Web from £295/mo · Email from £195/mo + seats · EU-sovereign · Cancel any time


Health & clinics · Mental health · Case study

Private psychiatry clinic — site + DPIA pack from one builder

London-based independent psychiatry clinic — discreet, compliance-led Astro build on Vercel London, with a written Data Protection Impact Assessment, a referral flow that survives a CQC inspection, and a public sub-processor list. Growth tier.

London-based independent psychiatry clinic (anonymised)
  • Astro 6
  • Vercel London (lhr1)
  • Cloudflare DNS
  • Resend EU
  • Capsule UK CRM
  • Written DPIA pack
  • Pseudonymous intake schema
18 DPIA pages
9 weeks Time to launch
0 PII fields collected pre-registration
Growth Tier

A consultant-psychiatrist-led independent clinic in central London came to UK Web Marketing for a rebuild of the practice site and — the part nobody else was offering — a written Data Protection Impact Assessment (DPIA) covering the referral flow. The clinic sees adults privately and is CQC-registered. Anonymity is a clinical necessity for this audience; this case study describes the work, not the practice.

The brief, in one paragraph

The practice had an old WordPress site running a clinical-themed template, half a dozen plugins of uncertain provenance, and a “Book a consultation” form that — without anyone meaning it to — was collecting the kind of information that constitutes Article 9 special-category personal data (mental health) at the first contact. The lead consultant had recently been through a CQC inspection elsewhere and knew the pattern wouldn’t survive the next one. The brief: rebuild the site, redesign the referral flow so no clinical detail is collected pre-registration, and write the DPIA — because the previous builder didn’t know what one was.

What we did, in three steps

  1. Referral flow redesign before any pixels. Mapped the existing flow on a whiteboard with the consultant. Identified four points where the form was capturing clinical detail it didn’t need to. Redesigned the flow into three stages: (a) anonymous initial enquiry — name, email, preferred contact time, no clinical detail; (b) registration call from the practice manager, who explains the next step verbally; (c) intake form on the clinical system (a regulated CCG-style platform the practice already runs), not on the marketing site. The marketing site never sees an Article 9 field.
  2. Compliance-led Astro build. Hand-coded Astro on Vercel London (lhr1). Cloudflare for DNS. Resend EU for the initial-enquiry form. Capsule UK for the practice manager’s call list. No third-party widgets, no chat bubbles, no “review carousel” plugins. The CSP is restrictive enough that a future builder dropping in a Calendly embed would notice immediately.
  3. The 18-page DPIA pack. Written by us, reviewed by the practice’s external clinical-safety officer, signed by the lead consultant. Sections covered: the lawful basis (Article 9(2)(h) — provision of healthcare), the data flow diagram, the sub-processor list with regions, retention windows, the data-subject rights procedure (DSAR turnaround, erasure exceptions for clinical records), the breach-notification runbook (72-hour ICO timing), and the residual-risk register. Versioned in the practice’s compliance folder; updateable when the platform stack changes.
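The minimisation property that steps 1 and 2 rely on (the marketing site accepts exactly three non-clinical fields and nothing else) is worth enforcing server-side rather than trusting the form markup. The following is an added example, not code from the clinic's build or from UK Web Marketing: a strict allowlist validator for the stage (a) enquiry payload, written in JavaScript since the build is Astro. The field names (`name`, `email`, `preferredContactTime`), the length limits and the sample submissions are assumptions constructed for the example.

```javascript
// Added example (not the clinic's or the agency's code). Field names, limits
// and sample data below are assumptions constructed for illustration.

// The only fields the marketing site is allowed to receive at first contact.
const ALLOWED_FIELDS = {
  name: { maxLength: 100 },
  email: { maxLength: 254 },
  preferredContactTime: { maxLength: 60 },
};

// Minimal email shape check: one "@", no whitespace, a dot in the domain part.
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// Validate one submission. Unknown keys are rejected outright, so a later
// "reason for referral" textarea added to the form fails loudly here instead
// of quietly being emailed or stored.
function validateEnquiry(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    return { ok: false, errors: ['payload must be an object'] };
  }
  const errors = [];
  for (const key of Object.keys(payload)) {
    if (!Object.hasOwn(ALLOWED_FIELDS, key)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(ALLOWED_FIELDS)) {
    const value = payload[key];
    if (typeof value !== 'string' || value.trim() === '') {
      errors.push(`missing field: ${key}`);
      continue;
    }
    if (value.length > rule.maxLength) errors.push(`field too long: ${key}`);
  }
  if (typeof payload.email === 'string' && !EMAIL_RE.test(payload.email)) {
    errors.push('email is not well formed');
  }
  if (errors.length > 0) return { ok: false, errors };
  // Pass on only the allowlisted keys, trimmed; nothing else leaves this function.
  const data = {};
  for (const key of Object.keys(ALLOWED_FIELDS)) data[key] = payload[key].trim();
  return { ok: true, data };
}

// Run a batch through the validator and return counts plus the rejection
// reasons. Reasons name the offending field, never its contents, so this
// summary is safe to log.
function triage(submissions) {
  const summary = { accepted: 0, rejected: 0, reasons: [] };
  for (const s of submissions) {
    const result = validateEnquiry(s);
    if (result.ok) {
      summary.accepted += 1;
    } else {
      summary.rejected += 1;
      summary.reasons.push(...result.errors);
    }
  }
  return summary;
}

// Constructed sample submissions: one compliant, one carrying a clinical
// free-text field that must never reach the marketing site, one malformed.
const SAMPLE_SUBMISSIONS = [
  { name: 'A. Enquirer', email: 'enquirer@example.org', preferredContactTime: 'Weekday mornings' },
  { name: 'B. Enquirer', email: 'b@example.org', preferredContactTime: 'Evenings', symptoms: 'low mood' },
  { name: 'C. Enquirer', email: 'not-an-email', preferredContactTime: 'Any' },
];

console.log(JSON.stringify(triage(SAMPLE_SUBMISSIONS)));
```

Running the block prints a summary with one accepted and two rejected submissions; the rejection reasons are `unexpected field: symptoms` and `email is not well formed`. The point of rejecting unknown keys rather than ignoring them is the same as the restrictive CSP in step 2: a future change that starts collecting clinical detail breaks visibly instead of silently widening the data flow the DPIA describes.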

The outcome, in numbers

  • Zero Article 9 fields collected pre-registration. The marketing site’s contact form captures three things: name, email, preferred contact time. Anything clinical is on the regulated clinical platform after the practice manager call.
  • 9-week build with a 2-week DPIA-only sprint up front. Growth-tier setup phase covered the DPIA writing before any code was written. The build phase then implemented the flow the DPIA had already described.
  • 18-page DPIA pack handed over. Signed, dated, ready to show at the next CQC inspection.
  • Public /about-our-data page on the site. A patient-readable summary of the same compliance disclosures, written for the patient audience rather than the auditor. The lead consultant flagged this as the page they were most relieved to be able to point patients at.

Why us

A web agency that publishes its own DPIA-style disclosures on its /compliance page knows what one looks like for a clinic. We’re not writing the clinical content (we’re not clinicians), but we are writing the data-flow content, the lawful-basis tables, the sub-processor disclosures and the retention windows — and we’re writing them into the build, not retrofitting after launch. The practice’s clinical-safety officer read our /compliance page on the first call and was the one who pushed the lead consultant to brief us.

The clinic is on the Growth tier (£1,495/mo). Fortnightly cadence, embedded operator, monthly substantive piece, and the DPIA pack is now a living document maintained on the same engagement. WhatsApp me if your practice is in a similar position — a private clinic, an Article 9 audience, no written DPIA. We’ll talk before we quote.
