This is the umbrella privacy policy for the MedPal group. It explains how we collect, use and share personal data when you use our wellness/app services and when you use our clinic/pharmacy services.

Some services (especially regulated clinic/pharmacy services) may have a service-specific privacy notice. If there is a difference, the service-specific notice applies for that service.

•    Personal data: information that identifies you (directly or indirectly).Name, email address, phone number
•    Special category data: extra-sensitive data such as health information.
•    Controller: the organisation that decides how and why personal data is used.
•    Processor: an organisation that processes personal data on a controller’s instructions (for example, an IT supplier).
•    Overseas access / international transfer: personal data is accessed from, or transferred to, a country outside the UK.

Service: Wellness / App services
Controller: MedPal AI plc
Company number: 13578804
Registered office: Hill Dickinson LLP, 8th Floor The Broadgate Tower, 20 Primrose Street, London, United Kingdom, EC2A 2EW

Service: Clinic / Pharmacy services (regulated care)
Controller: MedPal Limited
Company number: 16679407
Registered office: Hill Dickinson LLP, 7th Floor, The Broadgate Tower, 20 Primrose Street, London, United Kingdom, EC2A 2EW

Some MedPal group companies provide platform services to other group companies. Where one group company processes personal data on behalf of another (for example, platform hosting or technical support), this is governed by a written data processing agreement.

In limited circumstances, MedPal AI plc and MedPal Limited may act as joint controllers for a specific activity. Where this applies, we will explain it and provide the essence of the arrangement.

How to contact us

- Data Protection Officer (DPO): dpo@medpal.co.uk
- Wellness/app support: support@medpal.ai
- Clinic support: support@medpal.clinic
- If you contact us by post, use the registered office address for the relevant controller above.

The data we collect depends on the service you use and the choices you make (for example, which integrations you enable). We aim to collect only what we need for the purposes below.

Wellness / App (examples)4.1 Identity and contact details
- Identity and contact details (such as name, email, phone number).
- Account and profile data (such as preferences and settings).
- Device and usage data (such as device identifiers, app activity, crash logs, and security logs).
- Wellness metrics you choose to provide or connect (for example activity, sleep, heart rate/HRV, respiratory rate, and derived indicators).
- Messages you send us (support requests and feedback).

Clinic / Pharmacy (examples)4.2 Health and prescription information
- Identity and contact details.
- Appointment and communications data.
- Clinical information you provide (symptoms, history, questionnaires).
- Consultation notes and clinical decisions.
- Prescriptions and medication records where applicable.
- Safeguarding notes where necessary for safety.

UK GDPR requires us to have a lawful basis for processing personal data. Where we process health data, we also need an additional condition under Article 9 UK GDPR.

We do not rely on blanket consent as the legal basis for core clinic care delivery. We use consent only where it is appropriate for optional processing (for example, optional integrations or optional product research where offered).

Typical purposes and lawful bases

Service / purpose: Wellness/App: Provide your account, core app features, and customer support
Personal data (Article 6 UK GDPR): Contract (Art 6(1)(b))
Health data (Article 9 UK GDPR), if applicable: Explicit consent (Art 9(2)(a)) where you connect/provide health data
Notes: You can withdraw optional permissions/consents in-app (for example by disconnecting an integration).

Service / purpose: Wellness/App: App security, fraud prevention, and service reliability
Personal data (Article 6 UK GDPR): Legitimate interests (Art 6(1)(f))
Health data (Article 9 UK GDPR), if applicable: Not normally applicable
Notes: We use logs/monitoring to protect users and our services.

Service / purpose: Wellness/App: Optional analytics and product improvement (where enabled)
Personal data (Article 6 UK GDPR): Legitimate interests (Art 6(1)(f)) and/or Consent (Art 6(1)(a)) depending on the feature and settings
Health data (Article 9 UK GDPR), if applicable: Explicit consent (Art 9(2)(a)) where health data is included
Notes: We aim to use aggregated or de-identified data where feasible.

Service / purpose: Clinic/Pharmacy: Provide clinical consultations, prescribing and care delivery
Personal data (Article 6 UK GDPR): Contract (Art 6(1)(b)) and/or Legal obligation (Art 6(1)(c))
Health data (Article 9 UK GDPR), if applicable: Health or social care (Art 9(2)(h))
Notes: Care delivery requires accurate clinical records and appropriate professional safeguards.

Service / purpose: Clinic/Pharmacy: Clinical safety, quality assurance, and incident management
Personal data (Article 6 UK GDPR): Legal obligation (Art 6(1)(c)) and/or Legitimate interests (Art 6(1)(f))
Health data (Article 9 UK GDPR), if applicable: Health or social care (Art 9(2)(h)) and/or Substantial public interest where applicable
Notes: We share only what is necessary to keep services safe and compliant.

Service / purpose: All services: Handle complaints, legal claims, and regulatory requests
Personal data (Article 6 UK GDPR): Legal obligation (Art 6(1)(c)) and/or Legitimate interests (Art 6(1)(f))
Health data (Article 9 UK GDPR), if applicable: Health or social care (Art 9(2)(h)) where health data is involved
Notes: We keep appropriate records for accountability.

If you choose to share selected wellness metrics with your clinician to support your care, we will explain what is shared and you can control this through the relevant feature (this is optional).

We may share personal data with:

- Other MedPal group companies where needed to provide services safely and lawfully (for example, account administration, platform operations, clinical safety workflows).
- Clinicians, pharmacies, and healthcare partners involved in providing your care (clinic/pharmacy services).
- Service providers who act on our instructions (for example, hosting, software development/support, communications providers) under written contracts.
- Professional advisers (legal, audit, insurers) and regulators where required.
- Law enforcement where we are legally required or permitted to do so.

We do not sell your personal data.

When MedPal AI plc and MedPal Limited share data with each other as separate controllers, we do so under an internal data sharing arrangement and we share only the minimum necessary for the stated purpose.

Where we use suppliers to process personal data on our instructions, we require contractual and operational safeguards. These typically include:

- A written data processing agreement (DPA) covering confidentiality, security, breach notification, and assistance with rights requests.
- Controls on sub-processors (no new sub-processors without our authorisation and updated documentation).
- Access controls (named accounts, least privilege, multi-factor authentication for privileged access).
- Logging/monitoring and controlled emergency (“break-glass”) access procedures.
- Risk assessments where appropriate (including transfer risk assessments where overseas access applies).

A list of key suppliers and sub-processors can be provided on request.

We primarily host and operate our core systems in the UK. However, some approved service providers and support personnel may access personal data from outside the UK (for example, for software development or technical support, including from Ukraine).

Where personal data is accessed or transferred outside the UK and UK adequacy regulations do not apply, we use appropriate safeguards such as:

- the UK International Data Transfer Agreement (IDTA); or
- the UK Addendum to the EU Standard Contractual Clauses (EU SCCs).

We also apply technical and organisational measures (for example, access controls, MFA, logging and restrictions on exporting data).

We may use automated processing and AI to generate wellness insights and recommendations. Where AI-assisted features are used in clinic journeys (for example, navigation or drafting support), clinical decisions are made with appropriate human involvement.

We do not use solely automated decision-making that produces legal or similarly significant effects without appropriate safeguards and the ability to obtain human review.

We use technical and organisational measures designed to protect personal data, including access controls, least-privilege permissions, encryption, and security monitoring. Access to clinical data is restricted to authorised staff and clinicians who need it for their role.

Where feasible, we use separation and internal identifiers (pseudonymisation) to reduce risk.

We keep personal data only as long as necessary for the purposes described in this policy, including meeting legal, regulatory, and clinical record-keeping requirements.

- Wellness/app data: generally kept while your account is active and for limited periods afterwards for security, dispute resolution, and compliance.
- Clinic/pharmacy records: retained in line with healthcare record-keeping expectations and regulatory requirements.

If you request account deletion, we remove personal data from active systems without undue delay, subject to lawful retention requirements (for example, clinical record retention).

We maintain encrypted backups for continuity and security. Deleted data may remain in backups until those backups rotate and are overwritten. Backups are protected and are not used for routine access.

You have rights under UK data protection law, including the right to request access to your data, correct inaccurate data, request deletion (where applicable), restrict or object to certain processing, and data portability in some cases.

To exercise your rights, contact the DPO at dpo@medpal.co.uk. We may need to verify your identity before responding.

We aim to respond within one month. If a request is complex, we may extend the response period as permitted by law and we will explain why.

Where processing is based on consent, you can withdraw consent at any time. Withdrawal does not affect processing that has already taken place.

Our websites may use cookies and similar technologies. Where required, we provide choices through cookie banners or settings. App settings may also allow you to control certain analytics preferences.

MedPal services are intended for adults unless we state otherwise for a specific service. If we become aware we have collected personal data from a child without appropriate authority, we will take steps to delete it or otherwise comply with the law.

If you have concerns, please contact us at dpo@medpal.co.uk so we can try to resolve them. You also have the right to complain to the Information Commissioner’s Office (ICO).

- ICO postal address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
- ICO helpline: 0303 123 1113.

We may update this policy from time to time. We will show the latest revision date at the top. Where changes are material, we will take appropriate steps to notify you.