Privacy Policy

How Medflow Dynamics Ltd collects, uses, stores, and protects your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

Version 1.0 · Effective 7 September 2025

1. Data Controller

Medflow Dynamics Ltd (Company No. registered in England & Wales) is the Data Controller for personal data collected through this website, marketing activities, and contractual relationships.

Registered Office: Feverells Lodge, Roe End Lane, Markyate, St Albans, AL3 8AQ

Data Protection Officer: Dr Reza Chowdhury
Email: privacy@medflowdynamics.co.uk

For clinical services delivered through the Medflow platform, the GP practice, PCN, or ICB typically remains the Data Controller, with Medflow Dynamics acting as a Data Processor under a formal data processing agreement.

2. Categories of Data We Collect

Website & Sales Data

Name, email address, phone number
Job title and organisation
Enquiry details and correspondence
Website usage data (via cookies, with consent)

Medflow Platform — Staff Data

Role, qualifications, and training records
Rota and availability information
User IDs and audit logs

Medflow Platform — Operational Data

Correspondence metadata
Pathology result metadata
Task and queue data
Protocol settings and compliance evidence

Medflow Platform — Patient Data (Special Category)

Patient data is only collected when configured by the Data Controller (the healthcare organisation). This may include:

NHS number and demographics
Clinical codes and summaries
Results and correspondence
Prescribing requests and recalls

3. Lawful Basis for Processing

Medflow relies on different lawful bases depending on context:

Contract: Processing necessary for the performance of a contract with the customer organisation
Public Task: Processing necessary for the provision of healthcare services in the public interest
Vital Interests: Where necessary to protect the vital interests of a patient
Legitimate Interests: For website analytics, improving our services, and business development (where not overridden by individual rights)
Consent: For marketing communications and optional analytics cookies

For patient data processed through the Medflow platform, the lawful basis is confirmed by the Data Controller (the healthcare organisation) and recorded in a Register of Processing Activities (RoPA).

4. How We Use Your Data

To respond to enquiries and provide customer support
To deliver and maintain the Medflow platform
To manage contracts, billing, and account administration
To improve our services through analytics and user feedback
To send marketing communications (with your consent, which you can withdraw at any time)
To comply with legal and regulatory obligations

5. Data Sharing

Data is shared only when necessary and lawful:

Within Medflow: With trained staff and subcontractors under confidentiality and least-privilege access
Trusted Sub-processors: For hosting, monitoring, email delivery, and support tooling
Legal Requirements: Where required by law, regulation, or court order

All data sharing is governed by controller–processor or processor–sub-processor agreements with UK GDPR terms and confidentiality clauses. Data sharing is limited to defined purposes tied to care delivery, safety, operations, governance, or legal requirements.

6. Data Retention

Website enquiries & sales CRM: Normally retained for 24 months after last meaningful interaction
Contracts & billing: Retained for 7 years due to legal obligations
Platform operational data: Retained per customer contract and retention policy
Patient data: Retention set by the Data Controller (the healthcare organisation)
Audit & security logs: Typically retained for 12–24 months, adjustable for safety and forensics

Data is securely deleted or anonymised when no longer needed for its original purpose.

7. Security Measures

Medflow implements technical and organisational measures aligned to NHS DSPT and DTAC standards, including:

Encryption in transit and at rest with key management
Role-based access control (RBAC) with multi-factor authentication (MFA) and conditional access
Network segregation with vulnerability management, logging, and monitoring
Backups with disaster recovery and business continuity testing
Clinical safety management systems (DCB0129 and DCB0160)
Staff training, confidentiality agreements, and access reviews

8. International Transfers

Medflow primarily processes data within the UK and EEA. If transfer outside the UK/EEA is necessary (for example, via a global support provider), we use:

UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs) with UK Addendum
Transfer risk assessments
Additional safeguards including encryption in transit and at rest, and strict access controls

9. Cookies

Our website uses:

Necessary cookies: Required for the website to function correctly (no consent needed)
Analytics cookies: Optional, used with your consent to help us understand how visitors use our site

You can manage your cookie preferences at any time through the cookie consent controls on our website.

10. Your Rights

Depending on the context and your relationship with us, you may have the following rights under UK GDPR:

Right of access: Request a copy of the personal data we hold about you
Right to rectification: Request correction of inaccurate or incomplete data
Right to erasure: Request deletion of your data where there is no compelling reason for continued processing
Right to restrict processing: Request that we limit how we use your data
Right to object: Object to processing based on legitimate interests or direct marketing
Right to data portability: Request your data in a structured, machine-readable format
Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, please contact us at privacy@medflowdynamics.co.uk.

11. Breach Notification

Medflow maintains comprehensive audit trails and breach notification procedures per UK GDPR Articles 33 and 34. We have documented incident response playbooks for reporting notifiable breaches to the Information Commissioner's Office (ICO) and affected customers without undue delay.

12. Changes to This Policy

We may update this privacy notice from time to time to remain compliant and transparent. Significant changes will be notified via our website or by email. We encourage you to review this page periodically.

13. Contact & Complaints

For questions about this privacy policy or how we handle your data:

Email: privacy@medflowdynamics.co.uk
Post: Privacy, Medflow Dynamics Ltd, Feverells Lodge, Roe End Lane, Markyate, St Albans, AL3 8AQ

If you are not satisfied with our response, you have the right to complain to the Information Commissioner's Office (ICO):

Website: ico.org.uk
Telephone: 0303 123 1113