Data Privacy Policy

Summary

We only collect the information needed to care for you, like your contact details, health information, and how you use our service, or to facilitate your visit to our website, for marketing or communication purposes, or to allow a representative of a healthcare provider to contract with us, or for our general business activities.

How we use your data will depend on the circumstances in which we collect it and your role as a data subject (i.e. it will depend on whether you provide your data as a patient, visitor to our website, or a representative of a contracted or prospective healthcare provider). We use it to monitor your health, update your healthcare provider, contact you when needed, meet legal requirements, provide our services to you and improve our services.

Your data is kept safe with strict security measures and shared only when required for your care or by law — never sold. We may also use your data to improve services, to support research and for statistical and historical purposes; however such data will be anonymised and/or aggregated such that the data is not linked to you and you cannot be identified from the data.

You have rights over your data, including seeing it, correcting it, deleting it, limiting its use, or transferring it (see paragraph 10 below). Questions: dpo@doccla.com

Full Version

  1. Who We Are

We are Doccla UK Limited (referred to as Doccla, we, us and our in this Data Privacy Policy), a company incorporated in England and Wales with company registration number 12206481 and whose registered office address is 184 Shepherds Bush Road, Hammersmith, London, England, W6 7NL. 

If applicable, we provide remote health monitoring services to help you manage your health from home. We work closely with your healthcare provider and other members of your care team to make sure you receive safe, effective, and personalised care.

The information set out in this Data Privacy Policy is provided to individuals whose personal data we process (you or your), in compliance with our obligations under the Data Protection Act 2018 and the UK GDPR (as defined in the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations SI 2019/419) (GDPR).

  2. Data Controller Details

We are the data controller in relation to the processing of the personal data that you provide to us. In some circumstances, we are the data processor in relation to the processing of your personal data that is provided by your healthcare provider. Our contact details are as follows:

  • Address: 184 Shepherds Bush Road, Hammersmith, London, W6 7NL.
  • Email address: dpo@doccla.com (please include “Personal Data Request” in your subject heading to ensure it receives the correct attention).

  3. The Information We Collect and How it is Collected

We only collect the information we need to look after you properly. This may include:

  • Who you are — name, date of birth, healthcare number (if applicable)
  • How to contact you — address, phone number, email
  • Your health information — medical history, medications, vital signs, and care notes
  • How you use our service — data from the Doccla app, call records, and feedback you give us

Generally, the information we hold about you comes from your healthcare provider or from you directly by the way that you engage with us, for example by doing any of the following:

  • through engaging with us via our website or the Doccla app;
  • providing us with information in the course of using our service;
  • contacting us offline, for example by telephone, SMS, email or by post; and
  • interacting with us using social media.

We may also obtain information from publicly available sources, including public databases, registers and records.

Other than health data, we do not collect any special categories of personal data about you (this includes details about your race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, and genetic and biometric data). Nor do we collect any information about criminal convictions and offences.

  4. How We Use Your Information, the Purpose and Lawful Grounds for Processing

We use your information for the following (including the purpose and legal grounds for processing your personal information):

  • Monitor your health and keep your healthcare provider up to date (Legal basis: If it is necessary for the performance of our contract or for the purposes of entering into a contract);
  • Contact you if your results need attention (Legal basis: If it is in our legitimate interests to do so);
  • Improve the safety and effectiveness of your care (Legal basis: If it is in our legitimate interests to do so);
  • Meet legal requirements for health services (Legal basis: Compliance with a legal obligation); 
  • Improve our services using anonymous feedback (Legal basis: If it is in our legitimate interests to do so); and
  • For analytics purposes in order to (a) improve patient experience by understanding app usage, (b) ensure safe and reliable service delivery (error tracking, engagement monitoring), and (c) support development of new features that benefit patients (Legal basis: If it is in our legitimate interests to do so).

In respect of any health data concerning you that is processed by us for the purposes above, we are required by law to have a further lawful basis for such processing in addition to the legal ground identified above. In such scenarios, we will rely on the following additional legal grounds applicable to the situation which requires the processing of your health data:

  • Consent: where you have given your explicit consent to the processing of your health data for one or more specified purposes. Such consent may be collected by us or by your healthcare provider; or
  • Provision of health care: where processing is necessary for the purposes of preventive or occupational medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services pursuant to contract with a health professional.

  5. How We Keep Your Information Safe

We take great care to protect your information. We handle your data in line with data protection laws and follow recognised industry best practices, including by taking appropriate technical and organisational measures to guard against unauthorised or unlawful processing, accidental loss, destruction or damage. For example:

  • ISO 27001, Cyber Essentials Plus, and NHS DSPT: we have obtained such security and privacy certifications to ensure that we have appropriate safeguards in place to protect your personal information;
  • Access Controls: we have implemented safeguards in relation to access and confidentiality such that only authorised staff can access your records, and we use secure systems to keep your information safe at all times;
  • Encryption: whenever possible, we remove or code details so you cannot be identified, which also protects your data during storage and transmission;
  • Secure IT infrastructure: this is in place with monitoring and threat detection; and
  • Staff training: to ensure compliance with data protection best practices.

However, while we will do our best to protect your personal information, we cannot guarantee the security of your information which is transmitted via an internet or similar connection. 

  6. When We Share Your Information

We share your personal data only when it’s necessary for your care, or when the law requires it. This may include sharing with:

  • Your healthcare provider or care team;
  • Technology partners who securely support our platform; 
  • Business partners for contractual and operational purposes; and
  • Government health regulators or other legal authorities (if required by law).

However, in certain circumstances we may need to share your personal data with the following groups:

  • any member of our group, which means our subsidiaries, our ultimate holding company and its subsidiaries, as defined in section 1159 of the UK Companies Act 2006; 
  • regulators, fraud prevention agencies or other third parties for the purposes of monitoring and/or enforcing our compliance with any legal and regulatory obligations, including statutory or regulatory reporting or the detection or prevention of unlawful acts;
  • our professional advisers and auditors for the purpose of seeking professional advice or to meet our responsibilities;
  • other service providers and agents (including their subcontractors) or third parties which process information on our behalf (e.g. internet service and data storage and security platform providers, and those organisations we engage to help us send communications to you) so that they may help us to provide you with the applications, products, services and information you have requested; and
  • another organisation to whom we may transfer our agreement with you or if we sell or buy (or negotiate to sell or buy) our business or any of our assets (provided that adequate protections and safeguards are in place).

  7. How We Use Anonymised and/or Aggregated Data

We may use your data in an anonymised and/or aggregated format — information that cannot identify you — to:

  • Improve our services and patient experience;
  • Help develop new healthcare tools and features;
  • Analyse trends in patient outcomes; and
  • Support research that benefits patient care.

Such data will be anonymised and/or aggregated such that the data is not linked to you and you cannot be identified from the data.

  8. International Transfers

We will not transfer personal data relating to you to a country which is outside the UK and EEA unless:

  • the country or recipient is covered by an adequacy decision under GDPR Article 45;
  • appropriate safeguards have been put in place which meet the requirements of GDPR Article 46 (for example using the approved International Data Transfer Agreement or International Data Transfer Addendum for transfers of personal data outside the UK); or
  • one of the derogations for specific situations under GDPR Article 49 is applicable to the transfer. These include (in summary):
      • the transfer is necessary to perform, or to form, a contract to which we are a party with you or with a third party where the contract is in your interests;
      • the transfer is necessary for the establishment, exercise or defence of legal claims;
      • you have provided your explicit consent to the transfer; or
      • the transfer is of a limited nature, and is necessary for the purpose of our compelling legitimate interests.

  9. Retention of Personal Data

We have systems in place to periodically review and delete data that is no longer being used by us for the purposes set out in this Data Privacy Policy. Unless we are required or permitted by law to hold on to your data for a specific retention period, we will hold your personal information within our systems only until we are no longer providing services to you, except that we will retain your data to the extent necessary to provide you with information on similar products and services once your care ends, but only if you have not opted out of receiving such information.

If services are being provided to you pursuant to an agreement between us and your healthcare provider, we will retain your personal information for the duration of our contract with your healthcare provider.

In relation to your health data, where we have an obligation to retain this data (for example, for health and safety purposes) we will retain such data for the duration required by our obligation.

Where we no longer need your personal information, we will dispose of it in a secure manner.

In some circumstances you can ask us to delete your data: see the Your Rights section at paragraph 10 below for further information.

In some circumstances we will anonymise and/or aggregate your personal data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this anonymised and/or aggregated information indefinitely without further notice to you.

  10. Your Rights

In respect of the personal data about you that we are processing in accordance with the Data Protection Act 2018 and the GDPR, in certain circumstances (and provided that exemptions do not apply) you will have the following rights over your personal information: 

  • right to access: the right to request certain information about, access to and copies of the personal information about you that we are holding (please note that you are entitled to request one copy of the personal information that we hold about you at no cost, but for any further copies, we reserve the right to charge a reasonable fee based on administration costs); 
  • right to rectification: the right to have your personal information rectified if it is inaccurate or incomplete; 
  • right to erasure/“right to be forgotten”: the right to withdraw your consent to our processing of the data (if the legal basis for processing is based on your consent) and the right to request that we delete or erase your personal information from our systems;
  • right to restriction of use of your information: the right to stop us from using your personal information or limit the way in which we can use it;
  • right to data portability: the right to request that we return any information you have provided in a structured, commonly used and machine-readable format, or that we send it directly to another company, where technically feasible; and
  • right to object: the right to object to our use of your personal information including where we use it for our legitimate interests or for marketing purposes.

If you are receiving marketing communications from us, you have the right to unsubscribe from such communications at any time by following the link in the footer of the last email you received from us or by sending your request with detailed instructions to us (see contact details above).

Please note that if you withdraw your consent to the use of your personal information for the purposes set out in our Data Privacy Policy, we may not be able to provide you with all or certain parts of our service.

If you consider our use of your personal information to be unlawful, you have the right to lodge a complaint with the UK’s supervisory authority, the Information Commissioner’s Office. Please see further information on their website: www.ico.org.uk.   

If you want to use any of these rights, please email: dpo@doccla.com

  11. Automatic Decision Making

We do not make decisions based solely on automated data processing, including profiling.

  12. Changes to this Data Privacy Policy

We may amend this Data Privacy Policy from time to time, for example to keep it up to date, to implement minor technical adjustments and improvements or to comply with legal requirements. We will always update this Data Privacy Policy on our website, so please try to read it when you visit the website (the “last updated” reference tells you when we last updated our Data Privacy Policy). 

************

Website Visitors and Healthcare Providers

If you are not a patient we are providing services to and you are merely a visitor to our website (at www.doccla.com/) or a representative of a healthcare provider contracting or potentially contracting with us, the following clauses will apply to you in addition to certain clauses above (as applicable, see paragraph 6 below):

  1. The Information We Collect and How it is Collected

We collect and process the following types of personal data when you interact with us on the website or otherwise with a view to entering into a business relationship:

  • Identity Data: Your name, job title, employer details.
  • Contact Data: Your email address, phone number, and postal address.
  • Technical Data: Your IP address, browser type, device details, and data collected via cookies (see our Cookie Policy for more information).
  • Usage Data: Information about how you interact with our website, emails, and services.
  • Marketing & Communication Data: Your preferences, feedback, and survey responses.
  • Business & Contractual Data: Details related to contracts, partnerships, and service interactions.

  2. How We Use Your Information, the Purpose and Lawful Grounds for Processing

We process your personal data for the following purposes:

  • To operate and improve our website and online services.
  • To communicate with you, respond to enquiries, and provide customer support.
  • To send marketing communications (where legally permitted and based on your preferences).
  • To improve our services through analytics, research, and product development.
  • To comply with legal and regulatory obligations.

We process your personal data under the following legal bases:

  • Legitimate Interests: For business operations, service improvements, and non-intrusive marketing.
  • Legitimate Interests: Where legally permitted for marketing communications (you can withdraw at any time).
  • Consent: Where required for marketing communications (you can withdraw at any time).
  • Contractual Necessity: To fulfil service agreements and business contracts.
  • Legal Obligations: Compliance with laws and regulations.

  3. Retention of Personal Data

Unless we are required or permitted by law to hold on to your data for a specific retention period, we will only hold your personal information within our systems for a period of 12 months from your last interaction with us.

  4. Cookies

We use cookies to enhance website functionality and gather analytics. A cookie is a small file of letters and numbers that is sent to your device when you visit our website, allowing our website to recognise your browser if you revisit it. Cookies may store your online preferences and other information about the interaction you make in the site. Please refer to our Cookie Policy (https://www.doccla.com/cookie-policy) for more information about the type of cookies used and how we use cookies/tracking technologies within our site.

  5. Additional provisions

The provisions of the Who We Are, Data Controller Details, How We Keep Your Information Safe, When We Share Your Information, How We Use Anonymised and/or Aggregated Data, International Transfers, Your Rights, Automatic Decision Making and Changes to this Data Privacy Policy sections set out above also apply to Website Visitors.

Version 1.2: September 2025