Privacy Policy

Last updated: December 2024

1. Introduction

Praxo Ltd ("we", "us", or "our") is committed to protecting the privacy and security of personal data. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our practice management platform ("Service").

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws. As our Service is designed for healthcare providers, we take particular care with health data and other special category data.

2. Data Controller and Data Processor

2.1 Our Role

Our role depends on the type of data being processed:

  • Data Controller: We act as the Data Controller for data relating to our business relationship with medical practices, including account administrators, billing contacts, and website visitors.
  • Data Processor: We act as a Data Processor when processing Patient Data on behalf of medical practices (who are the Data Controllers for their patients' data).

2.2 Contact Details

Praxo Ltd
Data Protection Officer: [email protected]
London, United Kingdom

We are registered with the Information Commissioner's Office (ICO) as a data controller and data processor.

3. Information We Collect

3.1 Practice and User Data (as Data Controller)

We collect information directly from medical practices and their staff:

  • Account Information: Practice name, address, contact details, billing information, and regulatory registration numbers
  • User Information: Names, email addresses, job roles, and authentication credentials of authorised users
  • Usage Data: Login times, features accessed, actions performed (for audit and security purposes)
  • Technical Data: IP addresses, browser type, device information, and error logs
  • Communication Data: Support requests, feedback, and correspondence

3.2 Patient Data (as Data Processor)

When medical practices use our Service to manage patient information, we process Patient Data on their behalf. This may include:

  • Identity Data: Names, titles, dates of birth, NHS numbers, and other identifiers
  • Contact Data: Addresses, phone numbers, email addresses, and emergency contacts
  • Health Data: Appointment records, clinician notes, medical history references, and treatment information
  • Administrative Data: Insurance information, billing records, and consent records

Important: Health data is "special category data" under UK GDPR and is subject to additional protections. The medical practice (as Data Controller) is responsible for ensuring appropriate legal basis and patient consent for processing this data.

3.3 Waitlist and Marketing Data

If you join our waitlist or request information, we collect:

  • Email address
  • Name (if provided)
  • Practice name (if provided)
  • Source of referral

4. Legal Basis for Processing

4.1 Practice and User Data

We process this data based on:

  • Contract: Processing necessary to provide the Service and fulfil our contractual obligations
  • Legitimate Interests: Processing for security, fraud prevention, service improvement, and business administration
  • Legal Obligation: Processing required to comply with legal and regulatory requirements
  • Consent: For marketing communications (where required)

4.2 Patient Data

As a Data Processor, we process Patient Data solely on the documented instructions of the medical practice (Data Controller). The practice is responsible for establishing the legal basis for processing, which typically includes:

  • For health data: Explicit consent, or processing necessary for medical diagnosis, treatment, or healthcare management under Article 9(2)(h) UK GDPR
  • For other personal data: Contract with the patient, legitimate interests, or legal obligation

5. How We Use Personal Data

5.1 Service Provision

  • Providing and maintaining the Service
  • Authenticating users and managing access permissions
  • Processing transactions and sending service notifications
  • Providing customer support

5.2 Security and Compliance

  • Maintaining comprehensive audit logs of all system activity
  • Detecting and preventing fraud, abuse, and security incidents
  • Complying with legal and regulatory requirements
  • Responding to law enforcement requests (where legally required)

5.3 Service Improvement

  • Analysing usage patterns to improve the Service (using aggregated data)
  • Developing new features and functionality
  • Training AI models (using anonymised or synthetic data only)

5.4 Communication

  • Sending service-related communications
  • Responding to enquiries and support requests
  • Marketing communications (with consent)

6. Data Sharing and Disclosure

6.1 Service Providers (Sub-processors)

We engage trusted third-party service providers to help deliver our Service. These include:

  • Cloud Infrastructure: UK-based data centres for hosting and storage
  • Authentication: Microsoft Azure Active Directory for secure user authentication
  • Communication: Email and SMS providers for transactional notifications
  • Payment Processing: PCI-DSS compliant payment processors

All sub-processors are bound by data processing agreements that require them to protect personal data to standards equivalent to our own. A current list of sub-processors is available upon request.

6.2 Legal Disclosures

We may disclose personal data if required by law or if we believe disclosure is necessary to:

  • Comply with legal obligations or valid legal processes
  • Protect our rights, property, or safety
  • Prevent fraud or security threats
  • Respond to emergency situations involving patient safety

6.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, personal data may be transferred. We will provide notice and ensure continued protection of personal data.

6.4 No Sale of Personal Data

We do not sell personal data to third parties. We do not share Patient Data for marketing purposes or with advertisers.

7. International Data Transfers

All Patient Data is stored and processed exclusively within the United Kingdom. We do not transfer Patient Data outside the UK unless:

  • The practice has given explicit written consent
  • Appropriate safeguards are in place (such as Standard Contractual Clauses)
  • The destination country provides adequate protection

Some operational data (such as email communications) may be processed by service providers in countries with adequate data protection or under appropriate safeguards.

8. Data Security

We implement comprehensive technical and organisational measures to protect personal data:

8.1 Technical Measures

  • Encryption: All data encrypted at rest (AES-256) and in transit (TLS 1.3)
  • Access Controls: Role-based access control applying the principle of least privilege
  • Authentication: Multi-factor authentication required for all users
  • Monitoring: Real-time security monitoring and intrusion detection
  • Audit Logging: Comprehensive logs of all data access and modifications
  • Vulnerability Management: Regular security assessments and penetration testing

8.2 Organisational Measures

  • Staff security training and confidentiality agreements
  • Data protection policies and procedures
  • Incident response and breach notification procedures
  • Regular security reviews and audits
  • Vendor security assessments

9. Data Retention

9.1 Patient Data

Patient Data is retained for as long as the medical practice maintains an active account, plus the period required to meet clinical record retention requirements:

  • Adult patient records: Minimum 8 years from last contact
  • Children's records: Until patient's 25th birthday or 8 years after last contact (whichever is longer)
  • Mental health records: 20 years from last contact

The medical practice (as Data Controller) is responsible for determining appropriate retention periods based on their regulatory requirements.

9.2 Account and User Data

  • Active accounts: Retained while the account is active
  • Terminated accounts: Deleted within 90 days, unless retention is required for legal or audit purposes
  • Audit logs: Retained for 7 years for compliance purposes

9.3 Marketing Data

  • Waitlist: Retained until you subscribe or request removal
  • Marketing preferences: Retained until withdrawn

10. Your Rights

10.1 Rights for Practice Users and Website Visitors

Under UK GDPR, you have the following rights regarding your personal data:

  • Access: Request a copy of your personal data
  • Rectification: Request correction of inaccurate data
  • Erasure: Request deletion of your data (subject to legal retention requirements)
  • Restriction: Request restriction of processing
  • Portability: Request your data in a portable format
  • Objection: Object to processing based on legitimate interests
  • Withdraw Consent: Withdraw consent at any time (where processing is based on consent)

To exercise these rights, contact us at [email protected]. We will respond within one month.

10.2 Rights for Patients

If you are a patient whose data is processed through our Service, please contact the medical practice directly to exercise your data protection rights. The practice is the Data Controller for your health data and is responsible for responding to your requests.

We will assist medical practices in fulfilling their obligations to respond to patient requests.

10.3 Right to Complain

You have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire SK9 5AF
Tel: 0303 123 1113
Website: ico.org.uk

11. AI and Automated Processing

11.1 How We Use AI

Our Service includes AI-powered features to assist with administrative tasks. These features:

  • Help staff find available appointments and suggest optimal times
  • Assist with data entry and record management
  • Provide administrative recommendations based on practice workflows

11.2 Human Oversight

All AI actions that would modify Patient Data require explicit human approval. AI does not make autonomous decisions about patient care or treatment.

11.3 AI Training

We do not use Patient Data to train AI models. Any model training uses only anonymised or synthetic data that cannot be linked to real patients.

11.4 Automated Decision-Making

We do not engage in automated decision-making that produces legal or similarly significant effects on individuals without human involvement.

12. Cookies and Tracking

Our website and Service use cookies and similar technologies:

12.1 Essential Cookies

Required for the Service to function, including authentication and security. These cannot be disabled.

12.2 Analytics Cookies

Help us understand how visitors use our website. We use privacy-focused analytics that do not track individuals across sites.

12.3 Managing Cookies

You can manage cookie preferences through your browser settings. Disabling certain cookies may affect Service functionality.

13. Data Breach Procedures

In the event of a personal data breach:

  • We will notify affected medical practices (Data Controllers) within 72 hours of becoming aware of a breach involving Patient Data
  • We will provide information necessary for practices to assess the breach and fulfil their own notification obligations
  • We will notify the ICO directly for breaches where we are the Data Controller, if required
  • We will take immediate steps to contain and remediate the breach

14. Children's Privacy

Our Service may be used by medical practices to manage records for patients of all ages, including children. The medical practice is responsible for:

  • Obtaining appropriate consent for processing children's data
  • Ensuring age-appropriate privacy notices where required
  • Complying with regulations specific to children's health data

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will give notice of material changes via:

  • Email to account administrators
  • Notice within the Service
  • Updated "Last updated" date on this page

Continued use of the Service after changes take effect constitutes acceptance of the updated policy.

16. Contact Us

For questions about this Privacy Policy or to exercise your rights, contact us:

Praxo Ltd
Data Protection Officer
Email: [email protected]
London, United Kingdom

We aim to respond to all enquiries within 5 working days and to formal data protection requests within one month.