Our Privacy Statement describes our practices and management of privacy.
1. Introduction
Orion Health (“Orion Health,” “we,” “us,” or “our”) is a global company that designs and operates digital health platforms that enable secure health information exchange, system interoperability, virtual care services, and improved clinical outcomes. Orion Health is part of the HEALWELL AI Inc. group of companies. This Privacy Notice explains how Orion Health collects, uses, discloses, retains, and protects personal data (including personal information (“PI”) and personal health information (“PHI”)) in connection with:
- Orion Health’s digital health platforms and products, and
- Orion Health’s public website and related communications.
Orion Health is committed to protecting personal data in accordance with the privacy and health information laws that apply to us across the UK.
2. Orion Health’s Role in Processing PI and PHI
Orion Health operates in different roles depending on the context in which personal data is processed. In most cases, Orion Health acts as a data processor on behalf of healthcare providers, NHS organisations, health authorities, or government bodies (each, a “data controller”). In these situations:
- Orion Health processes personal data only under the instructions of the data controller,
- Orion Health does not determine the purposes for which patient data is collected,
- Orion Health does not use customer-controlled patient data for its own independent commercial purposes.
In certain limited cases (for example, when managing our website, marketing activities, or business relationships, where we decide how and why your data is used), Orion Health acts as a data controller. The entity in question here is:
Company Name: Orion Health Limited
Registered Address: 87-91 Newman Street, London W1T 3EY, United Kingdom
Company Number: 04306308
ICO Registration Number: Z8683942
Global Chief Privacy Officer: Samara Starkman
Contact Information: privacy@orionhealth.com
3. Orion Health’s Products and Services that Process PHI
Orion Health provides a range of digital health platforms that may process personal data under the direction of healthcare organisations:
- Digital Care Record and Clinical Data Platforms, which support shared care records and consolidated patient views across healthcare settings,
- Interoperability and Integration Platforms, which enable secure, standards-based data exchange (e.g., HL7, FHIR, APIs) across providers,
- Care Coordination and Engagement Solutions, including virtual care, messaging, and workflow tools, and
- Analytics and Health Intelligence Platforms, which support reporting, population health management, and authorised research.
Each Orion Health product processes personal data only for the purposes described in this notice and under the authority of the relevant data controller.
4. Information we collect and how we use it
A. Information related to healthcare professionals and authorised users
When healthcare professionals, administrators, or authorised users interact with Orion Health systems or support channels, we may collect:
- Account and contact information, e.g., name, role, organisation, and email address
- Technical and usage information, e.g., IP address, device identifiers, system logs
- Credentials and authentication data
- Communications with Orion Health, including support requests and inquiries
- Audit trail and system activity logs
Orion Health uses the above information and technical data for the following purposes:
- Provision and manage access to Orion Health platforms
- Authenticate users and maintain system security
- Deliver technical support and service communications
- Monitor and improve system performance and reliability
- Meet contractual, regulatory, and legal obligations
Orion Health may also process personal data relating to employees, contractors, prospective customers, business contacts, for purposes such as workforce administration, training, contract management, customer relationship management, and business development.
B. Information related to patients
Orion Health does not typically collect personal data directly from patients. Instead, healthcare professionals or NHS organisations input or make patient data available through Orion Health systems so that services can be delivered on their behalf. Patient data processed by us may include:
- Demographic information (e.g., name, NHS number, date of birth),
- Clinical and health information (e.g., diagnoses, medications, test results, care records),
- Information generated through clinical interactions (e.g., virtual consultations, triage, contact-centre interactions),
- Longitudinal care record data aggregated across systems.
Health data is considered “special category” personal data under the UK GDPR and is subject to enhanced legal protections. We only process it under the authority and instructions of the relevant NHS organization or healthcare professional, for purposes including:
- Supporting clinical care and coordination,
- Enabling interoperability and continuity of care,
- Maintaining accurate and accessible health records,
- Supporting authorised public health reporting and healthcare operations; and
- Ensuring system integrity, security, and reliability.
5. Lawful Basis for Processing
Where Orion Health acts as a data controller, we rely on the following lawful bases:
| What we do | Data Involved | Lawful basis | Additional condition(s) for processing special category data |
|---|---|---|---|
| Marketing and sales communications to business contacts | Name, business email, job title. | Legitimate interests (B2B marketing with clear opt-out opportunity), Consent (where needed) | Not applicable |
| Website analytics and cookies | IP address, browser type, cookie data | Consent (non-essential cookies) Legitimate interests (strictly necessary cookies) | Not applicable |
| Responding to legal/law-enforcement enquiries or court orders | As required | Legal Obligation | As applicable, depending on the data being requested |
Where Orion Health processes special category data as a data processor, the lawful basis is determined by the relevant data controller. This typically includes:
- Provision of healthcare or treatment,
- Public health purposes, and
- Compliance with legal obligations.
Orion Health processes this information solely based on the documented instructions from the relevant data controller.
6. Sharing of personal information
Orion Health may share the personal information we collect via our website outside our organisation for specific third-party processing. This includes:
| Platform | Description |
|---|---|
| HubSpot | We use HubSpot to manage customer relationships and marketing activities. Information collected through forms and cookies, such as your name, email address, company information, and website interaction data, is stored in HubSpot to facilitate communications, personalise marketing efforts, and analyse campaign performance. |
| NetSuite | Information submitted through forms, such as inquiries and registration details, may be transferred to NetSuite. This enables us to manage follow-ups, maintain accurate customer records, and streamline operational processes. |
| Google Ads | We use Google Ads to promote our services. Cookie and activity data, including information related to website interactions and conversions (such as form submissions), is shared with Google to measure ad performance, create audience segments, and optimise advertising campaigns. |
| We use LinkedIn advertising services to promote relevant content. Cookie and interaction data is shared with LinkedIn to build advertising audiences, track ad conversions, and enhance the performance of our LinkedIn campaigns. | |
| Eventbrite | When you register for one of our events via Eventbrite and its integrations within our website, the information you provide, including your name, email address, and organisation, is collected to manage event registrations and related communications. This information may also be used to facilitate post-event engagement. |
Patient data is only shared as strictly required to deliver contracted services under NHS or healthcare provider instructions. This includes:
- Sharing with authorised healthcare providers/ partners, Integrated Care Boards, and NHS organizations through secure, standards-based frameworks
- Approved third-party service providers (e.g., hosting, analytics, support services),
- Regulators, courts, or law enforcement where required by law, and
- Professional advisors and business partners where appropriate.
All third parties are subject to appropriate contractual and confidentiality obligations.
7. Artificial Intelligence and Analytics
Orion Health platforms may include analytics, automation, and AI-assisted capabilities that support healthcare reporting, care coordination, service delivery, and operational efficiency. These technologies may be used to:
- Support healthcare reporting and population health management,
- Improve service delivery and user experience,
- Assist with customer relationship management, workforce enablement, and internal business operations,
- Support compliance, security, and operational processes, and
- Generate insights that assist healthcare organisations in making informed decisions.
These tools are designed to support, not replace, human decision-making. Orion Health does not use customer-controlled identifiable patient data for independent commercial AI model training without appropriate authorisation from the relevant data controller and where permitted by law. Orion Health does not make solely automated decisions, including those based on AI-assisted processing, that produce legal or similarly significant effects on individuals without appropriate human review and oversight.
8. Cross-border Data Transfers
Some of the services we use are based outside the UK. Applicable laws in the UK restrict sending personal data outside UK unless adequate protections are in place. Here is how we handle this:
- EEA countries — the UK government has confirmed these provide adequate protection, allowing flow of information
- New Zealand — also recognised by the UK as providing adequate protection. Our parent company (Orion Health Group Limited) is based in New Zealand
- United States and other countries – where personal data is transferred to countries that are not recognised as providing an adequate level of protection, Orion Health implements appropriate safeguards, including approved contractual transfer mechanisms and supplementary security measures as needed.
Where required by relevant data controllers, patient data processed by Orion Health is processed within the UK and EEA. Any international access to such data by Orion Health staff is governed by appropriate inter-company agreements that comply with applicable laws and regulations. Orion Health ensures that there are adequate privacy and security arrangements in place wherever your information is accessed by way of strict privacy and security obligations imposed in our agreements with third parties.
9. Data Security
Orion Health actively seeks to maintain the privacy of the information under our control. To prevent unauthorised use, maintain data accuracy, and ensure the appropriate use of information, we have put in place appropriate physical, technical, and administrative procedures to safeguard and secure the information we collect.
10. Data Retention
Orion Health retains patient information for only as long as necessary to deliver services, comply with applicable legal, regulatory and contractual obligations (as agreed to with the relevant data controller) and to support authorized healthcare operations.
11. Children’s Information
Orion Health does not knowingly solicit, collect, or accept any information from or about children via our website. If we become aware that a person submitting personal information through any part of our website is a child, we will delete the information as soon as we discover it and do not use it for any purpose, nor do we disclose it to third parties.
Since we do not seek to collect any personal information about children, and we delete any information collected inadvertently as soon as we discover that a child has submitted it, we retain no information about children that could be reviewed or deleted. If a parent requests review or deletion of information about their child before discovering and deleting it, we will honour that request.
12. Your Rights
Based on the applicable privacy laws, data subjects, as applicable, have rights to access the personal information that Orion Health holds regarding them, and have it corrected where necessary, subject to some exceptions. Data subjects also have the right to access their personal information in a portable, electronic format, a right to have their personal information erased, a right to know the third parties with whom their personal information has been shared with and/or a right to object to Orion Health processing their personal information. Other rights granted to data subjects include a right to ask
Orion Health to limit how we use information while a concern is being resolved (restriction), a right to not be subject to a solely automated decision (including AI-based profiling) that has a legal or similarly significant effect on them and the right to withdraw consent (where processing is based on consent).
Individuals also have the right, under applicable laws, to lodge a complaint with the Information Commissioner’s Office (https://www.ico.org.uk) if they believe Orion Health is not handling their personal information in accordance with the law. For any questions or concerns about Orion Health’s privacy practices or this policy, please contact our Privacy Office at privacy@orionhealth.com.
When acting as a data processor, Orion Health may direct you to the appropriate data controller for the fulfilment of these rights requests. Orion Health may lend support to the data controller, as contractually agreed upon receiving such a request.
13. Cookies
Our website uses cookies and similar technologies for functionality, analytics, and marketing. In accordance with applicable law(s), non-essential cookies are used only with your consent, and users can manage their preferences through our cookie settings. Orion Health may use website analytics and user interaction technologies to better understand how visitors engage with our public-facing websites and to improve website functionality, content, and user experience. These technologies are deployed only on public marketing websites and are not used within authenticated clinical applications, support portals, or environments intended to process patient personal data. For more information, please visit our Cookie Policy.
14. Changes to this Privacy Policy
This policy may be updated from time to time. The date of the most recent revisions will appear on our page. If you do not agree to these changes, please do not continue to use our website or to submit personal information to Orion Health via our website.
June 2026