Privacy Policy

Last updated: 23 December 2025

Your privacy is important to us. This policy explains how SkinWell collects, uses, and protects your personal data in compliance with the UK GDPR and the Data Protection Act 2018.

1. Who We Are

Data Controller: The MedTech Incubator LTD - 16240488 (trading as SkinWell)

ICO Registration Number: Available Soon

Contact:
Email: info@skinwell.uk
Address: 1st Floor, 21 Poland Street, London, United Kingdom, W1F 8QG
Data Protection Officer: dpo@skinwell.uk

SkinWell is a teledermatology platform that connects patients with GMC-registered practitioners through secure video consultations, AI-powered assessments, and medication delivery services.

2. Personal Data We Collect

2.1 Account and Identity Information

  • Full name, date of birth, gender
  • Email address, phone number and password (encrypted)
  • NHS number (if provided)
  • Postal address for medication delivery
  • Profile photo (optional)

2.2 Medical and Health Information

  • Medical history, current medications (if needed), and allergies
  • Skin condition descriptions and symptoms
  • Photographs of affected skin areas
  • Consultation notes and clinical assessments
  • Prescriptions and treatment plans
  • AI analysis results and diagnostic support data
  • GP practice information

2.3 Payment and Billing Information

  • Payment card details (processed by Stripe - we don't store full card numbers)
  • Billing address
  • Transaction history and invoices
  • Insurance information (if applicable)

2.4 Technical and Usage Data

  • IP address, browser type, device information
  • App usage data and feature interactions
  • Cookies and similar tracking technologies
  • Login times and session duration
  • Diagnostic and crash reports

2.5 Communications Data

  • Messages exchanged with dermatologists and support staff
  • Customer service enquiries and correspondence
  • Feedback, reviews, and survey responses
  • Notification preferences

3. Legal Basis for Processing

Contract Performance (Article 6(1)(b) GDPR)

Processing necessary to provide our teledermatology services, consultations, prescriptions, and medication delivery as agreed in our Terms of Service.

Legal Obligation (Article 6(1)(c) + Article 9(2)(h) GDPR)

Healthcare providers must maintain medical records for regulatory compliance, including CQC regulations, MHRA requirements, GMC standards, and NHS Digital guidelines.

Vital Interests (Article 9(2)(c) GDPR)

In emergencies where patient health requires immediate action and consent cannot be obtained.

Medical Purposes (Article 9(2)(h) GDPR)

Processing health data for medical diagnosis, healthcare provision, treatment management, and healthcare system management by qualified healthcare professionals.

Explicit Consent (Article 9(2)(a) GDPR)

For specific processing activities including AI analysis, marketing communications, consultation recordings, and research participation (always optional and withdrawable).

Legitimate Interests (Article 6(1)(f) GDPR)

For service improvement, fraud prevention, security measures, and business analytics (with appropriate safeguards and balancing of interests).

4. How We Use Your Data

4.1 Clinical Services

  • Facilitating video consultations with dermatologists
  • AI-powered preliminary skin condition analysis
  • Creating and maintaining electronic medical records
  • Issuing prescriptions and coordinating medication delivery
  • Follow-up care and treatment monitoring
  • Sharing relevant information with your GP (with consent)
  • Referrals to specialists when necessary

4.2 Platform Operations

  • Account management and authentication
  • Appointment scheduling and reminders
  • Processing payments and managing subscriptions
  • Customer support and enquiry handling
  • Sending transactional notifications (appointment confirmations, prescription updates)
  • Technical support and troubleshooting

4.3 Safety and Compliance

  • Regulatory compliance (CQC, MHRA, ICO)
  • Clinical governance and quality assurance
  • Fraud detection and prevention
  • Security monitoring and threat prevention
  • Safeguarding and patient safety protocols
  • Audit trails for clinical and regulatory purposes

4.4 Service Improvement

  • Improving AI diagnostic algorithms (with pseudonymized data)
  • Platform analytics and user experience optimization
  • Quality monitoring and clinical outcome analysis
  • Research and development (with appropriate consent)

4.5 Marketing (With Consent)

  • Promotional emails about services and features
  • Educational content about skin health
  • Service updates and improvements
  • You can opt out at any time via email preferences

5. Who We Share Your Data With

5.1 Healthcare Providers

  • Dermatologists: GMC-registered practitioners providing your care
  • Your GP: With your explicit consent for care coordination
  • Pharmacies: For prescription fulfillment and medication delivery
  • Specialist Referrals: When your condition requires additional expertise

5.2 Essential Service Providers

  • Cloud Hosting: AWS (UK/EU data centers) for secure data storage
  • Payment Processing: Stripe for secure payment handling
  • Video Platform: NHS-approved video consultation provider
  • Email Services: For transactional and service emails
  • SMS Provider: For appointment reminders and notifications
  • Courier Services: For medication delivery (address only)

All service providers are bound by Data Processing Agreements compliant with Article 28 GDPR.

5.3 Regulatory and Legal Authorities

  • CQC: For healthcare quality inspections
  • MHRA: For medication safety reporting
  • ICO: If required for data protection investigations
  • NHS Digital: For national healthcare statistics (anonymized)
  • Law Enforcement: When legally required by court order
  • GMC: For professional conduct matters

5.4 Business Partners (With Consent)

  • Analytics Providers: Google Analytics (anonymized data only)
  • Customer Support: For handling enquiries and technical support
  • Insurance Companies: If you're claiming through insurance

5.5 Who We Never Share With

We will never sell your personal or health data to third parties. We do not share your data with advertisers or marketing companies without your explicit consent.

6. How Long We Keep Your Data

Medical Records

  • Adult Records: 8 years after last consultation (NHS standard)
  • Child Records: Until age 25, or 8 years after last contact, whichever is longer
  • Maternity Records: 25 years
  • Prescription Data: 2 years minimum (MHRA requirement)

Account and Transaction Data

  • Account Information: Duration of account plus 2 years
  • Payment Records: 7 years (tax and accounting requirements)
  • Marketing Consents: Until withdrawn or 3 years of inactivity

Technical Data

  • Cookies: As specified in cookie settings (up to 24 months)
  • Server Logs: 90 days
  • CCTV (if applicable): 30 days

Account Deletion

When you delete your account, we archive medical records as required by law but immediately remove marketing data and non-essential personal information. Your account becomes inaccessible, but legal retention requirements for medical records remain in effect.

7. Your Rights Under UK GDPR

Right to Access (Subject Access Request)

Request a copy of all personal data we hold about you. We will respond within 30 days. Access your data via your account dashboard or contact privacy@skinwell.co.uk.

Right to Rectification

Correct inaccurate personal data via your account settings or contact us. Medical records require verification for clinical safety.

Right to Erasure ("Right to be Forgotten")

Request deletion of your data. Important: Medical records must be retained for legal and regulatory periods even after account deletion. Non-essential data will be deleted immediately.

Right to Restrict Processing

Request that we limit how we use your data in certain circumstances, such as during disputes or verification of accuracy.

Right to Data Portability

Receive your data in a machine-readable format (CSV/JSON) or request transfer to another provider where technically feasible.

Right to Object

Object to processing based on legitimate interests, direct marketing, or research purposes. Marketing opt-outs are always honored immediately.

Rights Related to Automated Decision-Making

Our AI analysis is for preliminary assessment only. All clinical decisions are made by qualified dermatologists. You have the right to human review of any AI-generated assessment.

Right to Withdraw Consent

Withdraw consent for specific processing activities (marketing, AI analysis, recordings) at any time via account settings or by contacting us. This does not affect processing based on other legal grounds.

How to Exercise Your Rights

  • Email: privacy@skinwell.co.uk
  • Account Dashboard: Privacy & Data Settings
  • Post: Data Protection Officer, [Company Address]

We will respond within 30 days (extendable to 90 days for complex requests). We may require identity verification to protect your data.

8. How We Protect Your Data

Technical Security Measures

  • Encryption: AES-256 encryption at rest, TLS 1.3 in transit
  • Infrastructure: NHS-compliant cloud hosting (AWS UK/EU regions)
  • Authentication: Multi-factor authentication for practitioners
  • Network Security: Firewalls, intrusion detection, DDoS protection
  • Database Security: Encrypted databases with access controls
  • Secure Video: End-to-end encrypted consultations
  • Vulnerability Management: Regular security testing and patching

Organizational Security Measures

  • Access Controls: Role-based access, need-to-know principle
  • Staff Training: Mandatory data protection and information governance training
  • Confidentiality Agreements: All staff and contractors sign NDAs
  • Audit Logging: Comprehensive activity logs for accountability
  • Incident Response: 24/7 security monitoring and breach protocols
  • Backup and Recovery: Daily encrypted backups with disaster recovery plans
  • Compliance Certifications: ISO 27001, Cyber Essentials Plus

Clinical Governance

  • CQC-registered service with regular inspections
  • Clinical audit and quality assurance procedures
  • GMC-compliant medical record keeping
  • Caldicott principles for information sharing

Data Breach Procedures

In the unlikely event of a data breach, we will notify the ICO within 72 hours (if required) and affected individuals without undue delay. We have incident response plans and cyber insurance in place.

9. International Data Transfers

Your data is primarily stored and processed in the United Kingdom. Where we use service providers located outside the UK/EU, we ensure adequate protection through:

  • UK Adequacy Decisions: Transfers to countries with equivalent data protection
  • Standard Contractual Clauses (SCCs): UK ICO-approved contract terms
  • Adequacy Assessments: Transfer Impact Assessments for all international data flows
  • Vendor Compliance: All international vendors must meet UK GDPR standards

Current International Transfers:

  • Email services (Sendgrid - US, protected by SCCs)
  • Analytics (Google Analytics - anonymized data only)
  • Customer support (Zendesk - EU data residency option)

Medical data remains in UK/EU data centers only.

10. Cookies and Tracking Technologies

Strictly Necessary Cookies

Essential for the platform to function. Cannot be disabled.

  • Session authentication and security tokens
  • Load balancing and performance routing
  • Security and fraud prevention

Functional Cookies

Enable enhanced features and personalization.

  • User preferences and settings
  • Language selection
  • Accessibility settings

Analytics Cookies (With Consent)

Help us understand how users interact with the platform.

  • Google Analytics (anonymized IP addresses)
  • Page view tracking
  • Feature usage statistics

Marketing Cookies (With Consent)

Used to deliver relevant advertising and measure campaign effectiveness.

  • Retargeting pixels (if enabled)
  • Conversion tracking
  • Third-party advertising (opt-in only)

Managing Cookie Preferences

You can manage cookie preferences through:
  • Cookie consent banner on first visit
  • Account Settings → Privacy → Cookie Preferences
  • Browser settings (may affect functionality)

Mobile App Data Collection

Our mobile app may collect:

  • Device identifiers (for authentication)
  • App usage analytics
  • Crash reports (for debugging)
  • Push notification tokens
  • Location data (only with explicit permission)

Manage app permissions through your device settings.

11. Children's Privacy

Under 18s: SkinWell can provide services to patients under 18 with parental/guardian consent. The account holder must be over 18.

Under 13s: All processing requires explicit parental consent. We may request verification of parental authority.

Gillick Competence: In accordance with UK law, we may provide confidential services to children deemed competent to consent to treatment without parental knowledge, following GMC guidelines.

Safeguarding: We have robust safeguarding procedures. If we identify child protection concerns, we may need to breach confidentiality and contact appropriate authorities.

Data Retention: Children's medical records are retained until age 25 or 8 years after last contact, whichever is longer (NHS standard).

12. AI-Powered Analysis

How AI is Used: SkinWell uses AI to provide preliminary analysis of skin condition photos to assist dermatologists. AI does not make final diagnoses or treatment decisions.

Human Oversight: Every case is reviewed by a qualified GMC-registered dermatologist. You have the right to request that decisions are not based solely on automated processing.

Consent: AI analysis requires your explicit consent, which can be withdrawn at any time without affecting your access to human practitioner consultations.

Transparency: When AI is used in your care, you will be informed. AI-generated assessments are clearly marked in your consultation notes.

Training and Improvement: With your consent, anonymized/pseudonymized data may be used to improve AI algorithms. You can opt out of this at any time.

Bias Mitigation: We regularly audit our AI systems for fairness and bias across diverse populations and skin types.

13. Third-Party Services and Links

Our platform may contain links to third-party websites, services, or apps:

  • Pharmacy partners for medication delivery
  • NHS websites for additional information
  • Medical information resources
  • Payment processors

Important: We are not responsible for the privacy practices of third-party websites. Please review their privacy policies before providing personal information. This privacy policy applies only to SkinWell services.

14. GP Communication and NHS Integration

GP Sharing: We can share consultation summaries and treatment plans with your GP to ensure coordinated care. This requires your explicit consent and can be managed in your account settings.

What We Share (when authorized):

  • Diagnosis and treatment plan
  • Prescriptions issued
  • Follow-up recommendations
  • Relevant medical history updates

NHS Spine Access: We do not currently connect to NHS Spine but may implement this in future with appropriate patient consent and technical safeguards.

Referrals: If we refer you to NHS services, we will share relevant clinical information with your consent.

15. Changes to This Privacy Policy

We may update this privacy policy to reflect:

  • Changes in laws or regulations
  • New features or services
  • Improved data protection practices
  • Feedback from regulators or audits

Notification: We will notify you of material changes via:

  • Email to your registered address
  • In-app notification
  • Prominent notice on our website

Your Rights: If you disagree with changes, you have the right to close your account (subject to medical record retention requirements).

Version History: Previous versions of this policy are available upon request.

16. Complaints and Regulatory Contact

Contact Us First

If you have concerns about how we handle your data:

  • Data Protection Officer: dpo@skinwell.co.uk
  • Privacy Team: privacy@skinwell.co.uk
  • Post: Data Protection Officer, [Company Address]
  • Phone: [Privacy Team Number]

We will investigate and respond within 30 days.

Information Commissioner's Office (ICO)

You have the right to lodge a complaint with the UK data protection regulator:

Website: https://ico.org.uk

Helpline: 0303 123 1113

Address:
Information Commissioner's Office
Wycliffe House, Water Lane
Wilmslow, Cheshire
SK9 5AF

Clinical Complaints

For complaints about clinical care quality:

  • Care Quality Commission (CQC): 03000 616161
  • General Medical Council (GMC): For concerns about individual practitioners
  • MHRA: For medication safety concerns

17. Glossary of Terms

Personal Data

Any information relating to an identified or identifiable individual.

Special Category Data

Sensitive personal data including health information, requiring enhanced protection under GDPR.

Data Controller

The organization that determines how and why personal data is processed (SkinWell).

Data Processor

Third-party organizations that process data on behalf of the controller (e.g., cloud hosting providers).

Pseudonymization

Processing data so it can no longer be attributed to a specific individual without additional information.

Anonymization

Irreversibly removing identifying information so individuals cannot be identified.

Data Breach

Unauthorized access, loss, or disclosure of personal data.

UK GDPR

UK General Data Protection Regulation - the UK's version of GDPR post-Brexit.

DPA 2018

Data Protection Act 2018 - supplements UK GDPR with additional UK-specific provisions.

Contact Information

For Privacy and Data Protection Matters:
Email: privacy@skinwell.co.uk
Data Protection Officer: dpo@skinwell.co.uk
Phone: [Privacy Team Number]

For General Enquiries:
Email: support@skinwell.co.uk
Phone: [Support Number]
Live Chat: Available in app and website

Registered Address:
MedTech Inc (trading as SkinWell)
[Company Address]
Company Number: [Companies House Number]
ICO Registration: [ICO Registration Number]
CQC Registration: [CQC Registration Number]
