How Medocta collects, processes, stores, and protects your personal and health information in compliance with UK GDPR and healthcare regulations.
Governed by UK data protection law and GDPR regulations
All data encrypted in transit and at rest with industry-standard protocols
Compliant with NHS Data Security and Protection Toolkit
Full rights to access, correct, delete, and port your data
Medocta is committed to protecting your privacy and ensuring the security of your personal and health data. This Data Privacy Notice explains how we collect, use, store, and protect your information when you use our healthcare marketplace platform, including our weight management, dietitian, and care coordination services. We process your data in accordance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and applicable NHS information governance standards.
This Data Privacy Notice is governed by English law. We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations (PECR) to ensure your personal data is handled lawfully, fairly, and transparently.
Where our services are provided through or funded by the National Health Service (NHS), we also comply with the NHS Data Security and Protection Toolkit, the Caldicott Principles, and the Common Law Duty of Confidentiality.
Medocta acts as the Data Controller for personal data processed through our platform unless otherwise stated. Where we process data on behalf of healthcare organisations or NHS bodies, we may act as a Data Processor under a Data Processing Agreement.
Medocta is registered with the Information Commissioner's Office (ICO) under registration reference C1898621.
We may collect and process the following categories of personal data depending on the services you use:
We use your personal data for the following purposes:
We may share your personal data with the following parties only where there is a lawful basis and legitimate need to do so:
Important: We will never sell your personal data to third parties. We will never share your health data for marketing purposes. All third-party processors are contractually bound to process your data only on our instructions and in compliance with UK GDPR.
Your personal data is stored on secure servers hosted within the United Kingdom and the European Economic Area (EEA). We use industry-leading cloud infrastructure providers that maintain ISO 27001 certification and comply with NHS information governance requirements.
Where it is necessary to transfer data outside the UK/EEA (for example, to provide technical support), we ensure that appropriate safeguards are in place, including:
All data is encrypted in transit using TLS 1.2+ and encrypted at rest using AES-256 encryption. Database backups are also encrypted and stored in geographically separate UK/EEA data centres for disaster recovery.
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. Specific retention periods include:
| Data Type | Retention Period | Basis |
|---|---|---|
| Clinical/health records | 8 years after last treatment | NHS Records Management Code of Practice |
| Account information | Duration of account + 2 years | Legitimate interest |
| Payment and billing records | 7 years | HMRC tax obligations |
| Communication records | 3 years after last interaction | Legitimate interest / complaint resolution |
| Technical/cookie data | 13 months maximum | PECR / consent |
| Safeguarding records | 25 years or indefinitely | NHS safeguarding retention guidance |
When retention periods expire, data is securely deleted or anonymised so that it can no longer be linked to you.
Where you are referred to Medocta through the NHS or use NHS-funded services, we may use your NHS number to identify you accurately and coordinate your care. The NHS number is a unique 10-digit identifier used across the health and social care system in England.
We may access the Personal Demographic Service (PDS) — a national electronic database maintained by NHS England — to verify and update your demographic details (such as name, address, date of birth, and GP registration) to ensure accuracy in your care records.
You have the right to opt out of your data being shared for purposes beyond your direct care through the NHS National Data Opt-Out programme. You can register your opt-out preference at nhs.uk/your-nhs-data-matters or by contacting our Data Protection Officer.
Where clinically appropriate and with proper authorisation, Medocta clinicians may use GP Connect — a secure NHS service — to access relevant information from your GP medical record. This may include your medications, allergies, and medical conditions to ensure safe and informed care.
GP Connect access is strictly limited to authorised healthcare professionals providing your direct care. Access is logged, audited, and compliant with NHS information governance requirements. It is only used when necessary for the safe delivery of your treatment.
If you do not wish your GP record to be accessed via GP Connect, please inform your clinician or contact our Data Protection Officer.
We process your personal data under one or more of the following legal bases as set out in UK GDPR:
Where you have given clear, informed consent for us to process your data for specific purposes, such as marketing communications, optional research, or sharing data with third parties beyond your direct care.
Processing necessary to deliver the services you have signed up for, including account management, appointment scheduling, and subscription billing.
For platform security, fraud prevention, service improvement, and analytics — where our interests do not override your rights and freedoms.
Where we are required by law to process your data, such as tax reporting, safeguarding duties, or responding to court orders.
In rare circumstances where processing is necessary to protect your life or the life of another person, such as a medical emergency.
For the processing of special category health data, where necessary for the provision of health treatment by or under the responsibility of a registered health professional.
We take the security of your personal data seriously and implement appropriate technical and organisational measures to protect against unauthorised access, alteration, disclosure, or destruction.
Under UK GDPR, you have the following rights in relation to your personal data. You can exercise any of these rights by contacting our Data Protection Officer.
You have the right to request a copy of the personal data we hold about you (Subject Access Request). We will respond within one calendar month.
You have the right to request correction of any inaccurate or incomplete personal data we hold about you.
You may request deletion of your personal data where there is no compelling reason for continued processing. Note: clinical records may need to be retained for legal or safety reasons.
You can request that we limit the processing of your data in certain circumstances, such as while a complaint or accuracy dispute is being resolved.
You have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to have it transferred to another controller.
You can object to processing based on legitimate interest or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
You have the right not to be subject to decisions based solely on automated processing that produce legal or significant effects. We do not currently use automated decision-making for clinical purposes.
If you are unhappy with how we handle your data, you have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.
How to exercise your rights: Submit a request to our Data Protection Officer by email at privacy@medocta.com or by post to the address below. We may ask you to verify your identity before processing your request. We aim to respond to all requests within one calendar month.
We may update this Data Privacy Notice from time to time to reflect changes in our practices, legal requirements, or service offerings. Where changes are significant, we will notify you via email or through a prominent notice on our platform. We encourage you to review this notice periodically.
The "Last Updated" date at the top of this page indicates when this notice was last revised.
You have the right to lodge a complaint with the UK's data protection authority:
