PRIVACY POLICY
Effective Date: 06th May 2025
Last Updated: 10th May 2025
1. Who Controls Your Data
The data controller responsible for your personal data is:
Hellodoc Ltd
86-90 Paul Street,
London EC2A 4NE,
United Kingdom
Company number: 16394721
Clinical Data Responsibility
For the purposes of consultations, the consulting doctor is responsible for the clinical decisions made during your care. While HelloDoc Ltd facilitates the platform and stores your consultation records securely, the clinical data resulting from your consultation is handled under the professional responsibility of the doctor, who is a registered independent healthcare professional.
If you have any questions or concerns about this Privacy Policy, or if you would like to exercise your data protection rights, please contact our data protection officer via the email provided above.
2. What Personal Data We Collect
When you use HelloDoc, we may collect and process the following categories of personal data:
a) Identity and Contact Data
• Full name
• Date of birth
• Gender
• NHS number (if available)
• Address
• Email address
• Mobile number
• Next of kin details
• Guardian or carer details (if applicable)
• Power of attorney details (if applicable)
b) Medical and Health Data
• Medical history (existing conditions, allergies, medications)
• Symptoms described during consultations
• Consultation notes and diagnosis records
• Prescriptions issued
• Referral letters and medical certificates
• Diagnostic reports (e.g., pathology or radiology results)
• Files and images uploaded by patients, including photographs of symptoms, copies of medical reports, and other healthcare documentation
• Correspondence from other healthcare providers (e.g., specialist letters, GP communications)
c) Technical and Usage Data
• Device type, operating system, and browser type
• IP address
• Mobile app version and usage statistics
• Interaction logs within our platform
d) Payment Data
• Limited payment information (e.g., last four digits of card number) for billing purposes, processed securely by our payment providers.
e) Identity Verification Data
• Images and documentation collected through third-party ID verification services (e.g., Veriff), where applicable.
• If manual verification is performed, we may request sight of government-issued identity documents (such as passports, driving licences, or national ID cards) via secure video link. In certain cases, images of these documents may be securely stored to confirm patient identity.
f) Minors’ Data
• We may collect and process personal and medical data relating to minors when a parent, legal guardian, or authorised representative (such as a person holding power of attorney) uses our services on their behalf. We require verification of legal guardianship or authority where applicable. Data relating to minors is handled with heightened protection and in accordance with applicable child and minor data protection standards.
3. How We Collect Your Data
We collect your data in several ways:
• Directly from you: when you register an account, complete your medical history, participate in consultations, or contact our support team.
• Automatically: through your use of our website and mobile apps, including technical information and interaction data collected via cookies and similar technologies.
• From third parties: including healthcare providers (such as your GP or specialists), diagnostic labs, pharmacies, or identity verification services.
4. How We Use Your Data
We use your personal data for the following purposes:
• To provide you with healthcare services, including video consultations, prescriptions, referrals, and issuing medical certificates.
• To verify your identity and manage your account, including billing and appointment management.
• To issue and manage electronic prescriptions through trusted third-party providers, such as Clynxx Ltd.
• To coordinate and manage pathology and radiology investigations through accredited third-party providers, including but not limited to Nationwide Pathology Ltd and other diagnostic providers.
• To communicate with you about your care, including appointment reminders, service updates, and clinical correspondence.
• To improve the quality, safety, and functionality of our platform and services, including internal testing, research, troubleshooting, and statistical analysis.
• To maintain accurate and complete medical records for clinical, safety, and legal compliance.
• To comply with legal obligations, including maintaining health records in accordance with healthcare regulatory standards.
• To respond to regulatory inquiries, inspections, and audits by relevant healthcare authorities.
• To process your data for clinical audit, quality assurance, regulatory reporting, and to comply with applicable healthcare standards.
• Some consultations may be recorded for quality assurance, training, monitoring, and regulatory compliance purposes. Recordings will only be made with patient awareness and will be securely stored and handled with strict confidentiality.
We do not sell your personal data or use your health data for marketing without your explicit consent.
5. Legal Bases for Processing
Under the UK GDPR, we rely on the following legal bases to process your personal data:
• Contractual necessity: To deliver the healthcare services you request.
• Explicit consent: For optional features, data sharing with third parties (e.g., nominated pharmacies), or where legally required.
• Legal obligations: To comply with regulatory, tax, or healthcare regulations.
• Vital interests: To protect your life or health in emergencies.
• Medical purposes: Processing health data is necessary for medical diagnosis, the provision of healthcare or treatment, pursuant to Article 9(2)(h) UK GDPR, under the responsibility of a healthcare professional or a person subject to confidentiality obligations.
6. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to enhance your browsing experience, analyse website and app usage, and improve our services. Cookies are small text files stored on your device that help us recognise you when you return to our platform.
You can control and manage cookies through your browser settings or mobile device preferences. Please note that disabling certain cookies may affect the functionality of the HelloDoc website or app.
For more detailed information about the cookies we use, the purposes for which we use them, and how you can manage your cookie preferences, please see our separate Cookie Policy.
7. How We Share Your Data
We only share your personal data when necessary and in accordance with applicable data protection laws. Your data may be shared with:
• Doctors and healthcare professionals providing consultations and medical care through HelloDoc.
• E-prescription service providers, such as Clynxx Ltd, for secure electronic prescription management.
• Pathology and radiology service providers, including but not limited to Nationwide Pathology Ltd and other accredited third-party diagnostic providers.
• Secure IT service providers and hosting providers, bound by contractual obligations to maintain confidentiality and security.
• Regulatory authorities or law enforcement agencies where legally required (e.g., in safeguarding situations or serious health threats).
• Pharmacies or other healthcare providers, when necessary for the provision of your treatment or upon your request.
• Analytics providers and technical partners (with appropriate data minimisation) to help us improve our services.
Special Sharing Circumstances:
• We may share your personal health data with your registered GP or another healthcare provider if you request us to do so.
• In certain legal circumstances, such as emergencies or safeguarding concerns, we may be obliged to share your personal data without your prior consent.
We ensure that all third parties we work with maintain appropriate security and privacy standards.
8. International Data Transfers
We primarily store and process your personal data on secure servers located within the United Kingdom. Some of your personal data may be transferred outside the United Kingdom or the European Economic Area (EEA). Whenever we transfer your data internationally, we ensure a similar degree of protection is afforded by implementing safeguards such as:
• Transfers to countries deemed to provide an adequate level of data protection by the UK Government.
• Use of legally approved Standard Contractual Clauses (SCCs) with third parties.
9. How We Protect Your Data
We implement appropriate technical and organisational measures to ensure the security of your personal data. These measures include:
• Encryption of data both in transit and at rest.
• Secure data centres located within the United Kingdom.
• Role-based access controls to limit data access to authorised personnel only.
• Regular security audits, penetration testing, and vulnerability assessments.
• Monitoring systems to detect and respond to potential security threats.
• Mandatory staff training on data protection and confidentiality standards.
Although we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security. In the event of a personal data breach, we will notify affected individuals and regulators as required by law.
10. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, including to satisfy any legal, regulatory, tax, accounting, or reporting requirements. The retention periods we apply are:
• Medical records: Retained for a minimum of 8 years after the last consultation, following NHS and healthcare industry standards.
• User accounts: Retained until you request deletion or after 5 years of inactivity.
• Payment and billing data: Retained for 6 years to comply with accounting and tax regulations.
• Support queries and correspondence: Retained for 2 years after resolution.
When data is no longer needed, we securely delete or anonymise it.
11. Your Rights
Under data protection law, you have rights regarding your personal data, which include:
• Right of access: You can request a copy of the personal data we hold about you.
• Right to rectification: You can ask us to correct inaccurate or incomplete data.
• Right to erasure: You can request that we delete your personal data in certain circumstances.
• Right to restrict processing: You can ask us to suspend the processing of your personal data.
• Right to data portability: You can request that we provide your data to you or to a third party in a structured, commonly used, and machine-readable format.
• Right to object: You can object to our processing of your personal data where we rely on a legitimate interest.
• Right to withdraw consent: Where we rely on consent to process your personal data, you have the right to withdraw that consent at any time.
To exercise any of these rights, please contact our data protection officer at the email provided above. We will respond to your request within one calendar month.
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO):
Website: www.ico.org.uk
Phone: +44 0303 123 1113
12. Third-Party Links
Our website and mobile apps may contain links to third-party websites, plug-ins, and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you.
We do not control these third-party websites and are not responsible for their privacy policies or practices. We encourage you to read the privacy policy of every website you visit.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time in response to changing legal, technical, or business developments. When we update our Privacy Policy, we will take appropriate measures to inform you, consistent with the significance of the changes made.
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.
The “Effective Date” and “Last Updated” date at the top of this document indicate when this Privacy Policy was last revised.
14. Contact Us
If you have any questions about this Privacy Policy, your personal data, or if you would like to exercise your data protection rights, please contact us at:
Data Protection Officer
HelloDoc Ltd
86-90 Paul Street
London EC2A 4NE
United Kingdom