Section 2).
- You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO), who oversee data protection rights in the UK: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF (www.ico.org.uk).
13. Changes to This Policy
- We may update this Privacy Policy from time to time to reflect changes in our processing or legal requirements. The date this policy was last updated is shown at the top of this document.