Privacy Notice - Updoc

Privacy Notice

1. Overview

Updoc is committed to protecting your personal data. This Privacy Notice (Privacy Notice) explains how Venture Startups Limited (Updoc, we, us, or our) processes, holds, uses, manages and secures personal data that we collect about you, and the rights and choices that you have regarding your personal data under the Data Protection Act 2018 and the UK General Data Protection Regulation (Data Protection Laws).

This Privacy Notice, together with the Terms & Conditions, cover your use of the Updoc Platform and forms a contract between you and Updoc. It is important that you take time to read each document.

Capitalised terms that are not defined in this Privacy Notice have the same meaning given to them in the Terms & Conditions.

2. How do we collect your personal data?

Updoc manages your personal data as a controller. Importantly, Partner Practitioners manage your personal data as separate and independent controllers in accordance with their own data privacy policies and processes.

The way that we collect personal data from you depends on our relationship with you. From your initial interaction with Updoc, we collect personal data from you (voluntarily or automatically) as well as from third parties such as your Partner Practitioners and through direct mailing or online marketing sources.

3. What types of personal data do we collect?

We collect different types of personal data from you depending on our relationship with you, as well as your interactions with us.

If you choose not to provide personal data to us, or do not provide us with accurate personal data, you may not be able to receive the Services, experience certain features of the Updoc Platform or we may not be able to undertake certain activities for you.

Here are some examples of the types of personal data that we collect:

Patient of Partner Practitioner

Category	Examples
Identity	Your full name, date of birth, gender and NHS number.
Contact details	Your residential address, email address and telephone number.
Health data*	Your symptoms, desired outcome, medical history (including, allergies, hereditary issues, pre-existing health conditions and prescription medications), name and contact details of your regular general practitioner (GP) (if applicable) and any other information you provide to us through the health questionnaire provided to you through the Updoc Platform. Any information that you provide to a Partner Practitioner through the Updoc Platform, or that we, or they, may record (including photos and documents that you upload for their review, questions that you ask them, their responses and any of their notes that they write or that are transcribed). Details of any services and products that you engage with and purchase (including details of any medications that have been prescribed by the Partner Practitioners (as applicable)). Any other health-related information that you choose to provide us. *Health data constitutes ‘special category data’, meaning that these data are considered sensitive.
Financial data	Your billing details, including credit/debit card details/direct debit details and your billing address.
Marketing & feedback data	Your marketing preferences Feedback you provide in surveys Testimonials (with your permission)
Other data	Any other information that you choose to provide us.

User of the Updoc Website and Platform

Category	Examples
Device & web data	Your device ID, IP address, statistics on page views, traffic, standard web log-in information, interactions with the Updoc Platform, and any other website event-based data to help us understand how you are using the website.
Mobile activity data	Updoc Platform activity, crash logs, diagnostics, approximate location and any other app and device-based data to help us understand how you are using the application version of the Updoc Platform.
Other data	Any information that you provide us when you contact us through the Updoc Platform, which can include details about your identity, queries and, where you choose to provide it, your health data.

4. How do we use your personal data?

Data Protection Laws require that we only use your personal data for purposes that we tell you about and with an appropriate legal basis. Here are the purposes that we process your personal data, along with the legal basis that we rely on for such processing:

Purpose	Legal Basis
Provision of Services – to offer, and facilitate the provision of the Services, including creating your Account, managing your requests, questions/ queries, connecting you with Partner Practitioners, delivering outcomes provided by Partner Practitioners, billing and collection activities, delivering products to you and providing you with content. We use internal tools and third-party software that utilise artificial intelligence and large language models (collectively, the Software) to generate and summarise content for you and your Partner Practitioners.	Perform our contract with you Your consent
Communication – to interact with, and inform you about, the Services. For example, keeping you informed when Partner Practitioners send you notifications, responding to your questions/ queries and otherwise facilitating Services provided by Partner Practitioners. When a call is included as a part of the Services, we may record the conversation with your Partner Practitioner to create a written record of the consultation – this is similar to the notes your GP takes when you consult with them. We promptly delete the recording after the transcription is developed, which is used for quality and assurance purposes, and to maintain a record of the consultation that we maintain so that your Partner Practitioner can comply with their professional obligations. We use Software to analyse the communication that you send us, including to streamline the customer service that we provide you by retrieving information that we, or our service providers, have about you.	Perform our contract with you Legitimate interest: to perform our contract with you, provide the Services, respond to queries submitted and administer our business
Marketing – to send you marketing or promotional information that you have asked us to provide, or that we think you would like. We may use your health data to send you marketing information that is tailored to you or that we think could be of interest to you, but only where you have provided explicit consent. You can opt out of receiving some or all of the marketing or promotional materials that we send to you by clicking ‘unsubscribe’ in the communication that we have sent you or by contacting our customer support team.	Your consent Your explicit consent where we process your health data to send you marketing or promotional information In each case, with the choice to opt-out at any time
Online advertising – to keep you aware of our Services and to help you find products and services that you may like.	Your consent Your explicit consent where we process your health data for online advertising purposes In each case, with the choice to opt-out at any time
Analytics & service improvement – analyse and improve the Services, Updoc and its products and services of Updoc as well as related bodies corporate of Updoc (each a Group Entity and collectively the Updoc Group), including through research and development, or otherwise managing our business and processes.	Your consent (where required) Legitimate interest: to perform our contract with you or improve our business
Compliance – to comply with applicable Laws (including applicable record-keeping requirements) or to comply with orders made by Regulatory Authorities.	Your consent (where required) Legitimate interest: to comply with our legal or regulatory obligations
Enforcing our rights – to enforce, protect or get advice on our rights or obligations, exercising or defending claims, fraud detection, product misuse, credit checks and regulatory authority checks and requirements.	Legitimate interest: to protect and enforce our legal rights and claims

5. Who do we share your data with?

Where we have appropriate safeguards in place and we consider it necessary for the purposes outlined in this Privacy Notice, we may share your personal data with the third parties set out below:

Partner Practitioners – we provide your personal data to Partner Practitioners so that they can provide the Services to you (i.e. health services), including health data that you have provided.
Your regular GP or healthcare practitioner – we provide your personal data (including your health data) to your regular GP or health practitioner, but only when you have explicitly requested that we do so.
Group companies – we provide your personal data to the Group Entities to support the provision of the Services to you.
Third party service providers – we share your personal data with third parties that we rely on to assist with the provision of the Services to you (for example, cloud service providers, IT infrastructure providers and payment processors) and to assist us with our business (for example, to provide advertising services). We may also share your personal data to help prevent fraud or to protect or enforce our rights, or any one or more Group Entity.
Authorities – where we are required to do so by applicable Laws, we may share your personal data with Authorities at their request or, if legally permitted and where necessary to comply with a legal obligation or for the establishment, exercise or defence of legal claims.
Prospective purchaser – if we sell or transfer any part of our business or assets, we may provide your personal data to a prospective purchaser.

Other than as listed above, we will only disclose your personal data when you direct or give us permission, when we are required by applicable Law, or when we suspect fraudulent or criminal activities.

We do not sell your personal data to third parties for marketing purposes.

6. International transfers

We may transfer your personal data to countries outside of the UK. We may disclose personal data to Group Entities, as well as certain third-party service providers located in Australia, the United States, Europe and the United Kingdom.

Some of these countries may not offer the same level of data protection as the applicable Data Protection Laws and are not recognised by the Information Commission’s Office (ICO) as providing an adequate level of protection. Where this is the case, we enter into appropriate contractual safeguards with providers in such countries to uphold the purpose limitation, access, recourse, enforcement and adequate security of your privacy rights and the integrity of your personal data when we transfer it out of the UK (including, where required, entering into the UK standard contractual clauses).

7. Marketing

Where your consent is required for any direct marketing-related communication, we will only provide you with such information if you have opted in. You may opt out at any time by clicking the unsubscribe or opt-out links in any electronic marketing communication we send to you or by contacting us at to privacy@updoc.uk.

8. How do we store and secure your personal data?

We generally store your personal data in secure cloud systems using Amazon Web Services.

Your personal data is important to us, so we make sure that we take reasonable steps to protect your personal data from misuse, interference and loss, and from unauthorised access, modification, destruction or disclosure in accordance with Data Protection Laws. Some of the security measures we take include, redundancy protection and monitoring, access controls, encryption and security audits and testing. In addition, all our employees are trained in privacy compliance and are required to protect your personal data to comply with this Privacy Notice.

9. How long do we store your personal data?

We retain your personal data for as long as is required for the permitted purposes (outlined above), or for longer if otherwise required by Law.

When determining retention periods, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised disclosure or the use of the personal data, the purposes for which we collect the personal data and any other applicable legal, tax, accounting or other regulatory requirements.

10. Your data protection rights

Under this Privacy Notice and Data Protection Law, you have various rights concerning the personal data that we hold about you.

It is important to note, however, that certain rights may not always be applicable because of legal obligations that we must comply with or certain exemptions that apply. For example, there may be situations where we are required to continue to retain or process your personal data, where disclosure is not required or where particular rights may not apply at all. We will tell you when any of these instances apply.

Here are your rights under this Privacy Notice:

Access - you may request access to the personal data we hold about you. In some instances, reasonable charges may apply for Updoc to provide copies of such data.
Correction - you have the right to request that we correct any personal data that we hold about you which you believe is inaccurate.
Erasure - you have the right to request that we delete your personal data.
Restriction of processing - you have the right to request that Updoc restrict the processing of your personal data.
Object to processing - you have the right to object to the processing of your personal data (for example, you can object to the use of your personal data for direct marketing purposes).
Data portability – you can request that we send the data that we have collected to another organisation, or directly to you, under certain conditions and in a format that can be read by a computer.
Withdrawal of consent - if you have given us your consent for the processing of your personal data you may withdraw your consent at any time with future effect. It is important to note, however, that the withdrawal of your consent does not affect the lawfulness of processing done based on the consent before its withdrawal. If you withdraw your consent, we will promptly delete the relevant data unless there is another legal ground permitting or requiring us to retain and continue processing such data.

If you make any one or more of the requests above, you will be required to verify your identity. Please send a description of your personal data in writing stating your name and your relationship with us to privacy@updoc.uk. We may require proof of identity to verify your request and to protect personal data from unauthorised access. We will carefully consider your request and will deal with your request without undue delay and within the time limits provided under Data Protection Laws, which is generally one calendar month and up to three calendar months from the date we receive your request).

If you feel that we have not complied with this Privacy Notice or with applicable Data Protection Laws, please send your complaint to our Privacy Officer at privacy@updoc.uk. You also have the right to make a complaint to the ICO as directed on their website (www.ico.org.uk).

11. Changes to this Privacy Notice

From time to time, we may make changes to this Privacy Notice, including how we process your personal data – taking into account new laws, regulations and technology. Please visit our website (www.updoc.co.uk) to obtain a copy of the latest version of this Privacy Notice at any time.