Privacy Policy

Last updated: 26 May 2026

1. Introduction

MediFlow ("we", "our", or "us") is committed to protecting and respecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our medical scheduling application.

We comply with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable data protection laws.

For any privacy-related queries, please contact us at kieran@mediflowgroup.co.uk

2. Information We Collect

We collect the following categories of personal data:

2.1 Staff Information

  • Name, email address, and contact details
  • Employment role and work schedule
  • Home address (for route planning)
  • Check-in/check-out times and location data
  • Mileage records for reimbursement

2.2 Patient Information (Special Category Data)

  • Name, NHS number, date of birth
  • Address and contact information
  • Medical conditions and care needs
  • Treatment notes and assessments
  • Next of kin details
  • Visit history and care documentation

3. Legal Basis for Processing

We process personal data under the following legal bases:

  • Contract: To fulfil our employment contracts with staff
  • Legal Obligation: To comply with healthcare regulations and NHS requirements
  • Vital Interests: To protect patient health and safety
  • Legitimate Interests: For operational efficiency and service improvement
  • Explicit Consent: For processing special category health data

4. How We Use Your Information

  • Schedule and manage patient visits
  • Plan efficient travel routes for care staff
  • Track and reimburse staff mileage
  • Maintain patient care records and documentation
  • Send notifications about schedule changes
  • Generate reports for operational management
  • Comply with NHS and CQC requirements

5. Data Sharing

We may share your data with:

  • NHS and Healthcare Partners: As required for patient care continuity
  • Regulatory Bodies: CQC, ICO, and other authorities as required by law
  • Service Providers: Cloud hosting (encrypted), email services (for notifications)
  • Emergency Services: When necessary to protect vital interests

We do not sell your personal data to third parties.

6. Data Retention

We retain personal data for the following periods:

  • Patient Records: 8 years after last treatment (NHS guidance)
  • Staff Employment Records: 6 years after employment ends
  • Mileage/Financial Records: 7 years (HMRC requirements)
  • Audit Logs: 3 years

7. Your Rights (GDPR)

Under UK GDPR, you have the right to:

  • Access: Request a copy of your personal data
  • Rectification: Correct inaccurate personal data
  • Erasure: Request deletion of your data (where legally permissible)
  • Restriction: Limit how we use your data
  • Portability: Receive your data in a portable format
  • Object: Object to certain processing activities
  • Withdraw Consent: Where processing is based on consent

To exercise these rights, please contact us at kieran@mediflowgroup.co.uk or use the data export/deletion features in your account settings.

8. Data Security

We implement appropriate security measures including:

  • Encryption of data in transit (TLS/HTTPS) and at rest
  • Secure password hashing (bcrypt)
  • Role-based access control
  • Regular security audits and monitoring
  • Staff training on data protection
  • Audit logging of data access

9. Cookies

We use essential cookies for authentication and session management. We also use localStorage to save your preferences (e.g., dark mode setting). These are necessary for the application to function and do not track you across websites.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

11. Complaints

If you have concerns about how we handle your data, please contact us first at kieran@mediflowgroup.co.uk. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO):

Information Commissioner's Office

Website: ico.org.uk

Helpline: 0303 123 1113
