Privacy Policy - HealSuite

Medical Directory Limited (“we”, “us”, “our”) is a UK-based company providing HealSuite AI, an integrated Electronic Patient Record (EPR), Customer Relationship Management (CRM), and billing software platform.

We are committed to protecting personal and special category (health) data in compliance with:

UK General Data Protection Regulation (UK GDPR)
Data Protection Act 2018
Health Insurance Portability and Accountability Act (HIPAA) – where applicable to U.S.users
NHS Data Security & Protection Toolkit (DSPT)
ISO/IEC 27001:2022 – Information Security Management

1. Data Controller and Contact

Data Controller: Medical Directory Limited (trading as HealSuite AI)
Company Registration: England and Wales | Company No: [Insert]
Registered Address: 85 Great Portland Street, First Floor, London, W1W 7LT, UK
Data Protection Officer (DPO): [Insert Name/Email]
Contact: info@heal-private.com | +44 (0)203 538 8014

2. Scope of This Policy

This Privacy Policy applies to:

Users of the HealSuite AI platform (patients, clinicians, admin staff, partners)
Visitors to our website and mobile apps
APIs, integrations, and AI-powered decision support tools
Patient portals and professional dashboards

We will also share your personal information:

3. What Data We Collect

A. Special Category (Health) Data

Patient identifiers (e.g., name, DOB, NHS number)
Clinical notes, diagnoses, prescriptions, allergies
Test results, imaging, referrals, treatment history
Insurance, invoicing, and payment details

B. Professional & Operational Data

Usernames, credentials, registration numbers
Access control logs, role-based permissions
CRM interaction logs (calls, emails, follow-ups)
Billing, reconciliation, and audit records

C. Technical & Website Data

IP addresses, browser/device type, session metadata
AError logs and diagnostic information
Website visitor analytics (cookies, traffic logs, referral sources)
Cookies include essential, functional, and analytics. Users may disable cookies via browser settings.

4. How We Use Data

We process data for:

Provision of healthcare record management
CRM, billing, and operational support
Patient portal services (appointments, communications, test results)
Security, fraud prevention, and audit logging
Regulatory and legal compliance
Service improvement, analytics, and platform optimisation

5. Legal Basis for Processing

Contractual necessity (platform services to healthcare providers)
Legal obligations (clinical record-keeping, NHS/DSPT compliance)
Vital interests (urgent healthcare provision)
Consent (optional features, marketing communications)
Legitimate interests (platform analytics, fraud detection)

Special category (health) data is processed in compliance with Article 9 UK GDPR and Section 11 of the Data Protection Act 2018.

6. Patient Portal & User Rights 5. Legal Basis for Processing

Patients and users may:

Access and download personal records
Correct or update inaccurate data
Request account deactivation or deletion (where legally possible)
Restrict or object to certain processing
Request data portability (transfer to another provider)
Withdraw consent for optional features or marketing

Requests can be made via the portal or by emailing info@heal-private.com

7. NHS DSPT & UK Compliance

We maintain full compliance with the NHS Data Security & Protection Toolkit, including:

Annual DSPT submissions
Caldicott Principles adherence
Secure NHS mail usage (@nhs.net)
Contracts with processors and subprocessors (DPA compliant)

8. HIPAA (U.S. Users)

For U.S. providers/patients, we comply with HIPAA, including:

Business Associate Agreements (BAAs) where required
Minimum necessary access controls
De-identification of data (45 CFR §164.514)
Breach notifications and audit logs

9. Security Standards (ISO/IEC 27001)

We operate an Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022, including:

AES-256 encryption at rest, TLS 1.2+ in transit
Multi-factor authentication and role-based access
Daily encrypted backups and disaster recovery
Endpoint protection, penetration testing, vulnerability scanning
Continuous monitoring and audits

10. Data Sharing & Subprocessors

We share data only with trusted partners essential to service delivery:

NHS trusts or authorised healthcare professionals
Hosting and infrastructure providers (ISO 27001 certified)
Payment processors (PCI-DSS certified)
AI model developers (DPA and confidentiality bound)

International transfers (outside UK/EEA) are protected via:

UK Addendum to Standard Contractual Clauses (SCCs)
Transfer Risk Assessments (TRAs)
Encryption and other supplementary safeguards

A current list of subprocessors is available on request.

11. Google API Integrations

When using Google APIs (e.g., Calendar, Gmail):

Access is limited to specific requested data
Use complies with the Google API Services User Data Policy and Limited Use requirements
No Google API data is sold or used for unrelated purposes

12. Data Retention

Clinical and billing data: retained in line with NHS records management and statutory healthcare retention standards
Account and CRM data: retained for the duration of the service plus statutory requirements
Website analytics data: retained in anonymised form for no longer than 24 months

13. Children’s Data

We only process children’s data where legally required for care provision and with guardian/parental consent, in line with NHS safeguarding standards.

14. Breach Notification

If a data breach occurs, we will notify affected Controllers (clinics/customers) and regulators within required legal timeframes (24–72 hours under UK GDPR).

15. Updates to This Policy

We may update this policy periodically. Significant changes will be communicated by email or platform notification.

16. Contact Information

Medical Directory Limited (trading as HealSuite AI)
85 Great Portland Street, First Floor
London, W1W 7LT, UK
info@heal-private.com | +44 (0)203 538 8014