Privacy Policy

Novamedica Limited (company no. 16437130) trades as "The GP Service" and operates an online marketplace that connects patients with independent healthcare providers. We are the data controller for the personal data described in this notice (except clinical records created by healthcare providers, who act as separate controllers).

Our registered address is The Dock, 75 Exploration Drive, Leicester, England, LE4 5NU. You can contact our Data Protection Officer (DPO) at dpo@thegpservice.co.uk.

We process personal data in line with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. Until any future reforms take effect, these remain the primary UK data-protection laws.

GOV.UK

This policy covers personal data we collect through:

• our website www.thegpservice.co.uk and any related apps or web portals;
• phone, email or live-chat interactions with our support team; and
• business operations (e.g. provider onboarding, finance, marketing).

It does not cover clinical notes, prescriptions or diagnostic records generated by healthcare providers. Those providers are independent controllers and will issue their own privacy notices.

*UK GDPR Articles 6 (1)(a)–(f). Where we process special-category data (e.g. health information) the additional condition is Article 9 (2)(h) (healthcare), (c) (vital interests) or (a) (explicit consent).

• Healthcare providers you select (to deliver care).
• Payment processors (card schemes, PSPs) to take fees.
• Cloud hosting and IT suppliers (ISO 27001-certified).
• Staff and contractors in the UK, Sri Lanka and other approved locations (see Section 7).
• Regulators, insurers, professional advisers or law-enforcement agencies where required by law or to defend legal claims.
• Successors if all or part of our business is merged, sold or reorganised (you will be notified in advance where legally required).

We never sell your personal data.

Novamedica runs a global operations model. Some authorised employees, contractors and sub-processors are based outside the UK/EEA, including in Sri Lanka. Whenever personal data is accessed from, or processed in, such locations we rely on:

• the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, or any replacement mechanism approved by the UK Information Commissioner's Office (ICO);
• strong technical and organisational measures (encryption in transit and at rest, least-privilege access, MFA, continuous monitoring); and
• rigorous supplier due-diligence and annual audits.

By using our Services you acknowledge and consent to these safeguarded international transfers.

We will then delete or irreversibly anonymise the data unless longer retention is required by law or to defend legal rights.

We employ industry-standard safeguards, including:

• TLS 1.3 encryption for data in transit
• AES-256 encryption for data at rest
• Zero-trust architecture with strict RBAC
• Annual penetration testing and 24/7 intrusion monitoring
• GDPR-compliant incident-response and breach-notification procedures

Subject to legal conditions, you can:

• Request access to your data.
• Request correction of inaccurate data.
• Request erasure ("right to be forgotten").
• Request restriction of processing.
• Object to processing based on legitimate interests or direct marketing.
• Receive data in a portable format.
• Withdraw consent at any time (does not affect past processing).
• Lodge a complaint with the UK Information Commissioner's Office (ICO).

To exercise any right, email dpo@thegpservice.co.uk. We aim to respond within one month.

We use essential, analytical and marketing cookies. For full details (including individual cookie lifespans and how to change your preferences) please see our separate Cookie Policy.

Our platform is intended for users aged 18 or over. We do not knowingly collect data from children. Parents or guardians who believe a child has provided us with personal data should contact us to request deletion.

We may update this Privacy Policy occasionally to reflect changes in our services, legal obligations or best practice. Any significant changes will be notified via email or an in-app banner. Please check this page for the latest version.