Nexus by Blum: Privacy Policy
Introduction
Welcome to Nexus’ privacy policy
Nexus respects your privacy and is committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you use our applications and the Nexus Platform, which is deployed on behalf of the Primary Care Gambling Service (PCGS), operated by Hurley Group, as part of an NHS-commissioned clinical service. This Policy will also tell you about your privacy rights and how the law protects you.
1. Important information and who we are
Deployment context
The Nexus platform is deployed in this instance as a digital health tool for patients referred to the Primary Care Gambling Service (PCGS), a specialist NHS-commissioned service operated by Hurley Group. PCGS provides clinical assessment, treatment and support for individuals affected by gambling-related harm. If you are accessing Nexus through the PCGS, your use of this platform forms part of your engagement with that clinical service.
This means that some of the personal data you provide – including information relating to your gambling behaviour, mental health, and treatment progress – constitutes special category data under UK data protection law and is handled with the highest level of care and protection.
Nexus’ commitment to you
We place the integrity and control of your personal information at the centre of the Nexus business and Platforms. We will request information about your health, well-being and, where relevant, your gambling behaviour and its impact, for the purpose of supporting your clinical care through the PCGS. The collection of this special category data is subject to the lawful basis described in the Controller and Processor section below, and you may exercise your rights in relation to it at all times – see Section 9 (Your Legal Rights).
What this policy is about
This privacy policy aims to give you information on how Nexus collects and processes your personal data through your use of the Nexus application (the Platform), deployed for the Primary Care Gambling Service (PCGS). This includes any information you provide when registering as a PCGS patient on the Platform, completing clinical questionnaires, or communicating with the service through the Platform. This Policy explains how and when information may be shared with PCGS, Hurley Group, and other parties involved in your clinical care.
It is important that you read this privacy policy together with any other privacy information or notices provided by PCGS or Hurley Group.
Not intended for children
The Nexus Platform, in its deployment for PCGS, is intended for adults aged 18 and over. We do not knowingly collect data relating to children.
Please contact us at hello@blumhealth.co.uk if you have any questions.
Controller and processor
Hurley Group, operating the Primary Care Gambling Service (PCGS), is the Data Controller under UK data protection law for the personal data processed through this deployment of the Nexus Platform. As Data Controller, Hurley Group / PCGS determines the purposes and means for which your personal data is processed and is responsible for ensuring that processing is lawful.
Nexus By Blum is the data processor in this arrangement. This means we are responsible for the security, integrity and quality of the data processed on the Platform, and we act only on the documented instructions of Hurley Group / PCGS.
Lawful basis for processing special category data
The processing of special category personal data (including health data and information relating to gambling behaviour) through the Nexus Platform is carried out under Article 9(2)(h) of the UK GDPR – processing necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services. This processing is carried out under the responsibility of Hurley Group as the NHS-commissioned service provider.
Where other categories of personal data are processed, the lawful basis is Article 6(1)(b) of the UK GDPR (performance of a contract) and/or Article 6(1)(e) (public interest task, given the NHS commissioning context).
Contact details
If you have any questions about this privacy policy, please contact our Data Privacy Manager/DPO:
- Email address: hello@blumhealth.co.uk
- Postal address: Data Privacy Manager, Nexus By Blum Ltd, Atlantic House, 18–22 Hamilton Street, Birkenhead, England, CH41 1AL
For questions relating to how Hurley Group / PCGS processes your data as Data Controller, please contact PCGS directly using the contact details provided to you by the service.
You have the right to make a complaint to the Information Commissioner’s Office (ICO).
Changes to the privacy policy
We keep our privacy policy under regular review. This version was last updated on 18 March 2026 to reflect the deployment of Nexus for the Primary Care Gambling Service (PCGS) operated by Hurley Group.
2. The information we collect about you
Personal data, or personal information, means any information about you from which you can be identified.
Nexus Platform
Each time you use the Nexus Platform we may automatically collect the following information:
- technical information, including the type of device you use, a unique device identifier, mobile network information, your mobile operating system, and time zone setting;
- information either accessed through your device or stored on your device which you have explicitly consented to sharing; and
- details of your use of the Platform.
PCGS Patients (Nexus Users)
As a patient of the Primary Care Gambling Service accessing the Nexus Platform, we may process the following personal information about you:
- Identity Data includes first name, last name, username or similar identifier, title, date of birth and gender.
- Contact Data includes address, email address and telephone numbers.
- Profile Data includes your basic account information, username, password and access information, information you may provide in response to clinical questionnaires or surveys, support queries and complaints raised, your preferences and feedback.
- Communications Data includes your preferences in receiving service-related communications from us and from PCGS. Please note that your clinical data will not be used for marketing purposes.
- Health and Clinical Data (Special Category Data): includes information about your gambling behaviour and its impact on your health and wellbeing, mental health information, clinical assessment outcomes, treatment progress, and any other health information provided through the Platform as part of your engagement with the PCGS clinical service. This data is processed under Article 9(2)(h) UK GDPR as described above.
Special category data (health and clinical information)
Special Category Data includes health data, mental health information, and in the context of the PCGS deployment, information about gambling-related harm and its impact on your mental and physical health. This data is subject to enhanced protection under UK GDPR.
For PCGS patients using the Platform, we collect Special Category Data through clinical questionnaires and assessments as part of your treatment and care pathway. This processing is carried out under Article 9(2)(h) UK GDPR, under the responsibility of Hurley Group as the NHS-commissioned Data Controller.
3. How is your personal data collected?
We use different methods to collect data from and about you including through:
Direct interactions
You may give us your personal information directly when you:
- register on the Nexus Platform as a PCGS patient;
- complete clinical questionnaires or assessments;
- communicate with us or the PCGS clinical team via the Platform;
- respond to a survey or provide feedback.
Automated technologies or interactions
As you interact with the Platform, we will automatically collect data about your equipment and usage patterns using cookies and server logs. Please see our cookie policy for further details.
Referral from PCGS / Hurley Group
We may receive personal data about you from Hurley Group / PCGS as part of your referral to and enrolment on the Platform as a clinical patient. This data is shared under the Data Processing Agreement between Nexus by Blum and Hurley Group.
Profiling and automated decision making
We do not currently use profiling or automated decision making. We will update this Policy if this changes.
4. How we use your personal data
Lawful basis for processing
We will only use your personal data when the law allows us to. For PCGS patients, we use your personal data on the following bases:
- Article 6(1)(b) UK GDPR – Contractual necessity: to set up and maintain your account and provide access to the Platform as part of the PCGS service.
- Article 6(1)(e) UK GDPR – Public task: where processing is necessary for a task carried out in the public interest, given the NHS-commissioned nature of the PCGS service.
- Article 6(1)(c) UK GDPR – Legal obligation: where we need to comply with a legal obligation.
- Article 9(2)(h) UK GDPR – Health and social care: for the processing of special category data as part of the PCGS clinical care pathway, under the responsibility of Hurley Group as the NHS-commissioned Data Controller.
- Consent: where we rely on your explicit consent for specific processing activities, such as optional communications preferences.
| Purpose / Activity | Type of Data | Lawful Basis |
|---|---|---|
| To register you on the Platform as a PCGS patient | Identity Data, Contact Data | Article 6(1)(b) – Performance of contract |
| To collect clinical information via questionnaires and assessments | Health and Clinical Data (Special Category) | Article 9(2)(h) UK GDPR – Provision of health or social care (NHS-commissioned PCGS) |
| To support your clinical treatment and care pathway through PCGS | Health and Clinical Data, Identity Data, Contact Data | Article 9(2)(h) UK GDPR; Article 6(1)(e) – Public task |
| To manage and protect the Platform (security, hosting, troubleshooting) | Technical Data, Usage Data | Article 6(1)(f) – Legitimate interests (platform operation and security) |
| To manage our relationship with you (policy changes, feedback) | Identity Data, Contact Data, Communications Data | Article 6(1)(b) – Contractual; Article 6(1)(c) – Legal obligation |
| To use anonymised analytics to improve the Platform | Anonymised / Aggregated Data | Legitimate interests (anonymised data; agreed with Hurley Group / PCGS as Controller) |
Communications and marketing
We will only use your contact information to send you communications directly related to your use of the Nexus Platform as part of your PCGS clinical care. We will not use your clinical data – including any information relating to gambling behaviour or treatment – for marketing or commercial purposes.
Any service-related communications will be sent in accordance with PCGS’s instructions as Data Controller. You may manage your communication preferences within the Platform settings.
We do not share your information with third parties for marketing purposes.
5. Disclosures of your personal data
We may share your personal data with the following parties:
- Nexus by Blum staff who require access for technical support, security, and platform operation, subject to confidentiality obligations.
- Hurley Group / PCGS as Data Controller, with whom data is shared as necessary for the operation of the clinical service and in accordance with the Data Processing Agreement.
- External third parties including specialist IT support, cloud hosting providers, and sub-contractors who process data on our behalf under appropriate data processing agreements.
- Professional advisers including lawyers, auditors and insurers, where necessary.
- HM Revenue and Customs, regulators and other authorities where required by law.
- In the event of a clinical safety concern, relevant NHS bodies, safeguarding authorities or emergency services, where disclosure is necessary to protect the vital interests of a patient or third party.
We require all third parties to respect the security of your personal data and to treat it in accordance with the law.
6. International transfers
We do not transfer patient data outside of the United Kingdom. All data processed through the Nexus Platform for the PCGS deployment is stored and processed within the UK. In the event that any transfer outside the UK were ever required, prior written agreement from Hurley Group / PCGS as Data Controller would be required, and at least one of the following safeguards would be implemented:
- We will only transfer personal data to countries deemed to provide an adequate level of protection by the UK Government.
- Where we use certain service providers, we may use specific contracts approved for use in the UK which give personal data the same protection it has in the UK.
7. Data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. Access to your personal data is limited to those who have a business need to know.
The Nexus Platform is designed and maintained in accordance with NHS Digital Technology Assessment Criteria (DTAC) requirements, including the clinical safety, data protection, and technical security standards set out in that framework.
We have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where legally required to do so.
8. Data retention
We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for.
For PCGS patients, personal data (including clinical and special category data) will be retained in accordance with the retention schedule agreed with Hurley Group / PCGS as Data Controller, and in line with NHS Records Management requirements. Clinical records are typically retained for a minimum of 8 years from the end of treatment in line with NHS Records Management Code of Practice.
In some circumstances you can ask us to delete your data: see Your Legal Rights below. Please note that for clinical records, erasure requests may be subject to the overriding legal obligations of Hurley Group / PCGS as Data Controller.
9. Your legal rights
Under certain circumstances, you have rights under UK data protection law in relation to your personal data. These rights are exercisable primarily against Hurley Group / PCGS as Data Controller. Nexus by Blum will assist in fulfilling these rights in accordance with our obligations as Data Processor.
- Request access to your personal data (commonly known as a data subject access request). This enables you to receive a copy of the personal data held about you.
- Request correction of the personal data held about you. This enables you to have any incomplete or inaccurate data corrected.
- Request erasure of your personal data where there is no good reason for us continuing to process it. Note that we may not always be able to comply due to NHS records retention obligations.
- Object to processing of your personal data where we are relying on a legitimate interest, or where we are processing it for direct marketing purposes.
- Request restriction of processing in certain circumstances, such as where you want us to establish the data’s accuracy.
- Request the transfer of your personal data to you or a third party in a structured, machine-readable format.
- Withdraw consent at any time where we are relying on consent to process your personal data.
To exercise any of the above rights in relation to data processed as part of the PCGS clinical service, please contact Hurley Group / PCGS as Data Controller in the first instance. You may also contact Nexus by Blum at hello@blumhealth.co.uk and we will liaise with PCGS accordingly.
You will not have to pay a fee to access your personal data or exercise any of the other rights. We try to respond to all legitimate requests within one month.