1. About this policy
This is the umbrella privacy policy for the MedPal group. It explains how we collect, use and share personal data when you use our wellness/app services and when you use our clinic/pharmacy services.
Some services, especially regulated clinic/pharmacy services, may have a service-specific privacy notice. If there is a difference, the service-specific notice applies for that service.
2. Key definitions
- Personal data: information that identifies you, directly or indirectly.
- Special category data: extra-sensitive data such as health information.
- Controller: the organisation that decides how and why personal data is used.
- Processor: an organisation that processes personal data on a controller’s instructions, for example an IT supplier.
- Overseas access / international transfer: personal data is accessed from, or transferred to, a country outside the UK.
3. Who we are (Data Controllers)
Which MedPal company is the controller depends on the service you are using:
Wellness / App services
Controller: MedPal AI plc
Company number: 13578804
Registered office: Hill Dickinson LLP, 8th Floor The Broadgate Tower, 20 Primrose Street, London, United Kingdom, EC2A 2EW
Clinic / Pharmacy services (regulated care)
Controller: MedPal Limited
Company number: 16679407
Registered office: Hill Dickinson LLP, 7th Floor, The Broadgate Tower, 20 Primrose Street, London, United Kingdom, EC2A 2EW
Some MedPal group companies provide platform services to other group companies. Where one group company processes personal data on behalf of another, for example platform hosting or technical support, this is governed by a written data processing agreement.
In limited circumstances, MedPal AI plc and MedPal Limited may act as joint controllers for a specific activity. Where this applies, we will explain it and provide the essence of the arrangement.
How to contact us
Data Protection Officer (DPO): [email protected]
Wellness/app support: [email protected]
Clinic support: [email protected]
If you contact us by post, use the registered office address for the relevant controller above.
4. What personal data we collect
The data we collect depends on the service you use and the choices you make, for example which integrations you enable. We aim to collect only what we need for the purposes described in this policy.
4.1 Wellness / App data (examples)
- Identity and contact details, such as name, email address and phone number
- Account and profile data, such as preferences and settings
- Device and usage data, such as device identifiers, app activity, crash logs and security logs
- Wellness metrics you choose to provide or connect, for example activity, sleep, heart rate/HRV, respiratory rate and derived indicators
- Messages you send us, including support requests and feedback
4.2 Clinic / Pharmacy data (examples)
- Identity and contact details
- Appointment and communications data
- Clinical information you provide, such as symptoms, history and questionnaires
- Consultation notes and clinical decisions
- Prescriptions and medication records where applicable
- Safeguarding notes where necessary for safety
5. How we use your data and our lawful bases
UK GDPR requires us to have a lawful basis for processing personal data. Where we process health data, we also need an additional condition under Article 9 UK GDPR.
We do not rely on blanket consent as the legal basis for core clinic care delivery. We use consent only where it is appropriate for optional processing, for example optional integrations or optional product research where offered.
5.1 Wellness / App: Provide your account, core app features and customer support
Article 6 basis: Contract (Art 6(1)(b))
Article 9 condition, if applicable: Explicit consent (Art 9(2)(a)) where you connect or provide health data
You can withdraw optional permissions or consents in-app, for example by disconnecting an integration.
5.2 Wellness / App: App security, fraud prevention and service reliability
Article 6 basis: Legitimate interests (Art 6(1)(f))
We use logs and monitoring to protect users and our services.
5.3 Wellness / App: Optional analytics and product improvement (where enabled)
Article 6 basis: Legitimate interests (Art 6(1)(f)) and/or Consent (Art 6(1)(a)) depending on the feature and settings
Article 9 condition, if applicable: Explicit consent (Art 9(2)(a)) where health data is included
We aim to use aggregated or de-identified data where feasible.
5.4 Clinic / Pharmacy: Provide clinical consultations, prescribing and care delivery
Article 6 basis: Contract (Art 6(1)(b)) and/or Legal obligation (Art 6(1)(c))
Article 9 condition: Health or social care (Art 9(2)(h))
Care delivery requires accurate clinical records and appropriate professional safeguards.
5.5 Clinic / Pharmacy: Clinical safety, quality assurance and incident management
Article 6 basis: Legal obligation (Art 6(1)(c)) and/or Legitimate interests (Art 6(1)(f))
Article 9 condition, if applicable: Health or social care (Art 9(2)(h)) and/or Substantial public interest where applicable
We share only what is necessary to keep services safe and compliant.
5.6 All services: Handle complaints, legal claims and regulatory requests
Article 6 basis: Legal obligation (Art 6(1)(c)) and/or Legitimate interests (Art 6(1)(f))
Article 9 condition, if applicable: Health or social care (Art 9(2)(h)) where health data is involved
We keep appropriate records for accountability.
If you choose to share selected wellness metrics with your clinician to support your care, we will explain what is shared and you can control this through the relevant feature. This is optional.
6. Sharing your data
We may share personal data with:
- Other MedPal group companies where needed to provide services safely and lawfully, for example account administration, platform operations and clinical safety workflows
- Clinicians, pharmacies and healthcare partners involved in providing your care for clinic/pharmacy services
- Service providers who act on our instructions, for example hosting, software development/support and communications providers, under written contracts
- Professional advisers, such as legal advisers, auditors and insurers, and regulators where required
- Law enforcement where we are legally required or permitted to do so
We do not sell your personal data.
When MedPal AI plc and MedPal Limited share data with each other as separate controllers, we do so under an internal data sharing arrangement and share only the minimum necessary for the stated purpose.
7. Our suppliers, contracts and controls
Where we use suppliers to process personal data on our instructions, we require contractual and operational safeguards. These typically include:
- A written data processing agreement (DPA) covering confidentiality, security, breach notification and assistance with rights requests
- Controls on sub-processors, including no new sub-processors without our authorisation and updated documentation
- Access controls, including named accounts, least privilege and multi-factor authentication for privileged access
- Logging, monitoring and controlled emergency "break-glass" access procedures
- Risk assessments where appropriate, including transfer risk assessments where overseas access applies
A list of key suppliers and sub-processors can be provided on request.
8. International transfers and overseas access
We primarily host and operate our core systems in the UK.
However, some approved service providers and support personnel may access personal data from outside the UK, for example for software development or technical support, including from Ukraine.
Where personal data is accessed or transferred outside the UK and UK adequacy regulations do not apply, we use appropriate safeguards such as:
- the UK International Data Transfer Agreement (IDTA); or
- the UK Addendum to the EU Standard Contractual Clauses (EU SCCs).
We also apply technical and organisational measures, for example access controls, multi-factor authentication, logging and restrictions on exporting data.
9. AI and automated processing
We may use automated processing and AI to generate wellness insights and recommendations.
Where AI-assisted features are used in clinic journeys, for example navigation or drafting support, clinical decisions are made with appropriate human involvement.
We do not use solely automated decision-making that produces legal or similarly significant effects without appropriate safeguards and the ability to obtain human review.
10. Security
We use technical and organisational measures designed to protect personal data, including:
- Access controls
- Least-privilege permissions
- Encryption
- Security monitoring
Access to clinical data is restricted to authorised staff and clinicians who need it for their role.
Where feasible, we use separation and internal identifiers (pseudonymisation) to reduce risk.
11. How long we keep your data (retention)
We keep personal data only as long as necessary for the purposes described in this policy, including meeting legal, regulatory and clinical record-keeping requirements.
11.1 Wellness / App data
Generally kept while your account is active and for limited periods afterwards for security, dispute resolution and compliance.
11.2 Clinic / Pharmacy records
Retained in line with healthcare record-keeping expectations and regulatory requirements.
If you request account deletion, we remove personal data from active systems without undue delay, subject to lawful retention requirements, for example clinical record retention.
We maintain encrypted backups for continuity and security. Deleted data may remain in backups until those backups rotate and are overwritten. Backups are protected and are not used for routine access.
12. Your rights
You have rights under UK data protection law, including the right to:
- Request access to your personal data
- Correct inaccurate data
- Request deletion where applicable
- Restrict or object to certain processing
- Data portability in some cases
To exercise your rights, contact the DPO at [email protected]. We may need to verify your identity before responding.
We aim to respond within one month. If a request is complex, we may extend the response period as permitted by law and we will explain why.
Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect processing that has already taken place.
13. Cookies and similar technologies
Our websites may use cookies and similar technologies.
Where required, we provide choices through cookie banners or settings. App settings may also allow you to control certain analytics preferences.
14. Children
MedPal services are intended for adults unless we state otherwise for a specific service.
If we become aware we have collected personal data from a child without appropriate authority, we will take steps to delete it or otherwise comply with the law.
15. Complaints
If you have concerns, please contact us at [email protected] so we can try to resolve them.
You also have the right to complain to the Information Commissioner's Office (ICO).
ICO postal address:
Information Commissioner’s Office
Wycliffe House, Water Lane
Wilmslow, Cheshire
SK9 5AF
ICO helpline: 0303 123 1113
16. Changes to this policy
We may update this policy from time to time.
We will show the latest revision date at the top. Where changes are material, we will take appropriate steps to notify you.