Privacy Policy
Effective Date: 17 March 2026
1. Introduction
MyDoctors360 (“we”, “our”, or “us”) operates a healthcare marketplace connecting patients with private medical practitioners. This Privacy Policy explains how we collect, use, store, and protect your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
2. Data Controller
MyDoctors360 is the data controller for personal data processed through our platform. For questions about this policy, contact us at privacy@mydoctors360.com.
3. Data We Collect
3.1 Account Information
Name, email address, phone number, and password (hashed) when you create an account.
3.2 Medical Information
Health conditions, allergies, medications, blood type, and other medical information you voluntarily provide in your medical profile or during consultations. This constitutes “special category data” under UK GDPR.
3.3 Booking & Payment Data
Appointment details, consultation notes, and payment information processed securely via Stripe. We do not store full credit card numbers on our servers.
3.4 Technical Data
IP address, browser type, device information, and usage analytics (subject to your cookie preferences).
4. Legal Basis for Processing
- Contract performance — To provide our booking and marketplace services.
- Explicit consent — For processing medical/health data (Article 9(2)(a) UK GDPR).
- Legitimate interests — For platform security, fraud prevention, and service improvement.
- Legal obligation — To comply with healthcare regulations and tax requirements.
5. How We Use Your Data
- Facilitate appointment bookings between patients and doctors.
- Process payments via Stripe Connect.
- Send appointment reminders and booking confirmations.
- Enable doctors to provide medical care with your health context (with your consent).
- Improve our platform and resolve support queries.
6. Data Sharing
We share your data only with:
- Healthcare providers — Doctors you book with (medical profile shared only with your explicit consent).
- Stripe — Payment processing (PCI DSS compliant).
- Resend — Email delivery service.
- Supabase — Database hosting (EU/UK data centres).
- Sentry — Error monitoring (anonymised data only).
We do not sell your data to third parties.
7. Data Retention
- Account data — Retained while your account is active, deleted on account deletion.
- Booking records — Retained for 8 years (UK medical records retention requirement).
- Medical data — Retained for 8 years from last interaction, or until you request deletion.
- Payment records — Retained for 7 years (tax obligations).
- Pending bookings — Automatically deleted after 15 minutes (patient) or 48 hours (admin-created) if payment is not completed.
8. Your Rights
Under UK GDPR, you have the right to:
- Access your personal data (available via Dashboard > Settings > Export Data).
- Rectification — correct inaccurate data via your profile settings.
- Erasure — delete your account (Dashboard > Settings > Delete Account).
- Restrict processing — contact us to limit how we use your data.
- Data portability — export your data in JSON format.
- Object — to processing based on legitimate interests.
- Withdraw consent — for medical data sharing at any time.
9. Data Subject Access Requests (DSAR)
How to Submit a DSAR
To exercise any of the rights listed above, email us at privacy@mydoctors360.com with the subject line “Data Subject Access Request”.
What to Include
- Your full name.
- The email address associated with your MyDoctors360 account.
- A description of your request (e.g., access, deletion, rectification, data portability).
Identity Verification
To protect your personal data, we may ask you to provide proof of identity before processing your request. This is a security measure and does not affect your rights.
Response Time
We will respond to your verified request within 30 calendar days, as required by UK GDPR Article 12. In complex cases or where we receive a high volume of requests, we may extend this period by a further 60 days. If an extension is necessary, we will inform you within the initial 30-day period and explain the reason for the delay.
Self-Service Options
You can also manage your data directly from your account. Go to Dashboard > Settings > Data & Privacy to export your data or delete your account without submitting a formal request.
Cost
We process DSARs free of charge. We reserve the right to charge a reasonable fee for requests that are manifestly unfounded or excessive, or to refuse to act on such requests, in accordance with UK GDPR Article 12(5).
Complaints
If you are unsatisfied with our response to your DSAR, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
10. Cookies
We use essential cookies for authentication and optional analytics cookies (subject to your consent). See our cookie consent banner for granular control.
11. Security
We protect your data with HTTPS/TLS encryption in transit, row-level security policies in our database, multi-factor authentication options, and regular security audits.
12. International Transfers
Your data is primarily stored in the EU/UK. Where transfers outside the UK are necessary (e.g., for email delivery), we ensure adequate safeguards are in place under UK GDPR.
13. Children
Our services are not directed to individuals under 16. We do not knowingly collect data from children.
14. Changes to This Policy
We may update this policy periodically. Significant changes will be notified via email or in-app notification. Continued use after changes constitutes acceptance.
15. Contact & Complaints
For privacy queries: privacy@mydoctors360.com
You have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.