Privacy Policy
Last updated: April 2026
MedX ("we", "us", "our") is committed to protecting your personal data. This policy explains how we collect, use, and safeguard your information.
1. Data Controller
MedX is the data controller. Contact: [email protected]
2. Data We Collect
- Account data: Name, email, phone (at registration)
- Booking data: Name, email, phone, preferred dates, patient notes (at booking)
- Reviews: Name, rating, text (at submission)
- Usage data: Device info, IP address (automatically)
3. How We Use Your Data
- Processing consultation requests and managing your account
- Sending booking confirmations and clinic responses
- Aggregated analytics to improve our service
- Meeting legal obligations
4. Legal Basis (UK GDPR)
- Contract: Processing necessary to provide our service
- Legitimate interest: Security, fraud prevention
- Consent: Marketing communications (withdrawable)
5. Special Category Data
Medical information you provide in consultation requests is Special Category Data (Article 9). We process this on the basis of your explicit consent when you submit the request.
6. Data Sharing
We share data with clinics (when you submit a consultation request), our email service provider, and Google (Places API for reviews). We do not sell your data.
7. International Transfers
When you request a consultation with a clinic abroad, your data is transferred to that country. We use UK IDTAs and Standard Contractual Clauses where applicable.
8. Your Rights
You have the right to access, rectify, erase, restrict, port, and object to the processing of your data, and to withdraw consent. Email [email protected]. We respond within 30 days.
9. Data Retention
- Account data: kept while the account is active, deleted within 30 days of account deletion
- Booking data: 6 years (legal compliance)
- Server logs: 90 days
10. Security
HTTPS encryption, bcrypt password hashing, rate limiting, input sanitisation, regular security audits.
11. Complaints
Lodge a complaint with the ICO at ico.org.uk.