Privacy Policy
Effective Date: 28th January 2025
Table of Contents
1. Introduction
2. Information We Collect
3. How We Use Your Information
4. Legal Basis for Processing
5. Obtaining Explicit Consent
6. Child Safety
7. Data Sharing
8. Data Security
9. Data Retention
10. Your Rights
11. Contact Us
12. ICO Registration
13. Changes to This Policy
14. Additional Information
1. Introduction
Med Automation Ltd (“we”, “our”, “us”) is dedicated to protecting and respecting your privacy. This Privacy Policy outlines how we collect, use, and safeguard your personal data when you use our AI voice solutions, appointment management services, and interact with our website, in partnership with both public and private sector clients, including but not limited to the NHS, in accordance with the UK General Data Protection Regulation (UK GDPR).
Scope: This policy applies to all users of our services and website, including patients, healthcare providers, and clients in both the public and private sectors.
Contact Information: If you have any questions or concerns about your privacy, please contact our Data Protection Officer using the details provided in the Contact Us section below.
2. Information We Collect
To provide our appointment management services (“our services”), we collect and store the following personal information:
1. Personal Identification Information
- Name
- Date of Birth
- Mobile Number
2. Appointment Details
- Doctor’s Name
- Type of Scan or Procedure
- Appointment Date and Time
3. Communication Data
- Call Recordings: Includes audio data and transcripts related to your interactions with our AI voice system.
4. Website Contact Information
If you choose to be contacted via our website, we collect:
- Name
- Phone Number
- Email Address
- Workplace
5. Technical Data
- IP Addresses
- Browser Type
- Device Information
- Cookies and Similar Tracking Technologies
3. How We Use Your Information
We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:
1. Performance of Contract
- Service Provision: To provide and manage our services, including appointment booking, rescheduling, and cancellations.
2. Legitimate Interests
- Communication: To communicate with you and healthcare providers.
- Service Improvement: To improve our website, services, and patient experience.
- Marketing: To contact interested prospects for product demonstrations and services.
Our legitimate interests include enhancing our services to better serve you and ensuring efficient operation of our business. We ensure that these interests are balanced against your privacy rights.
3. Consent
- Marketing Communications: When you have given explicit consent for specific purposes, such as receiving marketing communications.
4. Legal Basis for Processing
We process your personal data based on the following legal bases under the UK GDPR:
1. General Data Processing
- Consent (Article 6(1)(a)): When you have given us explicit consent for specific purposes, such as receiving marketing communications.
- Contractual Necessity (Article 6(1)(b)): To fulfill a contract with you, including providing and managing our services.
- Legal Obligation (Article 6(1)(c)): To comply with legal requirements, such as data retention laws and healthcare regulations.
- Legitimate Interests (Article 6(1)(f)): For our legitimate business interests, including improving our services and communicating with you, provided these interests do not override your privacy rights.
2. Special Category Data Processing
For processing special category data (e.g., health information) related to appointment bookings, we rely on:
- Explicit Consent (Article 9(2)(a)): When you have given us explicit consent to process your health-related data for specific purposes.
- Necessity for Healthcare Purposes (Article 9(2)(h)): Processing is necessary for providing healthcare services or managing healthcare appointments in accordance with NHS and other public or private sector requirements.
5. Obtaining Explicit Consent
We may request explicit consent verbally, including via our voice-based system. To ensure compliance, we follow these steps:
1. Clear Information
- The system will inform you about the data being collected, the purpose of collection, and how it will be used.
2. Affirmative Action
- You will be required to provide an unambiguous affirmative response (e.g., saying “I consent”) to indicate your consent.
3. Recording Consent
- Your response and the information provided will be recorded and documented for future reference.
4. Withdrawal of Consent
- Right to Withdraw: You have the right to withdraw your consent at any time. To do so, please contact our Data Protection Officer at [email protected] or through our website’s contact form.
5. Accessibility
- We ensure that the consent process is accessible to all users, including those with disabilities, by providing alternative methods of obtaining consent upon request.
6. Child Safety
Protecting the safety of children is important to us. Our services are intended for use only by individuals who are at least 18 years of age. By using our Services, you confirm that you meet this requirement.
For Users Under 18:
- Parental Permission: If you are under the age of 18, you must have permission from a parent or guardian before using our Services or providing us with personal information.
- Under 13: If you are under the age of 13, your parent or guardian must provide consent on your behalf when we request consent for processing your information.
Reporting Unauthorized Use:
If you believe that a child under 18 is using our appointment management services and providing personal data without parental or guardian consent, please contact our Data Protection Officer at [email protected]. We will promptly investigate and remove or delete the unauthorized data as necessary.
7. Data Sharing
We may share your personal data with the following categories of third parties:
1. Service Providers and Business Partners
- Types of Providers: Companies that provide IT services, data storage, customer support, and other operational functions necessary to deliver our services.
- Compliance: Only with third parties who comply with data protection laws and provide sufficient guarantees to implement appropriate technical and organizational measures.
2. Healthcare Providers
- Entities Involved: Hospitals, GP surgeries, and other healthcare professionals involved in managing your appointments and providing patient care.
3. Public and Private Sector Clients
- Client Types: We serve customers in both the public and private sectors, including but not limited to the NHS, ensuring that data sharing complies with the specific requirements and regulations of each sector.
4. Legal Authorities
- Circumstances: Government bodies, regulatory agencies, or law enforcement entities when required by law or to protect our legal rights.
5. Affiliates and Subsidiaries
- Group Companies: Other companies within the Med Automation Ltd group, ensuring they adhere to similar data protection standards.
6. International Transfers
- Data Transfers: If we transfer your data outside the UK, we ensure appropriate safeguards are in place, such as standard contractual clauses or adherence to UK-recognized adequacy decisions.
Conditions for Data Sharing:
- Compliance: We only share your data with third parties who comply with data protection laws and implement appropriate technical and organizational measures.
- Minimal Data: Data sharing is limited to the minimum necessary to achieve the intended purpose.
8. Data Security
We take the security of your personal data seriously and implement appropriate technical and organizational measures to protect it from unauthorized access, alteration, disclosure, or destruction. These measures include:
1. Technical Measures
- Encryption: All sensitive data is encrypted both in transit and at rest.
- Access Controls: Strict access controls ensure that only authorized personnel can access your data.
- Secure Infrastructure: We use secure servers and regularly update our software to protect against vulnerabilities.
- Regular Security Audits: We conduct periodic security assessments and audits to identify and address potential risks.
2. Organizational Measures
- Staff Training: Our employees receive regular training on data protection and privacy best practices.
- Data Protection Policies: We maintain comprehensive internal policies to ensure compliance with data protection laws.
- Incident Response Plan: In the event of a data breach, we have a robust incident response plan to promptly address and mitigate the impact, including notifying affected individuals and relevant authorities as required by law.
9. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, including to comply with legal, regulatory, and reporting requirements. Our data retention periods are as follows:
1. Personal Identification Information and Appointment Details
- Retention Period: 5 years after the last interaction or appointment.
2. Call Recordings
- Retention Period: 2 years to ensure quality control and compliance with regulatory standards.
3. Website Contact Information
- Retention Period: 3 years unless you request deletion sooner.
4. Technical Data
- Retention Period: 1 year to improve our services and website functionality.
Data Deletion:
Once the retention period has expired, your data is securely deleted or anonymized to prevent any unauthorized access or use.
10. Your Rights
Under the UK GDPR, you have the following rights regarding your personal data:
1. Right to Access
- What It Means: You can request access to your personal data that we hold.
- How to Exercise: Contact our Data Protection Officer at [email protected].
2. Right to Rectification
- What It Means: If your data is inaccurate or incomplete, you can request correction.
- How to Exercise: Contact us with the necessary details to update your information.
3. Right to Erasure (Right to be Forgotten)
- What It Means: You can request the deletion of your personal data under certain circumstances, such as when it is no longer necessary for the purposes collected.
- How to Exercise: Submit your request to our Data Protection Officer.
4. Right to Restrict Processing
- What It Means: You may request that we limit the processing of your data, for example, if you contest its accuracy.
- How to Exercise: Contact us to apply this right.
5. Right to Object
- What It Means: You can object to the processing of your data for specific purposes, such as direct marketing.
- How to Exercise: Reach out to us via email.
6. Right to Data Portability
- What It Means: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transfer it to another controller.
- How to Exercise: Request this by contacting our Data Protection Officer.
7. Rights Related to Automated Decision-Making and Profiling
- What It Means: If we engage in automated decision-making or profiling that affects you, you have the right to obtain human intervention, express your point of view, and contest the decision.
- How to Exercise: Contact our Data Protection Officer to discuss your concerns.
Exercising Your Rights:
To exercise any of these rights, please contact our Data Protection Officer using the details provided in the Contact Us section below. We will respond to your request within the statutory time frame as required by the UK GDPR.
11. Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact our Data Protection Officer:
- Email: [email protected]
- Mailing Address: 41 Oldfields Road, Sutton, Surrey, England, SM1 2NB
- Phone: +44 20 7946 0958
- Contact Form: Available on our Contact Page.
12. ICO Registration
We are registered with the Information Commissioner’s Office (ICO) under registration reference: ZB645385. You can verify our registration and find more information on the ICO website.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. Any changes will be posted on this page, and where appropriate, we will notify you via email or through our website’s notification system.
Effective Date: 28th January 2025
14. Additional Information
a. Cookie Policy
We use cookies and similar tracking technologies to enhance your experience on our website. For detailed information about the types of cookies we use, their purposes, and how you can manage your preferences, please refer to our Cookie Policy.
b. Automated Decision-Making
Our AI voice solutions may involve automated decision-making or profiling to improve service delivery. If you are subject to such processes, you have the rights outlined in the Your Rights section to obtain human intervention, express your point of view, and contest the decision.
c. Third-Party Integrations
We integrate with third-party services and platforms to enhance our service offerings. These integrations are carefully selected to ensure they adhere to strict data protection standards. For more information about our third-party partners and their data handling practices, please contact us directly.
d. User Consent for Marketing
We respect your preferences regarding marketing communications. You can opt-in or opt-out of receiving marketing emails at any time by contacting us directly through the Contact Us section.
e. Accessibility and Language
We strive to make our Privacy Policy accessible to all users, including those with disabilities. The policy is written in clear and straightforward language to ensure that everyone can understand how their data is handled. If you require the information in an alternative format, please contact us, and we will accommodate your request.
© OTUA 2025. All Rights Reserved.