Privacy policy

Introduction

Heydoc Limited (Heydoc) respects the privacy of individuals and is committed to protecting personal data of data subjects.

For the purposes of data protection law, including the UK Data Protection Act 1998 (DPA) and (from 25th May 2018) the EU General Data Protection Regulation (GDPR), Heydoc is registered with the Information Commissioner’s Office with notification number ZA162035.

This Privacy Policy (this "Policy") applies to the software and information services we offer to Clients through our website located at www.heydoc.co.uk and our clinical system (collectively, our "Services"), which are governed by our Terms of Service. In this Policy, "Client" or "you" means any person (for example, a healthcare professional) who registers to use our Services, and where the context permits, includes any entity on whose behalf that person registers to use our Services (for example, healthcare providers, hospitals, clinics etc.).

Patients should refer to their own healthcare providers (our Clients) for more information on the terms, privacy policies and obligations that apply to their relationship under data protection law.

Maintaining your trust is important to us, and we strongly encourage you to read this Policy in full. In particular, where you have registered to use our Services under our Terms of Service, you are deemed to have accepted this Privacy Policy on behalf of yourself and any authorised users.

The purpose of this Policy is to describe how we, and our partners, obtain, use, and share information about you, as a "data subject", under data protection law. In providing our Services, we are a data processor only and act on behalf of Clients who are data controllers for the personal data of data subjects which we process.

Some of our users are subject to laws and regulations governing the use and disclosure of health information they create or receive. When we store, process or transmit individually identifiable health information on behalf of a healthcare professional, we cannot use or disclose such information in a way that the provider itself may not. We are also required to, among other things, apply reasonable and appropriate measures to safeguard the confidentiality, integrity, and availability of the individually identifiable health information we store and process on behalf of such providers.

Information we hold

Heydoc obtains personal data (as defined in data protection law) about data subjects in a variety of ways when Clients visit our website, use our Services (including our online booking engine), or deal with us by email or on the phone.

We may process (obtain, use, store and transfer) the following information:

  • Client data: for example, (but not restricted to) information on healthcare providers, professionals, staff belonging to the hospital, practice, clinic or other entity;
  • Client and Patient Identity data: for example, (but not restricted to) first and last name, username or similar identifier, marital status, title, date of birth and gender;
  • Client and Patient Contact information: for example, (but not restricted to) address, email address and telephone numbers;
  • Patient healthcare information: depending on the information recorded by our Clients, this may include demographic information, medical records, prescriptions, test results, correspondence between Patients and Clients, and other medical information;
  • Client Financial information: including invoicing and payment information;
  • Client Profile data: including your username and password and other information relating to your account with us;
  • Client Usage data: we automatically receive and record information when you visit our website, such as your IP address and information stored in cookies on your computer hard-drive.

We process special categories of data (also known as "sensitive personal data") about Patients in the provision of our Services. We only process such data to provide our Services and do so under the instructions of our Clients, under our Terms of Service. Our Clients are responsible for obtaining the necessary consent from Patients for us to process their personal data and special categories of data.

In addition to the above categories of personal data and special categories of data, to assist us in improving our products and services, we monitor aggregated data that is collected by our Services and may share this with third parties collectively and in an anonymous way. Aggregated data may be derived from personal data but is not considered personal data under data protection law as this data does not directly or indirectly reveal the identity of an individual data subject. However, if we combine or connect aggregated data with personal data so that it can directly or indirectly identify individuals, we treat the combined data as personal data which will be used in accordance with this Privacy Policy.

Use of information

We will only use personal data when the law allows us to. Most commonly, we will use personal data in the following circumstances and rely on these lawful bases for processing your personal data:

  • Contract: where we need to perform the contract we are about to enter into or have entered into with Clients:
    • to provide our Services (without personal data being provided we may not be able to provide our Services).
  • Legitimate interests: where it is necessary for our legitimate interests (or those of a third party) and the data subjects’ interests and fundamental rights do not override those interests:
    • the personal data we obtain is used to operate our business efficiently. We use it for billing, identification, authentication, service improvement, research, and also for contacting you when necessary.
    • we may also use your personal data to advise you of new or updated products or services or special offers or promotions that you may be interested in. You can contact us at any time to let us know that you do not want us to use your information for this purpose.
  • Where we need to comply with a legal or regulatory obligation.

Please note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.

Information Sharing

We may disclose personal data, when it is required to assist with a lawful investigation or comply with the law, if we believe disclosure is necessary to protect our rights, or if some or all of the assets and operations of our business are or may be transferred to another party.

We integrate with third party healthcare providers (such as laboratories) and other third party service providers as required, and may share personal data with those third party providers, to enable Clients to access their services (for example for Patient tests, as instructed by our Clients). We encourage Clients to read the privacy policies of these third party services, as required.

We will not sell, rent or share your personal data or personal data collected by our Services with third parties in other ways without appropriate lawful bases, unless we are entitled by law to do so. By providing your personal data to us, you understand our business needs to transfer this information to third party IT providers, including our website host and back-up service provider.

This website may include links to third-party websites, plug-ins and applications. Clicking on those links or enabling those connections may allow third parties to collect or share data about you. We do not control these third-party websites and are not responsible for their privacy statements. When you leave our website, we encourage you to read the privacy notice of every website you visit.

Storage and protection

We will only retain personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting or reporting requirements.

We hold personal data in electronic databases, such as our customer relationship management system. The servers we use for our Services are located in London, UK. Whenever we transfer your personal data out of the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • We will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission.
  • Where we use certain service providers we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe.
  • Where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield, which requires them to provide similar protection to personal data shared between Europe and the US.

We take all reasonable steps to keep any personal data we hold secure and have adopted technical and organisational measures to prevent personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. We use two-factor authentication to increase the security of Client accounts. Data is replicated continuously, with multiple copies stored between security centres to ensure immediate failover. Data in transfer is fully encrypted using the most secure cryptographic technologies available. This means that when you access your data via the internet, the server will negotiate a secure link with the end user via a process called SSL. This is the same technology used for online banking and credit card transactions and is known to be the most secure system available.

We restrict access to personal data to our employees, contractors and agents who require that information in order to operate and develop our application and services. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.

Your rights

Under certain circumstances, you have rights under data protection law, in relation to your personal data, including to: request access, correction, erasure, restriction of processing and data portability.

If you wish to exercise any of these rights, please contact us, using the contact details below.

Changes to this policy

We may review and amend this Policy from time to time. We will post updated versions of the Policy on our website.

Questions or complaints

If you have any questions about this Policy or the way that we handle your personal data, please let us know. We have appointed a data privacy manager, who is responsible for this Policy.