Privacy Policy
Last updated: 05 Jan 2026
1. Who we are
This Privacy Policy explains how we, MedPal AI plc, trading as Medpal Clinic (“we”, “us”, “our”), collect, use and protect your personal information when you use our online clinic services via medpal.clinic.
Medpal Clinic provides online clinical consultations and prescribing services. Where medicines are dispensed following a Medpal Clinic consultation, this is usually done by Universal Pharmacy Ltd, trading as Medpal Universal Pharmacy (“Universal Pharmacy”).
- MedPal AI plc is responsible for operating the Medpal Clinic online platform and clinical service.
- Universal Pharmacy Ltd is responsible for the pharmacy and dispensing services it provides.
We are committed to protecting your privacy and using your information in accordance with UK data protection law, including the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Purpose of this Privacy Policy
This Privacy Policy applies to:
- Your use of the medpal.clinic website and online consultation service;
- Our provision of remote clinical consultations and prescribing through Medpal Clinic; and
- Any communications you have with us in relation to Medpal Clinic (for example by email or via the platform).
It explains:
- What personal data we collect;
- How and why we use it;
- Who we share it with; and
- Your rights in relation to your personal data.
3. Data controllers
For most activities described in this Privacy Policy:
- MedPal AI plc is the data controller for the Medpal Clinic online consultation and clinical service; and
- Universal Pharmacy Ltd is the data controller for the pharmacy dispensing and delivery services it provides when fulfilling prescriptions issued via Medpal Clinic.
In some situations (for example, where we provide NHS-funded services or work with other providers), we may act jointly with, or as a processor for, other data controllers such as NHS England, an Integrated Care Board (ICB) or your GP practice. We can provide more information on request.
If you have any questions about this Privacy Policy or how we use your data, you can contact us:
- Email: [email protected]
- Post: Data Protection Officer, Medpal Universal Pharmacy, 25 Turbine Way, Ecotech Business Park, Swaffham, PE37 7XD
4. What information we collect
The information we collect depends on how you use Medpal Clinic, but may include:
4.1 Identity and contact details
- Name, date of birth, sex/gender
- Address and delivery details
- Email address and telephone number
- NHS number (where relevant)
- Contact details for your GP or other prescribers
4.2 Health and clinical information
Because we provide healthcare services, we will process special category data about your health, such as:
- Information about your symptoms and current health concerns
- Relevant medical history, existing conditions and risk factors
- Answers you provide in clinical questionnaires or forms (for example, weight management or erectile dysfunction pathways)
- Medicines you are taking or have taken, including doses and duration
- Allergies, intolerances and pregnancy/breastfeeding status (where relevant)
- Clinical notes and consultation records created by our clinicians
- Test results or reports you or other healthcare professionals share with us
- Safeguarding information where applicable
4.3 Service, order and payment information
- Details of consultations and services you receive via Medpal Clinic
- Information about prescriptions issued and medicines supplied
- Payment transaction information for private services (we do not usually store full card details; payments are processed by our payment providers)
- Information related to delivery of medicines by a dispensing pharmacy (for example, delivery address and status)
4.4 Website and technical information
When you use medpal.clinic, we may collect:
- IP address and approximate location
- Device type, operating system and browser type
- Pages visited, actions taken on the site and timestamps
- Cookie and tracking information (for example, for essential site functionality and, where permitted, analytics)
More detail may be provided in a separate cookies notice.
4.5 Communications
- Records of emails, messages, web forms and other communications
- Feedback, survey responses and complaints, including outcomes and follow-up actions
We only collect the information that is relevant and necessary for the purposes described in this policy.
5. How we collect your information
We may collect your personal data:
- Directly from you – when you register for Medpal Clinic, complete questionnaires, book consultations, communicate with us or provide information during a consultation;
- From other healthcare professionals and organisations – such as your GP, prescribers, pharmacies, NHS bodies or hospitals, where this is necessary for your care or to meet legal obligations;
- From our website and systems – via cookies and similar technologies; and
- From service providers – for example, payment providers or identity verification services, where needed to deliver our services and meet legal requirements.
6. Legal bases for processing your data
We will only use your personal data when we have a lawful basis under UK GDPR. Depending on the context, this may include:
6.1 Performance of a contract
To provide you with the services you request, including:
- Online clinical assessments and consultations;
- Prescribing and clinical decision-making;
- Arranging for prescriptions to be dispensed and medicines delivered.
6.2 Legal obligations
To comply with legal and regulatory obligations that apply to healthcare providers and pharmacies, such as:
- Medicines and healthcare legislation and guidance;
- Record keeping and audit requirements;
- Responding to lawful requests from regulators or law enforcement.
6.3 Vital interests
To protect you or another person where there is a serious or imminent risk to life or health (for example, in a medical emergency or serious safeguarding concern).
6.4 Public task / provision of healthcare
For the performance of tasks carried out in the public interest or in the exercise of official authority, particularly where services are NHS-funded or part of the healthcare system.
6.5 Legitimate interests
Where we have a legitimate interest in using your data and this is not overridden by your rights and interests, for example:
- Managing and improving Medpal Clinic;
- Handling queries and complaints;
- Monitoring and improving the safety and quality of our services;
- Preventing misuse or abuse of our platform;
- Producing anonymised or aggregated statistics.
6.6 Consent
We may rely on your consent:
- For certain optional communications (for example, some forms of marketing or service updates); or
- Where we ask your explicit permission to use your information in ways not covered above.
You can withdraw your consent at any time, although this will not affect the lawfulness of any processing carried out before consent was withdrawn.
7. Special category data (health information)
Because we provide healthcare services, we regularly process special category data about your health. In addition to a lawful basis under Article 6 UK GDPR, we rely on one or more of the following conditions under Article 9 UK GDPR:
- Provision of health or social care or treatment;
- Management of health or social care systems and services;
- Public interest in the area of public health;
- Establishment, exercise or defence of legal claims;
- Your explicit consent (for example, for certain optional services).
8. How we use your information
We may use your information to:
- Assess your symptoms and health needs and provide clinical advice;
- Make prescribing decisions, issue prescriptions or recommend other services;
- Communicate with you about your consultations, prescriptions and follow-up;
- Arrange for prescriptions to be dispensed and medicines delivered;
- Verify your identity and eligibility for services;
- Handle queries, feedback and complaints;
- Record and manage incidents, near misses, safeguarding concerns and quality assurance activities;
- Meet legal, regulatory and professional requirements;
- Monitor, maintain and improve Medpal Clinic, including through anonymised or aggregated analysis;
- Protect our organisation against fraud, misuse and security risks.
We do not use your health information for automated decision-making that produces legal or similarly significant effects without appropriate human involvement.
9. Who we share your information with
We will only share your information when necessary and lawful. Depending on the services you use, we may share data with:
- Your GP, prescribers and other healthcare professionals involved in your care;
- Dispensing pharmacies (such as Universal Pharmacy Ltd and, where relevant, other partner pharmacies) that need information to safely dispense and supply medicines;
- NHS organisations, such as NHS England, ICBs and NHS Business Services Authority, where required for commissioning, funding, audit or assurance;
- IT and system providers who support Medpal Clinic, our clinical systems and communications;
- Payment service providers, to process payments for private services;
- Regulators and professional bodies (for example, GPhC, MHRA, ICO) where required;
- Organisations that support us with incident management, complaints handling or dispute resolution;
- Law enforcement agencies, courts or other authorities where we are legally required to do so, or where it is necessary to protect individuals from serious harm.
Where we share information with third parties who process data on our behalf, we require them to:
- Keep it secure; and
- Use it only in accordance with our instructions and the law.
We do not sell your personal data.
10. International transfers
Medpal Clinic data is currently hosted on servers located in the UK.
We do not currently transfer Medpal Clinic data outside the UK.
If this changes in future (for example, if we use carefully selected technical providers who access personal data from outside the UK), we will:
- Update this Privacy Policy; and
- Ensure that any international transfers are subject to appropriate safeguards, such as the UK International Data Transfer Agreement (IDTA), standard contractual clauses, or other protections required by data protection law.
You can contact us for more information about any international transfers affecting your data.
11. How long we keep your information
We keep your personal data only for as long as necessary for the purposes described in this Privacy Policy and to meet legal, clinical and regulatory requirements.
This means different categories of records may be kept for different periods. For example:
- Clinical consultation records and prescribing information are usually kept for at least 10 years from the date of last contact, or longer where required by healthcare guidance;
- Records of complaints, incidents and safeguarding concerns are kept for an appropriate period (typically between 6 and 10 years, depending on the case);
- Financial and transaction records may be retained for at least 6 years for tax and accounting purposes.
When information is no longer needed, we will securely delete or anonymise it. Anonymised information that no longer identifies you may be retained for longer for audit, research or service improvement.
12. How we protect your information
We take appropriate technical and organisational measures to protect your personal data against loss, unauthorised access or misuse. These include:
- Access controls, so only authorised staff can see relevant information;
- Staff training and confidentiality obligations;
- Secure systems and encryption for storing and transmitting data;
- Procedures for responding to data protection incidents.
No system can be guaranteed to be completely secure. We encourage you to keep your login details safe and to contact us if you suspect any misuse of your account.
13. Your rights
Under data protection law, you have a number of rights in relation to your personal data. These may include the right to:
- Access a copy of your personal data and obtain information about how it is used;
- Rectify inaccurate or incomplete information;
- Erase your information in certain circumstances;
- Restrict the way we use your data in some circumstances;
- Object to certain types of processing, including processing based on our legitimate interests;
- Data portability – ask for your data to be provided in a structured, commonly used and machine-readable format, and to have that data transmitted to another controller where technically feasible;
- Withdraw consent where we rely on your consent to process your data.
These rights are not absolute and may be subject to conditions and legal exemptions. If we cannot fully comply with your request, we will explain why.
To exercise your rights, please contact us using the details in section 3. We may need to confirm your identity before we act on your request.
If you are unhappy with how we handle your personal data, you also have the right to complain to the UK regulator, the Information Commissioner’s Office (ICO):
- Website: www.ico.org.uk
- Telephone: 0303 123 1113
14. Changes to this Privacy Policy
We may update this Privacy Policy from time to time, for example to reflect changes in law, guidance or our services. Any changes will be posted on medpal.clinic with an updated “Last updated” date.
We encourage you to review this policy periodically to stay informed about how we use your data.