Privacy Policy

Last updated: 30.12.2025

1. Who We Are

The GP Clinic Ltd (“we”, “us”, “our”) is an online GP service providing medical consultations, advice, and related healthcare services via secure digital platforms.

Company number: 15350289
Registered / Contact address:
124 City Road
London
EC1V 2NX
United Kingdom

To provide our services, we need to collect and process personal data. This Privacy Policy explains how we use personal data, how we protect it, and your rights under UK data protection law.

2. Data Controller

For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, The GP Clinic Ltd is the Data Controller. This means we decide how and why your personal data is processed.

3. Data Protection Officer (DPO)

We have appointed a Data Protection Officer to oversee compliance with data protection law.

Data Protection Officer:
Dr Mohammed Sulaiman Shah
The GP Clinic Ltd
124 City Road
London EC1V 2NX
United Kingdom

If you believe there has been a data breach or you have concerns about how your personal data is handled, you may contact the DPO using the details above.

4. Collection and Processing of Personal Data

Personal data collected by The GP Clinic Ltd is processed electronically. Appropriate technical and organisational measures are in place to ensure security, confidentiality, and compliance with applicable legislation.

Purposes for which we process personal data:

We may process your personal data:

Because you are a patient or user of our online GP services
To provide medical consultations, advice, diagnosis, and treatment
To meet legal, regulatory, and professional obligations (including Care Quality Commission requirements)
For administrative and operational purposes
To prevent fraud and ensure patient safety
For audit, governance, and quality assurance purposes
For marketing purposes (where you have given consent)

5. How We Collect Personal Data

We primarily collect personal data directly from you when you:

Register on our website
Book or attend an online consultation
Communicate with us via email, telephone, web forms, or secure messaging
Provide medical history, identity documents, or payment information
Interact with our website or digital platforms

We may also receive limited personal data from third parties where necessary to provide healthcare services (e.g. laboratories, pharmacies, or referral partners).

6. Legal Basis for Processing

Under UK GDPR, we must have a lawful basis to process your personal data.

Purpose of Processing	Legal Basis
Verifying patient identity	Legal and regulatory obligation
Providing medical consultations and services	Performance of a contract
Processing health and medical data	Provision of health or social care and/or explicit consent
Retaining medical records	Legitimate interests and legal obligations
Marketing communications	Consent
Audit and regulatory compliance	Legal obligation

7. Special Category (Sensitive) Data

To provide medical care, we may need to process special category personal data, including health information.

We process such data only where:

It is necessary for the provision of healthcare, or
You have given explicit consent, or
Processing is required by law

8. Sharing of Personal Data

We may share personal data with trusted third parties where necessary to provide our services, including:

Secure clinical software and consultation platforms
IT, hosting, and communications service providers
Payment processing providers
Other healthcare professionals involved in your care (e.g. laboratories, imaging providers, pharmacies)

All third parties are required to implement appropriate security measures and process personal data only in accordance with our instructions and contractual obligations.

We are bound by professional duties of medical confidentiality and will not share your personal data without justification unless required by law.

9. International Transfers

In most cases, your personal data will be processed within the UK.

Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

Transfers to countries deemed adequate by the UK
Standard contractual clauses
Encryption and other technical safeguards

If no safeguards are available, data will only be transferred where legally permitted or with your explicit consent.

10. Security Measures

We take data security seriously and implement appropriate technical and organisational measures to protect personal data against:

Unauthorised access
Loss or destruction
Disclosure or misuse

Measures include secure systems, access controls, encryption, and staff training.

11. How Long We Keep Your Data

We retain personal data only for as long as necessary.

Identity verification and regulatory records: minimum 10 years after the end of the patient relationship
Medical records: typically 7–15 years, in line with NHS and professional guidance
Marketing data: retained only while we have your consent

12. Consent

Where we rely on consent (e.g. for marketing), you may withdraw your consent at any time.
Withdrawing consent will not affect your access to medical services.

13. Your Rights

Under UK GDPR, you have the right to:

Access your personal data
Request correction of inaccurate data
Request erasure (in certain circumstances)
Object to processing
Request restriction of processing
Request data portability

To exercise your rights, contact:

Data Protection Officer
The GP Clinic Ltd
124 City Road
London EC1V 2NX

We may need to verify your identity before responding.

14. Complaints

If you are unhappy with how we handle your data, you have the right to complain to the Information Commissioner’s Office (ICO).

Telephone: 0303 123 1113
Website: https://ico.org.uk

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect legal, regulatory, or operational changes. Any updates will be published on our website.