Privacy Policy

1. Information We Collect

We collect different kinds of personal data from different sources. This may include:

a) Data you provide directly

Registration data: name, email address, phone number, job title/role, organisation.

Payment & billing data: payment method, billing address, transaction history.

Profile data: where relevant, settings you configure, preferences, usage choices.

Content / User-generated data: anything you upload or enter into the system (documents, communications, patient data or case data, notes, messages) if your use involves those.

b) Data from usage

Log data: information about your activity on the Services — pages accessed, time spent, features used.

Device & technical data: IP address, browser type/version, operating system, device type, time/date stamps.

Cookies and tracking technologies: cookies, web beacons, pixel tags relating to usage analytics, performance, marketing.

c) Data from third parties

If you integrate with third-party services (e.g. payment processors, analytics tools, external APIs), data coming through those integrations.

If you allow import of data from other services.

Marketing data from partners, if you agree.

2. Legal Basis for Processing

Under the UK GDPR / Data Protection Act 2018, we rely on one or more of the following legal bases:

Performance of a contract: to provide, maintain and deliver the Services.

Legitimate interests: for internal business purposes, analytics, improving our product, fraud prevention, ensuring security.

Consent: where we ask for your consent (e.g. for marketing communications, non-essential cookies).

Legal obligation: when required by law.

3. How We Use Your Data

We use personal data for the following purposes:

To create and manage your account and subscription.

To process payments and billing.

To provide, maintain, and improve the Services.

To communicate with you (customer support, updates, notices).

To perform analytics, monitoring, and performance measurement.

To send marketing or promotional communications (where permitted / consented).

To enforce our Terms & Conditions, and to detect / prevent fraud or misuse.

To comply with legal obligations.

4. Sharing Your Data

We may share personal data with:

Service providers / partners who help us deliver the Services (payment processors, hosting providers, email & messaging providers, analytics).

Affiliates or subsidiaries, if relevant for corporate structure.

Law enforcement, regulators or authorities when required by law or to protect rights or safety.

Business transfers: if we are acquired, merge, or sell assets, data may be transferred as part of that.

We do not sell your personal data.

5. International Data Transfers

Some of our processing partners or infrastructure may be located outside the UK / EEA. When personal data is transferred outside the UK/EEA:

We ensure adequate protections, such as standard contractual clauses (SCCs), binding corporate rules, or other lawful mechanisms.

Data is transferred only to jurisdictions with equivalent or acceptable protections, or with your consent where needed.

6. Data Retention

We retain your personal data only as long as necessary to fulfil the purposes described, including to comply with legal, accounting, or reporting obligations.

When the data is no longer needed, we will securely delete or anonymise it.

Retention periods may vary depending on:

The type of data (billing data may be kept longer for financial / tax laws).

Whether there's an ongoing contractual relationship.

7. Security

We take appropriate technical and organisational measures to protect your personal data from unauthorised access, loss, misuse, alteration or destruction, including but not limited to:

Encryption in transit (e.g. via HTTPS) and at rest where feasible.

Access controls, limiting who in our organisation can see or process certain data.

Regular security reviews, audits, and monitoring.

Secure infrastructure via trusted providers.

However, no system is completely secure. We cannot guarantee absolute security of all data.

8. Your Rights

Under UK GDPR / Data Protection Act you have certain rights regarding your personal data. These include:

Right of Access – you can request a copy of what data we hold about you.

Right to Rectification – you can ask us to correct inaccurate or incomplete data.

Right to Erasure (“right to be forgotten”) – in certain circumstances you can ask us to delete data.

Right to Restrict Processing – to limit how we use your data in certain cases.

Right to Data Portability – obtain and re-use your data across services.

Right to Object – to certain processing (e.g. for marketing).

Right to withdraw consent – where processing is based on your consent.

To exercise your rights, contact us using the details below. We may ask you to verify your identity.

You also have the right to lodge a complaint with the Information Commissioner’s Office (ICO) or other relevant supervisory authority if you believe we have mishandled your data.

9. Cookies & Tracking Technologies

We use cookies and similar technologies to:

Enable core functionality.

Improve user experience.

Analyse usage and performance.

Serve marketing / advertising where applicable.

You will be presented with a cookie notice / banner (or similar) when you first visit, giving you the option to accept or manage non-essential cookies. Our Cookie Policy provides more details.

10. Children & Sensitive Personal Data

If applicable, we do not knowingly collect personal data from children under [16 / 13 depending on jurisdiction]. If you believe we have, contact us to have it deleted.

We may process sensitive personal data (health-related, patient data) only where necessary and where we have an appropriate legal basis, always ensuring special protections under applicable law.

11. Updates to this Policy

From time to time we may update this Privacy Policy. When we do, we will:

Provide the date of last update.

Notify users of material changes (by email or via notice in the Services).

Make the updated policy available via our website.

Continued use of the Services after the changes constitutes acceptance of the updated policy (if legally permitted).

12. Contact Us

If you have any questions, concerns, or requests about this Privacy Policy or our data practices, please contact:

Practice Autopilot Ltd

830 Newport Road Cardiff CF3 4LH

[email protected]

02922600900

You may also contact our Data Protection Officer:

Damian Murray

830 Newport Road Cardiff CF3 4LH

[email protected]

02922600900

Practice Autopilot Ltd is the Data Controller for your personal data under UK GDPR.

  • Practice Autopilot Ltd

830 Newport Road Cardiff CF3 4LH
Registered England & Wales
Company number 13889944

Copyright 2025. Practice Autopilot™. All Rights Reserved.
