At C the Signs (C the Signs Limited, company number 10683539 and registered office is at Gridiron Building, 1 Pancras Square, London N1C 4AG) ("We", "Us" and "Our)), We are committed to protecting and respecting your privacy, and the personal data that We hold and process about you. This privacy policy explains what data We collect, how We use it and your rights to ensure that data is managed appropriately.
The data protection laws require controllers to be open and transparent about data use. We are the controller of your personal data used for the purposes set out in this privacy policy.
Your privacy is important to us, so if there is anything in our privacy policy that is unclear or you do not understand, please contact us at support@cthesigns.co.uk.
This privacy policy explains how C the Signs and other organisations may use your data when you use the C the Signs Self-Assessment Service (also known as "C my Signs" and also referred to in this privacy policy as our "Services").
You can access the C the Signs Self-Assessment Service via our website or mobile device. This policy applies to using either of those channels.
As well as this policy, you should also read the NHS App terms of use and cookies policy.
You may find it helps to understand these terms when reading this policy.
You can find out more about these terms on the Information Commissioner’s Office website.
We use your data to provide the C the Signs Self-Assessment Services. It means we can give you access to specific cancer pathways commissioned within the NHS in your area.
We may also use your personal data to:
The points above are a short summary of our reasons for capturing and using personal data. You can find more details in the sections below.
In the tables below, you can find out more about data we may collect about you when you use the C the Signs Self-Assessment Service.
We obtain your personal data from you directly when you use the C the Signs Self-Assessment Service.
Lawful basis: Necessary to perform the contract with you
Lawful basis: Necessary to pursue our legitimate interests in the improvement of our Services and to enable users to use our messaging service
Include you in our email list for future notifications
Lawful basis: Consent
ODS codes are unique identifiers used by the NHS to assign to all parts of its organisation. This is used:
Lawful basis: Necessary to pursue our legitimate interests in making sure that your GP practice is within the commissioned area, to accurately retrieve your GP records for utilisation within the referral form, and reporting on how our service is being used
The ODS code of the NHS organisation receiving the self-assessment referral generated at the end of the self-assessment pathway is used for:
Lawful basis: Necessary to pursue our legitimate interests to facilitate the referral, track the referral to relevant organisation and reporting on how our service is being used
This is a part of your demographic information that forms part of your health record. It enables us to:
Lawful basis: Necessary to pursue our legitimate interests in making sure we have correctly identified you
This is calculated from your date of birth. It is used to:
Lawful basis: Necessary to pursue our legitimate interests in determining whether you are eligible for our Services, making sure we have correctly identified you, and reporting on how our service is being used
This is part of your demographic information that is part of your health record. It is used to:
Lawful basis: Necessary to pursue our legitimate interests in correctly identifying you and appropriately address you in communications
Your NHS number is unique identification number for you and your health record. It is used to:
Lawful basis: Necessary to pursue our legitimate interests in correctly identifying you
Your CTS number is a unique identity number assigned by C the Signs to you. It is used:
Lawful basis: Necessary to pursue our legitimate interests in ensuring the security of data that we process and ensuring the resolution of any user queries or issues
This is part of your contact. It is used to:
Lawful basis: Necessary to pursue our legitimate interests in effectively communicating with you, resolving any user issues and enabling you to use our Messaging Service
This is used to log events, trace faults and provide security protective monitoring log data.
This is used for session and performance management.
Lawful basis: Necessary to pursue our legitimate interests in ensuring the security of our Services, and performance monitoring and improvement
Facilitating the Self-Assessment Service: The C the Signs Self-Assessment Service requires you to insert your medical information in order to complete the self-assessment and determine your eligibility for the referral pathway. If you are eligible this data is then transferred into a referral form (or letter) and sent to the receiving NHS Organisation (either via secure NHSmail or via a secure C the Signs dashboard). This includes any additional information uploaded by you in the process of completing your self-assessment (e.g. photos of any conditions/symptoms that you might be suffering, such as skin lesions).
Lawful basis: Necessary to pursue our legitimate interests in determining your eligibility for the referral pathway
The condition for processing your special category data (i.e. your health data) is that the processing is necessary for the purposes of preventive medicine
Messages processed as part of Messaging Service will be stored within your record for the duration of your account (and any additional time required by law or NHS data requirements).
Lawful basis: Necessary to pursue our legitimate interests in providing our Messaging Service
Used for user research purposes, including to:
Lawful basis: Consent
C the Signs will process identifiable data from the Self-Assessment Service:
C the Signs will also anonymise data from the Self-Assessment Service:
C the Signs' lawful basis for this use of your personal data is that it is necessary for the pursuit of its legitimate interests (being the improvement of its Self-Assessment Service, ensuring that the Service is working correctly and is secure and reporting on how the Service is being used).
In addition, where commissioned and with the consent of your GP practice, C the Signs processes your GP practice electronic healthcare record to attach critical information relating to your health into the referral form before transmission to the NHS Organisation receiving the referral. This includes but is not limited to:
C the Signs acts as a Processor for this information and is unable to show you the contents of this information prior to the referral being sent. This information is transferred onto the referral form automatically without any individual from C the Signs seeing or accessing the data. The receiving NHS Organisation will receive this information (as they would routinely with other referrals sent by your GP). Your GP practice is the controller of your personal data used for this purpose and you should ask them if you have any questions about how they use your personal data.
This is technical data about your activities when you are using or logged in. It's also called audit data. It may include the time when you use the C the Signs Self-Assessment Service, what actions you take and related technical details. This information is captured against your NHS number. We keep this data for up to 2 years or required by law or NHS data requirements (whichever is longer).
We keep the information that you provide for the purposes of the self-assessment (including medical information, photographs etc.) for the duration of time that you have an account with us, or required by law or NHS data requirements (whichever is longer).
This is also called performance data. We’ve appointed an approved analytics service provider to help us process this data. We keep this data for up to 2 years.
This means information captured when you contact the C the Signs service desk for support, or when you provide feedback or complete a survey. If you raise a technical issue with the service desk team, we may link this to an Organisation Data Service (ODS) code. ODS codes are unique codes that are associated with particular health and care services, such as GP surgeries. When we capture an ODS code, it is stored in an issue management system alongside other details about the issue. We keep data about your contact with our service desk for up to 2 years.
When you register to use the C the Signs Self-Assessment Service, you will be added to an email mailing list for necessary service updates. You may also voluntarily choose to join other mailing lists (for email or SMS contact), for example for user research involvement. We have appointed an approved emailing and list management service provider as a processor for this data.
We process data about messages that you send or receive through the C the Signs Self-Assessment Service Messaging Service. Messages and replies are stored in your account for as long as your C the Signs account exists. Please also note, we have appointed a secure and approved SMS messaging provider as a processor for sending these messages. Any personal data contained in these messages will be kept for as long as you have an account with us.
You gain access to the C the Signs Self-Assessment Service using the personal login you generate through the service or by using Your NHS App login (where available).
The Self-Assessment Service may ask for access to the camera on your device for specific pathways available in your area (e.g. to photograph skin lesions).
Where available and necessary, the C the Signs Self-Assessment Service may also ask for access to your device location. If you allow access to your device’s location, then location data may be used to help you find services in your area.
This service is intended to be used by yourself, and not on behalf of anyone else. If you are completing this risk assessment on behalf of someone else you must keep this data safe and secure. To the extent possible bearing in mind their age, condition and capacity, you must:
When you register to use the C the Signs Self-Assessment Service, we may ask if you would like to join our user research community. User research helps us to make sure that the C the Signs Self-Assessment Service are meeting people’s needs.
If you choose to take part, we will email you a short survey to fill in about yourself. Your answers will help make sure we invite you to user research that is relevant to you.
When you have signed up, we may ask you to:
You can always say no to an invite, and you can leave the user research panel at any time.
Your personal data will only be captured if you choose to provide it as part of participating in user research relating to the C the Signs Self-Assessment Service. C the Signs is the controller for this data. This may be shared with third parties (e.g. commissioners of the service in the NHS or researchers).
We’ll collect your name and email address to maintain a mailing list for the user research, where you have consented to receive it. We will ask general questions about your health and background to ensure we are inclusive in our research, which counts as special category data. The amount of time we keep this data varies depending on the research you are taking part in. We will tell you before asking your consent.
All of our information that is held within the business is stored in a database within our control which is located within the UK.
Some of our third party suppliers, including our newsletter service provider and some of our data analytics providers are based outside of the United Kingdom (UK) and European Economic Area (EEA), meaning that your personal data will be transferred to and processed by these suppliers outside of the UK and the EEA. In order to protect your personal data where it is being collected, transferred to and processed by these suppliers, we ensure that our contract with them includes appropriate safeguards for your data, including, where appropriate, standard contractual clauses or ensuring that US companies are members of the US Data Privacy Framework. You can ask us for further information about the appropriate safeguards we rely on by contacting us at support@cthesigns.co.uk.
If we have your consent, we use the personal data contained in your responses to the self-assessment questionnaire to determine your eligibility for a referral and this involves automated decision-making because there is no human oversight on the decision of eligibility. To make this decision, we use an algorithm that scans and automatically assesses the responses that you give to the self-assessment questionnaire and that algorithm triages you based on your responses and decides whether to refer you back to GP or to secondary care, or to provide you with advice only.
You can also always attend your GP in the usual way if you are concerned about your health, even if you do not receive a GP or secondary care referral in response to your self-assessment questionnaire.
You have the right to obtain human intervention on the decision made about how we triage you, to express your point of view and to contest the triaging decision. If you would like further information on this automated decision-making, or to exercise your rights, please contact us at info@cthesigns.co.uk.
We work closely with GP practices Primary Care Network, Boroughs, Integrated Care Board, Cancer Alliances, and contract with them to provide our Services. As part of our contract with these overarching bodies, we may be required to share details of users including usage data, take up and details of the pathways researched to enable informed decisions to be taken on service planning. Although the reported data is aggregated and anonymised as far as possible to compile individual reports, it may be possible for individual users to identify an individual GP or healthcare professional based on a specific set of circumstances.
Where possible We will support our online services internally, however, We do use external suppliers to support specific aspects of our business that We cannot manage ourselves, such as software and IT providers that provide our CRM systems and analytics tools. Where We engage a third party supplier, We only share information that is necessary to provide a particular support service, and ensure that We only work with third parties who understand and implement good data handling practices. We have contracts in place to ensure that data is only used for specific purposes and under Our instructions, that the supplier respects confidentiality and holds the data securely.
We share personal data if We have to in order to comply with the law. For example, We may disclose your personal data to respond to a court order. We will disclose information if a government agency or regulatory body requests it, which includes law enforcement or regulatory authorities.
We share personal data with our professional advisors for the purpose of receiving professional services and advice.
We share anonymous information with the online analytics and search engine providers that assist us to improve and optimise the use of our site.
We do not sell the data that is captured or recorded through the website or the services for commercial benefit.
We may share your personal data with third parties authorised by the healthcare authority commissioning the pathway when requested to do (for example, a hospital requiring C the Signs to provide names and addresses to a trusted logistics companies to deliver test kits to homes).
If We sell the whole or part of our business, or We acquire the whole or part of another business, We may share personal data to facilitate that business transaction.
All information that you provide to us is stored on our secure servers, which are located within the UK.
Once We have received your personal data We employ a number of technical and organisational security measures to keep information secure and confidential. We ensure that only our personnel who need to access data do so, and that they are trained and understand good data handling techniques. Unfortunately the transmission of information via the internet is not completely secure, and although We will do our best to protect your information whilst stored on our systems, We cannot guarantee the complete security of data in transmission.
In order to access our Services you have unique user names and passwords – please help us to keep your personal data safe by keeping these secret and confidential, and not sharing them with other people. If you think that someone else knows your user name or password, please tell us as soon as possible to help us reset the security.
Data protection laws include a number of specific rights that you have in certain circumstances to ensure that your personal data is collected and handled in a secure and appropriate manner. These include the right to ask for:
If you would like to exercise your rights, please contact our Data Protection Officer at info@cthesigns.co.uk
Whilst We try our best, there may be times when you are not happy with the way in which We have handled your personal data. If you have any concerns, please contact our Data Protection Officer, by emailing info@cthesigns.co.uk to allow us to investigate your concerns. You also have the right to complain to the Information Commissioner’s Office (the regulator for data protection in the UK) via www.ico.org.uk
If you have a general question about using the C the Signs Self-Assessment Service, please contact support@cthesigns.co.uk.
It is important that We are able to keep a track of our users, and your rights to use our Services may change if you change your employer. Please keep us informed if any of the information that We hold about you changes.
The terms of our privacy policy may change from time to time. We will inform you via email or via the C the Signs Self-Assessment Service if we make any significant changes to our Privacy Policy, Cookies Policy or Terms of Use.
This Self-Assessment Service Privacy Policy was last updated on July 2025.