Privacy Policy
Template – customize the bracketed fields to your practice. This is informational and not legal advice. Please have a qualified lawyer review before publishing.
Last updated: [DD Month YYYY]
1) Who we are (Data Controller)
- Provider/Practice Name: [Practice/Doctor Name]
- Legal Entity: [Entity Name, Company No.]
- Registered Address: [Address]
- Contact: [Email] • [Phone]
- Data Protection Officer / Contact for privacy matters: [Name/Role, Email]
- Supervisory Authority: If you are in the UK, the Information Commissioner’s Office (ICO). If you are in the EEA, your local authority.
This Privacy Policy explains how we collect, use, share, and protect your personal information when you use our website, patient portal, messaging tools, and video consultations (together, the Services).
2) Scope
This policy applies to patients, prospective patients, website visitors, and others who interact with us. It covers data processed via our website, telemedicine platform(s), payment processor(s), and clinical systems.
3) The information we collect
We collect and process the following categories of personal data:
- Identity & contact data: name, date of birth, address, email, phone, ID documents where required for verification.
- Clinical & health data (special category data): medical history, medications, allergies, test results, images/photos (e.g., dermatology), consultation notes, vital signs, device data you share (e.g., BP, glucose), pregnancy status where relevant.
- Appointment & admin data: bookings, cancellations, referrals, letters, certificates, sick notes/fit notes.
- Payment & billing data: transaction amount, method, last 4 digits of card (from our payment processor). We do not store full card details.
- Technical/usage data: IP address, device/browser information, access times, cookies and similar technologies, log data, crash reports.
- Communications: messages sent via our portal/email/SMS and call/video recordings [if applicable; otherwise state that you do not record].
4) How we obtain your data
- Information you provide directly (forms, consultations, messages).
- Information from third parties with your consent or for care: your GP/previous clinicians, laboratories, imaging centres, pharmacies, insurers, or carers/guardians.
- Automatically via cookies and similar technologies when you use our website.
5) Why we use your data (purposes)
We process your data to:
- Provide medical care: assess, diagnose, treat, prescribe, refer, and manage your care.
- Coordinate care with other providers and services (with your consent or as permitted by law).
- Administer the Services: create accounts, schedule appointments, communicate with you, handle payments, manage your records.
- Quality, safety, and training: clinical audit, incident management, safeguarding, and service improvement [and call/consult recording if you use it].
- Legal and regulatory compliance: record-keeping, responding to requests from regulators, reporting notifiable diseases, fraud prevention.
- Security and troubleshooting: protecting systems and data, detecting misuse.
- Marketing/communications: sending service updates and, with your consent where required, optional newsletters or promotions. You may opt out any time.
6) Lawful bases for processing (UK/EU GDPR)
Depending on the context, we rely on:
- Article 6(1)(b) Contract – to provide the Services you request.
- Article 6(1)(c) Legal obligation – to meet healthcare record-keeping and regulatory duties.
- Article 6(1)(d) Vital interests – to protect life in emergencies.
- Article 6(1)(f) Legitimate interests – to secure our systems, prevent fraud, improve services (balanced against your rights).
- Article 6(1)(a) Consent – for specific activities (e.g., marketing emails, recording consultations, sharing summaries with your GP where required).
For special category data (health data), we rely on Article 9(2)(h) (provision of health care or treatment and management of health systems), together with the requirement that the data is handled by, or under the responsibility of, a professional subject to a duty of confidentiality. Where applicable we also rely on Article 9(2)(c) (vital interests, where you are physically or legally incapable of giving consent) or Article 9(2)(a) (explicit consent) for activities such as marketing or recording consultations.
[If you operate in the U.S.: HIPAA Notice] If you are a U.S. patient, your health information may also be protected by HIPAA. See our Notice of Privacy Practices for HIPAA-specific rights and uses.
7) Sharing your data
We share data only as needed and with appropriate safeguards:
- Healthcare providers: your GP/primary care, specialists, allied health professionals, hospitals (with your consent or as permitted by law).
- Service providers (processors): hosting, EHR/EMR, video platform, secure messaging, payments, analytics, labs, imaging, pharmacies, identity verification, and IT support.
- Regulators and authorities: where legally required (e.g., reportable conditions, safeguarding, court orders).
- Insurers or employers: only with your consent or as required to provide requested services.
- Business transfers: in case of a merger/reorganisation, subject to confidentiality safeguards.
We do not sell your personal data.
8) International data transfers
Some processors may be located outside the UK/EEA. Where we transfer data internationally, we use lawful transfer mechanisms such as adequacy decisions, the EU Standard Contractual Clauses, the UK International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses, or other appropriate safeguards, and we carry out a transfer risk assessment where required.
9) Data retention
We retain clinical records for at least [X years – e.g., in the UK, adult records are commonly retained for 8 years after the conclusion of treatment, and children’s records until the patient’s 25th birthday (26th if they were 17 at the conclusion of treatment)] or as otherwise required by law and clinical guidance. Non-clinical data (account, billing, communications) is retained for [Y years] or as needed to meet legal/accounting obligations. We securely delete or anonymise data when it is no longer necessary.
10) Your rights (UK/EU)
Subject to conditions and exemptions, you have the right to:
- Access your data and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase (“right to be forgotten”) where processing is no longer necessary or consent is withdrawn, subject to medical/legal retention requirements.
- Restrict processing in certain circumstances.
- Data portability for data you provided, processed by automated means based on consent or contract.
- Object to processing based on legitimate interests or to direct marketing.
- Withdraw consent at any time where processing relies on consent.
To exercise your rights, contact [privacy contact]. We will respond within one month (extendable by two months for complex requests). You also have the right to lodge a complaint with the ICO (www.ico.org.uk) or your local supervisory authority.
11) Children’s data
We provide services to minors [age range] with appropriate consent from a parent/guardian or as permitted by law. We take extra care when processing children’s information.
12) Cookies & similar technologies
We use cookies and similar technologies for website functionality, security, performance, and (with consent) analytics/marketing.
- Essential cookies: required for the site to function and to keep you signed in.
- Analytics cookies: help us understand site usage [list provider, e.g., Google Analytics].
- Marketing cookies: only with your consent.
You can manage cookie preferences in our Cookie Banner or browser settings. For details, see our Cookie Policy.
13) Security measures
We implement technical and organisational measures appropriate to the risk, such as encryption of data in transit [and at rest], role-based access controls, multi-factor authentication for staff, audit logging of access to records, regular security testing, staff confidentiality obligations and training, and data minimisation. No method of transmission or storage is 100% secure; if we become aware of a personal data breach that is likely to result in a high risk to you, we will notify you and the relevant supervisory authority as required by law.
14) Automated decision-making & profiling
We do not make decisions based solely on automated processing that produce legal or similarly significant effects. [If you use risk algorithms/symptom checkers that profile, describe and explain human oversight and impact.]
15) Communications preferences
We may send you service messages (appointment reminders, test results notifications). For marketing communications, we will obtain your consent where required; you can opt out at any time via the message footer or by contacting us.
16) Third‑party links
Our website may contain links to third-party sites. We are not responsible for their privacy practices. Review their policies before providing personal data.
17) Changes to this policy
We may update this policy from time to time. Material changes will be notified on our website and/or by email. The “Last updated” date indicates the latest revision. Continued use of the Services after updates constitutes acceptance of the revised policy.
18) How to contact us
If you have questions, concerns, or requests about your data or this policy, contact:
[Practice/Doctor Name]
Email: [privacy@domain]
Phone: [+XX XXXX XXX XXX]
Address: [Address]
