DRAFT — pending legal review, not yet approved for publication. The content below is a template scaffold; placeholders must be completed and the whole document verified by a qualified adviser before this page goes live.
Privacy Policy
This Privacy Policy explains how TRT Platform (“we”, “us”) collects, uses, and protects personal data, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).
1. Who we are (data controller)
The data controller responsible for your personal data is [PLACEHOLDER: registered legal entity name and company number], registered at [PLACEHOLDER: registered office address]. We are registered with the UK Information Commissioner’s Office (ICO) under registration number [PLACEHOLDER: ICO registration number].
Data Protection Officer / contact for data protection matters: [PLACEHOLDER: DPO name / role, or confirm none required] (chanikul@googlemail.com).
2. What personal data we collect
- Account & identity data — name, email, contact details, authentication identifiers.
- Special category (health) data — clinical information such as blood-test results, prescriptions, treatment plans and consultation records. This is “special category data” under Article 9 UK GDPR and is treated with additional safeguards.
- Usage & technical data — log data, device/browser information, and cookies (see our Cookie Policy).
- Payment data — processed by our payment provider; [PLACEHOLDER: confirm what, if any, payment data we store vs. our processor].
3. Our lawful basis for processing
We rely on the following lawful bases under Article 6 UK GDPR: [PLACEHOLDER: confirm bases — e.g. contract, legitimate interests, consent, legal obligation].
For special category (health) data, we additionally rely on a condition under Article 9(2) UK GDPR, expected to be [PLACEHOLDER: confirm Article 9 condition — e.g. 9(2)(a) explicit consent, or 9(2)(h) provision of health/social care under contract with a health professional], together with an applicable condition in Schedule 1 of the Data Protection Act 2018.
4. How we use your data
We use your data to provide and operate the platform and clinical services, to communicate with you, to meet legal, clinical-safety and regulatory obligations, and to secure and improve the service. [PLACEHOLDER: confirm full list of purposes].
5. Who we share data with
We use third-party processors to deliver the service (for example: authentication, payments, email, hosting, file storage). A complete, verified list of processors and the safeguards in place is: [PLACEHOLDER: named processors and roles — to be confirmed by legal review; do not publish unverified].
6. How long we keep your data
We retain personal data only as long as necessary for the purposes above and to meet legal and clinical record-keeping requirements. Specific retention periods: [PLACEHOLDER: retention schedule per data category, incl. statutory clinical-records retention — to be confirmed].
7. International transfers
Where personal data is transferred outside the UK, we put appropriate safeguards in place. [PLACEHOLDER: confirm whether transfers occur and the safeguard used — e.g. UK IDTA / adequacy].
8. Your rights
Under UK data protection law you have the right to:
- access your personal data;
- rectify inaccurate data;
- erase data (“right to be forgotten”) in certain circumstances;
- restrict or object to processing;
- data portability;
- withdraw consent at any time where processing is based on consent;
- lodge a complaint with the ICO (ico.org.uk).
To exercise any right, contact chanikul@googlemail.com.
9. How we protect your data
We use technical and organisational measures appropriate to the sensitivity of the data, including access controls, audit logging and multi-tenant data isolation. [PLACEHOLDER: confirm security measures to disclose].
10. Contact
Questions about this policy or your data: chanikul@googlemail.com.