Privacy Policy

Effective Date: 02/01/2025
Last Updated: 06/01/2025

Clin‑Sync Ltd ("Clin‑Sync," "we," "our," or "us") is committed to protecting your privacy.
This Privacy Policy explains what information we collect, how we use it, and the rights you have in relation to your personal data.

1. Who We Are

Clin‑Sync Ltd is a UK‑based health‑technology company that operates a secure referral and care‑coordination platform used by patients, clinicians, and medical clinics.

  • Clin‑Sync Referral Portal – enables patients, general practitioners (GPs), specialists, and allied‑health professionals to create and manage digital referrals, appointments, and clinical documentation.

  • Clin‑Sync Practice Hub – a web dashboard for clinics and clinicians to track incoming referrals, communicate with patients, and handle billing.

Clin‑Sync Ltd is incorporated in England and Wales (Company No. 16402962) with its registered office at 66 Ernest Road, Hornchurch, England, RM11 3JW.

Contact:
Email: privacy@clin‑sync.co.uk
Postal: Data Protection Officer, Clin‑Sync Ltd, 66 Ernest Road, Hornchurch, England, RM11 3JW, United Kingdom

2. What Information We Collect

| Category | Details | Examples |
|---|---|---|
| A. Personal Identification | Basic details used to create an account and verify identity | Name, postal address, email, telephone, NHS or hospital number, clinician GMC/NMC/GDC number |
| B. Health & Medical Information (Special Category Data) | Data needed for referral triage, ongoing care, or payment of services | Referral reason, medical history, test results, imaging, medications, allergies, consultation notes, care plans |
| C. Appointment & Billing Data | Information required to schedule and pay for services | Appointment dates, times, clinic location, billing address, insurer details, payment status |
| D. Technical & Usage Data | Automatically collected when you interact with our platform | IP address, device & browser type, log files, cookies, session timestamps |
| E. Verification Data | Data provided by healthcare organisations to verify professional or patient status | Clinic affiliation records, proof of practice registration, user role/permissions |

You may choose to provide additional information (e.g., preferred contact method, accessibility needs). Where required by law, we will ask for your explicit consent before collecting or processing special category data.

3. How We Use Your Data

We process personal data only for specified, lawful purposes, including to:

  1. Create and manage user accounts (patients, clinicians, clinic administrators).

  2. Facilitate referrals and care pathways between referrers, receiving clinicians, and clinics.

  3. Schedule appointments, issue reminders, and manage virtual or in‑person consultations.

  4. Generate and transmit clinical documentation (e.g., referral letters, discharge summaries) securely.

  5. Handle billing and insurance claims on behalf of clinics or patients.

  6. Verify professional credentials and clinic affiliations to protect patient safety.

  7. Communicate important updates about your care, platform changes, or security notices.

  8. Improve and secure our platform through analytics, audits, and threat detection.

  9. Comply with legal and regulatory obligations, including NHS Digital, CQC, and ICO requirements.

We do not use your data for automated decision‑making that produces legal or similarly significant effects without human oversight.

4. Legal Bases for Processing

Under the UK GDPR and Data Protection Act 2018, we rely on one or more of the following legal grounds:

| Legal Basis | When It Applies |
|---|---|
| Explicit Consent (Art. 6(1)(a); Art. 9(2)(a)) | You give clear, informed consent—for example, when you register an account or share sensitive health data with a clinician. |
| Provision of Health Care (Art. 9(2)(h)) | Processing is necessary for medical diagnosis, provision of health or social care, or management of health‑care systems. |
| Contractual Necessity (Art. 6(1)(b)) | We need the data to perform a contract with you—for example, booking an appointment you request. |
| Legal Obligation (Art. 6(1)(c)) | We must comply with UK laws, NHS regulations, court orders, or reporting duties. |
| Legitimate Interests (Art. 6(1)(f)) | To improve services, maintain platform security, or defend legal claims. We balance these interests against your rights. |

5. How We Share Your Data

We never sell your personal data. We share it only in the circumstances below and subject to strict confidentiality and security controls:

  1. Treating Clinicians & Clinics – to provide direct care and manage referrals or follow‑up appointments.

  2. Healthcare Organisations & Insurers – such as NHS trusts or private insurers, where required for funding or treatment authorisation.

  3. Trusted Service Providers – cloud hosting, secure email/SMS gateways, analytics, and payment processors acting under data‑processing agreements.

  4. Regulators & Authorities – the Care Quality Commission (CQC), Information Commissioner’s Office (ICO), HMRC, courts, or law‑enforcement when legally mandated.

  5. Anonymised & Aggregated Data – for service improvement or research, never in a form that identifies you.

6. International Transfers

Patient data is stored on servers located in the United Kingdom or the European Economic Area (EEA). If we need to transfer data outside the UK/EEA, we will use approved safeguards (e.g., UK IDTA, EU SCCs) to ensure an equivalent level of protection.

7. How We Protect Your Data

  • End‑to‑End Encryption in transit (TLS 1.2+) and at rest (AES‑256).

  • Role‑Based Access Controls and multi‑factor authentication for clinicians and staff.

  • ISO 27001‑certified data‑centre hosting with 24/7 monitoring.

  • Regular penetration testing, audits, and vulnerability scans.

  • Data minimisation & pseudonymisation wherever possible.

8. Data Retention

| Data Category | Retention Period |
|---|---|
| Patient medical records | Minimum 8 years after the patient’s last contact (per NHS Records Management Code of Practice) unless a longer period is mandated. |
| Referral correspondence & imaging | 8 years or linked to the underlying medical record, whichever is longer. |
| Billing & financial data | 7 years to satisfy tax and audit requirements. |
| Technical logs | Up to 24 months, unless needed for security investigations. |

Once retention periods expire, data is securely deleted or anonymised.

9. Your Rights

You have the following rights under UK data‑protection law:

  1. Access – request a copy of your personal data.

  2. Rectification – correct inaccuracies in your data.

  3. Erasure – have your data deleted (the "right to be forgotten"), subject to clinical and legal limitations.

  4. Restriction – ask us to limit how we process your data.

  5. Data Portability – receive your data in a structured, machine‑readable format or have us transmit it to another controller.

  6. Object – to processing based on legitimate interests or direct marketing.

  7. Withdraw Consent – at any time, where processing relies on consent.

  8. Complain to the ICO – if you believe we are mishandling your data.

To exercise any right, email privacy@clin‑sync.co.uk or write to the Data Protection Officer at the address above. We will respond within one month (subject to extensions for complex requests).

10. Children’s Privacy

Clin‑Sync services are not intended for individuals under 16 years old. If we learn that we have collected personal data from a child without appropriate consent, we will delete it promptly.

11. Cookies & Tracking Technologies

Our website and applications use cookies and similar technologies to:

  • Keep you signed in and maintain session security.

  • Remember your preferences.

  • Analyse site usage to improve performance.

You can manage cookies through your browser settings. For details, see our separate Cookie Notice.

12. Changes to This Policy

We may update this Privacy Policy periodically. Any material changes will be highlighted on our platform, and where required, we will seek your consent. The “Last Updated” date at the top indicates the most recent revision.

13. Contact Us

If you have questions or concerns about this Privacy Policy or how we process your data, please contact:

Data Protection Officer
Clin‑Sync Ltd
66 Ernest Road, Hornchurch, England, RM11 3JW
United Kingdom
✉️ privacy@clin‑sync.co.uk

© 2025 Clin‑Sync Ltd. All rights reserved.