Heydoc Limited (Heydoc) respects the privacy of individuals and is committed to protecting personal data of data subjects.
For the purposes of data protection law, including the UK Data Protection Act 1998 (DPA) and (from 25th May 2018) the EU General Data Protection Regulation (GDPR), Heydoc is registered with the Information Commissioner’s Office with notification number ZA162035.
Patients should refer to their own healthcare providers (our Clients) for more information on the terms, privacy policies and obligations that apply to their relationship under data protection law.
The purpose of this Policy is to describe how we, and our partners, obtain, use, and share information about you, as a "data subject", under data protection law. In providing our Services, we are a data processor only and act on behalf of Clients who are data controllers for the personal data of data subjects which we process.
Some of our users are subject to laws and regulations governing the use and disclosure of health information they create or receive. When we store, process or transmit individually identifiable health information on behalf of a healthcare professional, we cannot use or disclose such information in a way that the provider itself may not. We are also required to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity, and availability of the individually identifiable health information we store and process on behalf of such providers.
Information we hold
Heydoc obtains personal data (as defined in data protection law) about data subjects in a variety of ways when Clients visit our website, use our Services (including our online booking engine), or deal with us by email or on the phone.
We may process (obtain, use, store and transfer) the following information:
- Client data: for example (but not restricted to) information on healthcare providers, professionals and staff belonging to the hospital, practice, clinic or other entity;
- Client and Patient Identity data: for example (but not restricted to) first and last name, username or similar identifier, marital status, title, date of birth and gender;
- Client and Patient Contact information: for example (but not restricted to) address, email address and telephone numbers;
- Patient healthcare information: depending on the information recorded by our Clients, this may include demographic information, medical records, prescriptions, test results, correspondence between Patients and Clients, and other medical information;
- Client Financial information: including invoicing and payment information;
- Client Profile data: including your username and password and other information relating to your account with us;
- Client Usage data: we automatically receive and record information when you visit our website, such as your IP address and information stored in cookies on your computer hard drive.
We process special categories of data (also known as "sensitive personal data") about Patients in the provision of our Services. We only process such data to provide our Services and do so under the instructions of our Clients, under our Terms of Service. Our Clients are responsible for obtaining the necessary consent from Patients for us to process their personal data and special categories of data.
Use of information
We will only use personal data when the law allows us to. Most commonly, we will use personal data in the following circumstances and rely on these lawful bases for processing your personal data:
- Contract: where we need to perform the contract we are about to enter into or have entered into with Clients:
  - to provide our Services (without personal data being provided we may not be able to provide our Services).
- Legitimate interests: where it is necessary for our legitimate interests (or those of a third party) and the data subjects’ interests and fundamental rights do not override those interests:
  - the personal data we obtain is used to operate our business efficiently. We use it for billing, identification, authentication, service improvement, research, and also for contacting you when necessary.
  - we may also use your personal data to advise you of new or updated products or services or special offers or promotions that you may be interested in. You can contact us at any time to let us know that you do not want us to use your information for this purpose.
- Legal obligation: where we need to comply with a legal or regulatory obligation.
Please note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.
We may disclose personal data, when it is required to assist with a lawful investigation or comply with the law, if we believe disclosure is necessary to protect our rights, or if some or all of the assets and operations of our business are or may be transferred to another party.
We integrate with third party healthcare providers (such as laboratories) and other third party service providers as required, and may share personal data with those third party providers, to enable Clients to access their services (for example for Patient tests, as instructed by our Clients). We encourage Clients to read the privacy policies of these third party services, as required.
We will not sell, rent or share your personal data or personal data collected by our Services with third parties in other ways without appropriate lawful bases, unless we are entitled by law to do so. By providing your personal data to us, you understand our business needs to transfer this information to third party IT providers, including our website host and back-up service provider.
This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.
Storage and protection
We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.
We hold personal data in electronic databases, such as our customer relationship management system. The servers we use for our Services are located in London, UK. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
- Where we use certain service providers we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
- Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US.
We take all reasonable steps to keep any personal data we hold secure and have adopted technical and organisational measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We use two-factor authentication to increase the security of Client accounts. Data is replicated continuously, with multiple copies stored between security centres to ensure immediate failover. Data in transit is fully encrypted using the most secure cryptographic technologies available. This means that when you access your data via the internet, the server negotiates a secure link with the end user via a process called SSL. This is the same technology used for online banking and credit card transactions and is known to be the most secure system available.
We restrict access to personal data to our employees, contractors and agents who require that information in order to operate and develop our application and services. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Under certain circumstances, you have rights under data protection law in relation to your personal data, including the right to request access, correction, erasure, restriction of processing and data portability.
If you wish to exercise any of these rights, please contact us using the contact details below.
Changes to this policy
We may review and amend this Policy from time to time. We will post updated versions of the Policy on our website.
Questions or complaints
If you have any questions about this Policy or the way that we handle your personal data, please let us know. We have appointed a data privacy manager, who is responsible for this Policy.