Privacy Policy

Please note the bold and underlined text in section 5

Welcome to the privacy policy for Colab Services Limited. This document outlines how your personal data is used, who we may share that personal data with and how we keep it secure. This notice does not provide exhaustive detail. However, we are happy to provide any additional information or explanation needed. Any requests for this should be sent to the addresses noted below. We keep our Privacy Policy under regular review. This Privacy Policy was last reviewed in December 2020.

1. About us

Colab Services Limited ("Colabs") offers services to practitioners to facilitate their clients' access to laboratory testing and analysis. We do not conduct testing or analysis ourselves, nor do we have a direct contractual relationship with individual patients.

Colabs respects your privacy and is committed to protecting your personal data. The purpose of this privacy policy is to inform you how your personal data is managed by us, and to let you know about your privacy rights and how you are protected by law. The privacy policy applies to any personal data collected or received via email, letter, telephone or face to face contact and will also cover any data collected by our website.

Colab Services Limited is a data controller. The Information Commissioners Office requires that personal data is fairly and lawfully processed.

Contact details for Colab are:

Data Controller: Colab Services Limited

Email address:

Address: PO Box 1331, Lincoln, LN5 5TP, UK

Please use these contact details should you wish to make a data subject access request, which must be done in writing. Please also use these address details in the first instance if you need to make a complaint. We will try to respond to all legitimate requests within one month. Occasionally it may take us longer than a month if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated.

If you have a complaint regarding the use of your personal data then please contact us by writing at the postal or email address and we will try to help you.

If your complaint is not resolved to your satisfaction and you wish to make a formal complaint to the Information Commissioner’s Office (ICO), you can contact them on 01625 545745 or 0303 1231113 and on the web at

2. The Data we collect about you

Information provided by you

You and others (including, if you are a patient or other test subject, the practitioner ordering tests relating to you) provide us with personal data in the following ways:

  • enquire about our services;
  • order a test;
  • attend at our premises for the withdrawal of a sample;
  • correspond with us by email, telephone or post;
  • make a payment to us;
  • use our website and/or services.

This may typically include the following information:

  • basic details such as name, address, contact details and next of kin;
  • details of contact we have had with you such as referrals and testing requests;
  • health information, namely the tests ordered in relation to you (if you are a patient);
  • practitioner contact information;
  • bank details;
  • marketing preferences.

We may also collect, use and share aggregated or anonymised data for any purpose. Aggregated/anonymised data may be derived from your personal data but is not considered personal data in law as this data does not directly or indirectly reveal your identity.

Third Party Links

Our website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy measures and practices. When you leave our website, we encourage you to read the privacy policy/notice of every website you visit.

Following completion of your testing we retain your personal data as described in section 7 of this Privacy Policy.

If you fail to provide personal data

Where we need to collect personal data by law, or under the terms of a contract we have with you and you fail to provide that data when requested, we may not be able to perform the contract we have or are trying to enter into with you. In this case, we may have to cancel a service we proposed to provide to you, but we will notify you if this is the case at the time.

It is important that you update us if your contact details or those of your practitioner change. This is to ensure that all personal data we hold for you is correct at all times.

3. How we use your personal data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you.
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

Generally we do not rely on consent as a legal basis for processing your personal data other than in relation to sending direct marketing communications to you via email or text message, or where we specifically ask you to sign a consent form. You have the right to withdraw consent to marketing at any time by contacting us.

We may use your personal data where there is an overriding public interest in using the information e.g. in order to safeguard an individual, or to prevent a serious crime. We may also process special category personal data, such as information about your health, on the basis of such processing being necessary in the context of our provision to you (or your practitioner) of healthcare-related services.

Purposes for which we will use your personal data

We have set out below, in a table format, a description of all the ways we plan (or may in the future plan) to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Type of data

Lawful basis for processing including basis of legitimate interest

Provision of medical test facilitation services

  • Identity & Contact
  • Financial
  • Services
  • Performance of a contract with you
  • Necessary for our legitimate interests (including to recover debts due to us)

File archiving, deletion and destruction

  • Identity & Contact
  • Financial
  • Services
  • Marketing & Communications
  • Performance of a contract with you
  • Necessary for our legitimate interests (to keep our records updated and to study how clients use our services)
  • Necessary to comply with a legal obligation

To administer and protect our business and our website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)

  • Identity & Contact
  • Technical
  • Necessary for our legitimate interests (for running our business, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)
  • Necessary to comply with a legal obligation


  • Identity & Contact
  • Transaction
  • Usage
  • Marketing and Communications



We strive to provide you with choices regarding certain personal data uses, particularly around marketing and advertising. It is entirely your choice whether you consent to us providing you with direct electronic marketing – we will only do so where you have given us your consent to do so (including so called "soft opt in").

Promotional offers from us

We may use your Identity & Contact, Technical, Usage and Services Data to form a view on what we think you may want or need, or what may be of interest to you. This is how we decide which services may be relevant for you (we call this marketing).

You will receive marketing communications from us if you have requested information from us or obtained services from us or if you provided us with your details when you entered a competition or registered for contact and, in each case, you have opted in to receiving that marketing (including via so called "soft opt in").

Third-party marketing

We will not share your personal data with any third party for their marketing purposes. However, where you have consented to the receipt of marketing from us, we may use a third party to prepare and deliver such marketing materials on our behalf.

Opting out

You can ask us to stop (and to ask third parties to whom we have provided your personal data to stop) sending you marketing messages by contacting us at any time.


You can set your browser to refuse all or some browser cookies, or to alert you when websites set or access cookies. If you disable or refuse cookies, please note that some parts of our website may become inaccessible or not function properly.

Change of purpose

We will only use your personal data for the purposes for which we collected it, unless we reasonably consider that we need to use it for another reason and that reason is compatible with the original purpose. If you wish to get an explanation as to how the processing for the new purpose is compatible with the original purpose, please contact us.

If we need to use your personal data for an unrelated purpose, we will notify you and we will explain the legal basis which allows us to do so.

Please note that we may process your personal data without your knowledge or consent, in compliance with the above rules, where this is required or permitted by law.

4. What are your rights?

Every individual has the right to see, amend, delete or have a copy of data held that can identify you, with some exceptions. You do not need to give a reason to see your data.

If you want to access your data you must make a subject access request in writing to the addresses outlined above. We will require proof of ID. Under special circumstances, some information may be withheld. We shall respond within 30 days from the point of receiving the request and all necessary information from you. Our response will include the details of the personal data we hold on you including:

  • Sources from which we acquired the information
  • The purposes of processing the information
  • Persons or entities with whom we are sharing the information

You have the right, subject to exemptions, to ask to:

  • Have your information deleted
  • Have your information corrected or updated where it is no longer accurate
  • Ask us to stop processing information about you.
  • Receive a copy of your personal data, which you have provided to us, in a structured, commonly used and machine readable format and have the right to transmit that data to another controller, without hindrance from us.
  • Object to the processing of personal data concerning you

We do not carry out any automated processing, which may lead to automated decisions based on your personal data.

If you would like to invoke any of the above rights then please contact us.

5. Disclosures of your personal data

We may have to share your personal data with the parties set out below for the purposes set out in the table in paragraph 4 above.

  • External Third Parties such as IT and system administration services, Professional advisors e.g. banking, legal and accounting services or those who provide consultancy and HM Revenue and Customs.
  • Practitioners ordering tests on your behalf (if you are a patient).
  • Testing labs who we are instructed to request a test from in relation to you.
  • Any third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this privacy policy.

We require third parties to respect the security of your personal data and to treat it in accordance with the law. We do not authorise our third-party service providers to use your personal data for their own purposes, and only authorise them to process your personal data for specified purposes and in accordance with our instructions.


6. What safeguards are in place to ensure data that identifies me is secure?

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

7. Data retention- How long do you hold confidential information for?

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. All records held by us will be kept for the duration the duration of our involvement with you and a further period of 7 years (to allow for any claims to be made).