MedProtocol

Privacy Notice

Last updated: 1 May 2026 · Effective: 1 May 2026

MedProtocol is operated by Connectve Hub Limited, a company registered in England and Wales (company number 16XXXXXX), whose registered office is at 71–75 Shelton Street, Covent Garden, London WC2H 9JQ. We are registered with the Information Commissioner's Office (ICO) under registration reference XXXXXXXX.

This Privacy Notice explains how we collect, use, share, and protect personal information — including health data — when you use medprotocol.app and our related services. We process all personal data in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Information we collect

1.1 Information you give us

  • Identity data: full name, date of birth, gender
  • Contact data: email address, phone number, country of residence
  • Health data: reason for consultation, symptoms, medical history, medications, scan uploads, clinical documents
  • Payment data: processed by Stripe; we store only the transaction reference, never raw card details
  • Communications: messages sent to us, feedback, and support requests

1.2 Information we collect automatically

  • Technical data: IP address, browser type, device identifiers, operating system
  • Usage data: pages viewed, features used, referral source, session duration
  • Cookie data: session cookies and analytics cookies (see our Cookie Policy)

1.3 Information from third parties

  • Specialists: clinical notes or documents generated during your consultation
  • Identity verification providers: used to verify specialist credentials (not patients)

2. How we use your information

Purpose | Legal basis
Provide and manage your consultation booking | Contract performance (Article 6(1)(b) UK GDPR)
Process health information to facilitate your care | Explicit consent (Article 9(2)(a)) and healthcare provision (Article 9(2)(h))
Send appointment confirmations and clinical summaries | Contract performance
Verify specialist credentials and maintain our Trust Index | Legitimate interests (Article 6(1)(f)) — patient safety
Comply with legal and regulatory obligations | Legal obligation (Article 6(1)(c))
Send service updates and platform news (optional) | Consent (withdrawable at any time)
Improve our platform and conduct analytics | Legitimate interests

3. Health data (special category data)

Health data is "special category" data under UK GDPR. We process it only with your explicit consent and solely to provide the healthcare facilitation service you have requested. You may withdraw consent at any time by contacting us at privacy@medprotocol.app. Withdrawal does not affect processing carried out before withdrawal.

We never sell, rent, or share your health data with third parties for marketing purposes. Health data is never used for automated decision-making that produces legal or similarly significant effects without human review.

4. Who we share your information with

  • Verified specialists — your health information is shared with the specialist(s) you consult, to the extent necessary to provide the service.
  • Your GP — a clinical summary or GP letter is sent to the GP you specify, only with your consent.
  • Stripe — payment processing. Stripe processes card data directly; we receive only a transaction token.
  • Amazon Web Services (AWS eu-west-1) — cloud hosting. Data is stored in the Republic of Ireland and does not leave the UK/EEA without appropriate safeguards.
  • Resend — transactional email delivery. Email content is transmitted over TLS-encrypted connections.
  • scanbook.uk — if you are referred for imaging, your referral details are shared with Scanbook with your consent.
  • Legal authorities — when required by law or a court order.

We do not sell personal data. We do not transfer data outside the UK without appropriate safeguards (adequacy decisions, standard contractual clauses, or binding corporate rules).

5. Data retention

  • Patient health records: retained for a minimum of 8 years from the date of last contact, in line with NHS records management guidance, or until you withdraw consent (whichever is later)
  • Account data: retained for the duration of your account plus 2 years
  • Financial records: 7 years (HMRC requirement)
  • Marketing preferences: until you opt out

6. Your rights

Under UK GDPR you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — ask us to correct inaccurate data
  • Erasure — ask us to delete your data (subject to legal retention requirements)
  • Restriction — ask us to limit processing in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Object — object to processing based on legitimate interests
  • Withdraw consent — at any time where processing is consent-based

To exercise any right, email privacy@medprotocol.app. We will respond within one calendar month. If you are unhappy with our response, you have the right to lodge a complaint with the Information Commissioner's Office at ico.org.uk.

7. Security

We use industry-standard security measures including TLS encryption in transit, AES-256 encryption at rest, access controls, audit logging, and regular security reviews. All staff with access to personal data are trained in data protection and bound by confidentiality obligations.

8. Cookies

We use cookies and similar technologies. For full details, please read our Cookie Policy.

9. Changes to this notice

We may update this Privacy Notice from time to time. Material changes will be communicated by email or a prominent notice on our platform at least 14 days before they take effect. The date at the top of this page reflects the most recent revision.

10. Contact us

Data Controller: Connectve Hub Limited

Email: privacy@medprotocol.app

Post: Data Protection, MedProtocol, 71–75 Shelton Street, London WC2H 9JQ