Privacy Policy (United Kingdom)

1. Introduction

MyDoctors360 is operated in the United Kingdom by TBD_LEGAL_ENTITY_NAME (company number TBD_COMPANIES_HOUSE_NUMBER, registered office TBD_REGISTERED_OFFICE_ADDRESS). This Privacy Policy explains how we collect, use, store, and protect your personal data under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. It also explains how we fit alongside the doctor you book with, who is separately responsible for their own clinical records.

2. Who We Are & Our Registrations

• Legal entity: TBD_LEGAL_ENTITY_NAME
• Companies House number: TBD_COMPANIES_HOUSE_NUMBER
• Registered office: TBD_REGISTERED_OFFICE_ADDRESS
• ICO data controller registration number: TBD_ICO_REGISTRATION_NUMBER
• Data Protection Lead: TBD_DPO_NAME_OR_PRIVACY_LEAD — TBD_DPO_EMAIL

3. Controller / Processor Split

MyDoctors360 is a technology intermediary, not a healthcare provider. That distinction matters for data protection:

• For your account, booking, and payment data, TBD_LEGAL_ENTITY_NAME acts as data controller. We decide how and why this data is used.
• For clinical records authored by the doctor (prescriptions, care plans, consultation notes written by the treating doctor during or after your appointment), the doctor is the data controller for their own patient record, and TBD_LEGAL_ENTITY_NAME acts as data processor on the doctor’s behalf — we host and transmit that record under instruction from the doctor.
• For intake information you enter into your medical profile and choose to share with a particular doctor, we and the doctor act as joint controllers for that limited dataset during the booking. We are responsible for collecting and transmitting it securely; the doctor is responsible for reading it, acting on it, and retaining it per their own obligations.

We provide each doctor with a Data Processing Agreement at onboarding that documents this split. You can request a copy at TBD_DPO_EMAIL.

4. Data We Collect

4.1 Account Information

Name, email address, phone number, and password (hashed) when you create an account.

4.2 Intake & Medical Information

Health conditions, allergies, medications, blood type, and other intake information you voluntarily provide in your medical profile, and any symptoms you describe at the time of booking. Under UK GDPR this is special category data (Article 9).

4.3 Booking, Payment & Communication Data

Appointment details, messages exchanged with your doctor through the platform, and payment information processed via Stripe. We do not store full card numbers; Stripe does, under PCI-DSS Level 1 certification.

4.4 Consultation Content

Where the doctor uses platform-hosted video for your consultation, the video call is transmitted but not recorded or stored by us. Any clinical notes generated by the doctor during or after the consultation are stored by us as processor on the doctor’s behalf (see §3).

4.5 Technical Data

IP address, browser type, device information, and usage analytics (subject to your cookie preferences — see our Cookie Policy).

5. Legal Bases for Processing

For each category of data, we rely on one or more of the following bases:

• Contract performance — UK GDPR Art 6(1)(b). To create your account, run searches, take bookings, process payments, send confirmations, and deliver messaging between you and the doctor.
• Legitimate interests — UK GDPR Art 6(1)(f). For platform security, fraud prevention, abuse monitoring, and service improvement. We have balanced these interests against your rights and can share our Legitimate Interests Assessment on request.
• Legal obligation — UK GDPR Art 6(1)(c). For accounting, tax, and responding to lawful requests from competent authorities.
• Explicit consent — UK GDPR Art 9(2)(a). For collecting and transmitting health data you enter into your medical profile and choose to share with a specific doctor.
• Provision of healthcare — UK GDPR Art 9(2)(h). When processing clinical-record data on behalf of the treating doctor (as processor — see §3), the underlying basis the doctor relies on is the provision of healthcare under the responsibility of a health professional.

6. How We Use Your Data

• Help you find and book appointments with independent private doctors.
• Process payments via Stripe Connect (we act as the doctor’s payment agent).
• Send appointment reminders, confirmations, and service messages.
• Transmit your intake data to the doctor you choose — and only to that doctor — so they can prepare for your consultation.
• Host the technical infrastructure (messaging, video rooms, document storage) that the doctor uses to deliver care to you.
• Improve the platform, investigate safety incidents, and respond to support queries.

7. Who We Share Data With (Sub-processors)

We use the following sub-processors. Each has its own data-protection commitments and each handles data only under our written instruction. We review this list periodically; material changes will be notified to you.

• Stripe (payments) — processes card details and payouts. stripe.com/privacy
• Supabase (database & file storage) — stores account records, bookings, messages, and documents. EU region. supabase.com/privacy
• Vercel (hosting) — runs the web application. vercel.com/legal/privacy-policy
• Resend (transactional email) — sends booking confirmations and reminders. resend.com/legal/privacy-policy
• Daily.co (video consultations) — transmits video consultations. Calls are not recorded by the platform. daily.co/legal/privacy
• Twilio (SMS reminders) — sends text-message reminders. twilio.com/legal/privacy
• Meta WhatsApp Business (optional reminders) — sends WhatsApp reminders where you’ve opted in. whatsapp.com/legal/business-terms
• OpenAI (specialty routing) — used only for the specialty finder, which does not return a diagnosis. Inputs are not used to train models. openai.com/policies/privacy-policy
• Sentry (error monitoring) — captures anonymised error reports. sentry.io/privacy
• Google (Places, Calendar) — location autocomplete and calendar sync. policies.google.com/privacy

In addition, we share booking and intake data with the doctor you book with — that is the whole point of the platform. Each doctor is the independent controller of any clinical record they create for you after the consultation (see §3).

We do not sell your data to third parties.

8. International Transfers

Your data is primarily stored in the UK or EEA. Some sub-processors above (Stripe, Vercel, Sentry, OpenAI, Daily.co, Twilio) process or route data through the United States. Where that happens, we rely on one or more of the following safeguards:

• The UK Extension to the EU-US Data Privacy Framework (UK-US Data Bridge) where the sub-processor is self-certified.
• The UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum otherwise.

A copy of the relevant safeguards is available from TBD_DPO_EMAIL on request.

9. Data Retention

• Account data — Retained while your account is active, deleted on account deletion request.
• Booking records — Retained for 8 years after the appointment (aligned with NHS Records Management Code of Practice retention for adult records).
• Medical / intake data — Retained for 8 years from the last consultation, or until you request erasure. Note that where the doctor is the controller of a clinical record (see §3), the doctor’s own retention schedule applies and we process per their instruction.
• Payment records — Retained for 7 years (HMRC tax obligation).
• Audit logs — Retained for 2 years for security and fraud-prevention purposes.
• Pending bookings — Automatically deleted after 15 minutes (patient) or 48 hours (admin-created) if payment is not completed.

10. Your Rights

Under UK GDPR, you have the right to:

• Access your personal data — available in Dashboard > Settings > Export Data, or by written request.
• Rectification — correct inaccurate data via your profile settings or by written request.
• Erasure — delete your account (Dashboard > Settings > Delete Account). Note: some booking and payment records are retained under the legal-obligation basis in §9.
• Restrict processing — contact TBD_DPO_EMAIL to limit how we use your data.
• Data portability — export your data in a structured, machine-readable format.
• Object — to processing based on legitimate interests.
• Withdraw consent — for medical data sharing at any time, without affecting processing already carried out.
• Access to Health Records Act 1990 — if you need access to clinical records authored by a specific doctor, please contact that doctor directly; they are the controller of that record.

11. Data Subject Access Requests (DSAR)

To exercise any of the rights listed above, email TBD_DPO_EMAIL with the subject line “Data Subject Access Request”. Please include your full name, the email address on your account, and a description of your request.

We respond within 30 calendar days (UK GDPR Art 12). In complex cases or where we receive a high volume of requests, we may extend this by a further 60 days and will tell you within the initial 30-day period if so. Identity verification may be requested. Requests are free of charge except where manifestly unfounded or excessive (UK GDPR Art 12(5)).

12. Cookies

We use essential cookies for authentication and optional analytics cookies under the Privacy and Electronic Communications Regulations 2003 (PECR). Non-essential cookies are set only after you give consent. See our Cookie Policy for the full inventory.

13. Security

We protect your data with HTTPS/TLS encryption in transit, row-level security policies in the database, encrypted storage for documents, multi-factor authentication options, and a documented incident-response process. We will notify affected individuals and the ICO within 72 hours of becoming aware of a personal-data breach where the breach is likely to result in a risk to your rights and freedoms.

14. Children

The platform is not directed to individuals under 16. We do not knowingly collect data from children. If you believe a child has registered, please contact TBD_DPO_EMAIL.

15. Changes to This Policy

We may update this policy periodically. Material changes will be notified by email or in-app notification. Continued use after changes constitutes acceptance.

16. Contact & Complaints

Data Protection Lead: TBD_DPO_NAME_OR_PRIVACY_LEAD — TBD_DPO_EMAIL
General privacy queries: privacy@mydoctors360.com

You have the right to lodge a complaint with the Information Commissioner’s Office (ICO). You can reach the ICO at ico.org.uk, by phone on 0303 123 1113, or by post at: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

We would appreciate the chance to deal with your concerns first, so please contact us at TBD_DPO_EMAIL before raising a complaint with the ICO.