
1. Who We Are (Data Controller / Processors)

  • Data Controller (website, marketing, contracts): Medflow Dynamics Ltd, Registered office: Feverells Lodge, Roe End Lane, Markyate, St Albans, AL3 8AQ

  • Data Controller (clinical services): Typically the GP practice/PCN/ICB remains the Data Controller; Medflow acts as a Data Processor. Roles are defined in the contract and Data Processing Agreement (DPA)

  • Data Protection Officer (DPO): Dr Reza Chowdhury, Email: info@medflowdynamics.co.uk

  • Clinical Safety Officer (DCB0129/0160): Dr Reza Chowdhury, Email: info@medflowdynamics.co.uk

  • Contact: privacy@medflowdynamics.co.uk; Postal: Privacy, Medflow Dynamics Ltd, Feverells Lodge, Roe End Lane, Markyate, St Albans, AL3 8AQ

2. What Data We Collect

 We collect only what is needed for clear purposes. Categories may include:

   A. Website & Sales

  • Identification and contact: name, email, phone, job title, organisation 

  • Usage data: pages viewed, device, IP address (short‑term), referrer, session telemetry

  • Marketing: preferences and event registrations

  B. Medflow Platform (Practice Operations)

  • Staff data: role, qualifications, training, rota/availability, user IDs, audit logs

  • Operational data: correspondence metadata, pathology result metadata, task/queue data, protocol settings, compliance evidence

  • Patient data (special category): Only when configured: NHS number, demographics, clinical codes/summaries, results, correspondence, prescribing requests, recalls. Access is role‑based and minimised

  C. Support & Security

  • Tickets, call recordings (where lawful), error logs, access logs, audit trails, security telemetry

  • We do not intentionally collect children's data via the public website

Compliance & Certifications

  • GDPR: Compliant

  • HIPAA: Compliant

  • ISO 27001: Certified

  • NHS DSP Toolkit

Privacy Notice & Data Sharing Policy

Medflow Dynamics Ltd — We are a GP‑led UK healthtech company. We respect patient confidentiality and protect personal data in line with UK GDPR, DPA 2018, NHS DSP Toolkit, DTAC, and Caldicott Principles.

3. Sources of Data

  • You: web forms, emails, events, procurement portals

  • Your organisation: onboarding files, configuration exports

  • NHS systems and vendors: only under contract/integration agreements and customer instruction

  • Automated collection: cookies and similar technologies (see Cookie Notice)

4. Purposes & Lawful Bases

  • We rely on different lawful bases depending on context. Key examples are below.

  • Purpose: Website enquiries, demos, events. Typical data: Contact details, organisation. Lawful basis: Legitimate interests to respond and manage B2B sales; Consent where required for marketing

  • Purpose: Account creation & authentication. Typical data: Name, email, organisation, role. Lawful basis: Contract (to provide services); Legitimate interests (security)

  • Purpose: Delivering platform features for practices. Typical data: Staff & patient data per module. Lawful basis: Contract (with customer) and Public task/Vital interests/Legitimate interests as determined by the Controller; Medflow acts as Processor

  • Purpose: Safety, audit & clinical risk management. Typical data: User actions, audit logs. Lawful basis: Legal obligation (DCB0129/0160), Legitimate interests (safety & quality)

  • Purpose: Billing & compliance. Typical data: Organisation & finance contacts. Lawful basis: Legal obligation, Contract

  • Purpose: Service analytics (product improvement). Typical data: Pseudonymised usage data. Lawful basis: Legitimate interests with safeguards and opt‑outs where applicable

  • Purpose: Security & fraud prevention. Typical data: IP, access logs, telemetry. Lawful basis: Legitimate interests; Legal obligation

  • Purpose: Marketing communications. Typical data: Email, preferences. Lawful basis: Consent (opt‑in); unsubscribe anytime

  • We do not use patient data for marketing or unrelated analytics. We do not sell personal data.

5. Special category & criminal data

Where clinical modules are used, special category data (health) may be processed under Article 9(2) of UK GDPR as determined by the Controller (e.g., provision of health/social care). Medflow’s DPA ensures appropriate safeguards (encryption, access control, audit, retention limits). We do not routinely process criminal convictions data.

6. Automated decision‑making & profiling

Medflow modules use decision support, rules, and AI‑assisted automation with human oversight. We do not carry out solely automated decisions producing legal or similarly significant effects about individuals without a human in the loop. Customers can configure thresholds, approval steps, and audit trails.

7. Sharing & recipients

We share data only when necessary and lawful:

  • Within Medflow: trained staff and subcontractors under confidentiality and least‑privilege access.

  • Sub‑processors: trusted vendors for hosting (e.g., UK/EU cloud regions), monitoring, email delivery, support tooling. A current list is maintained at /subprocessors.

  • Integrations: EMIS, SystmOne, Vision and other NHS systems, strictly under customer instruction and approved routes (e.g., IM1 Pairing, GP Connect).

  • Legal & safety: regulators, auditors, insurers, legal advisors, or law enforcement where required by law.

We require contracts and DPAs with all recipients and audit them proportionately (DSPT/DTAC alignment).

8. International transfers

We prefer UK/EEA data residency. If transfer outside the UK/EEA is necessary (e.g., global support provider), we use UK IDTA or EU SCCs with UK Addendum, plus transfer risk assessments and additional safeguards (encryption in transit/at rest, access controls).

9. Retention

We keep data only as long as needed:

  • Website enquiries & sales CRM: normally 24 months after last meaningful interaction.

  • Contracts & billing: 7 years (legal obligation).

  • Platform operational data: per customer contract/retention policy; patient data retention is set by the Controller.

  • Audit & security logs: typically 12–24 months, adjustable for safety/forensics.

Data is securely deleted or anonymised when no longer needed.

10. Security

We implement technical and organisational measures aligned to NHS DSPT and DTAC, including:

  • Encryption in transit and at rest; key management.

  • Role‑based access control, MFA, conditional access.

  • Network segregation, vulnerability management, logging & monitoring.

  • Backups, disaster recovery, and business continuity testing.

  • Clinical safety management system (DCB0129 manufacturer / DCB0160 deployment).

  • Staff training, confidentiality, and access reviews.

11. Your rights (data subjects)

Depending on the context, you may have rights of access, rectification, erasure, restriction, objection and data portability, and the right to withdraw consent where processing is based on consent. For patient records handled via a GP practice, please contact your practice as the Controller. For website/contract data, contact Medflow at privacy@medflowdynamics.co.uk.

You also have the right to complain to the Information Commissioner’s Office (ICO): ico.org.uk; Tel: 0303 123 1113; Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF. We’d appreciate the chance to address your concerns first.

12. Cookies & similar technologies

We use necessary cookies for site operation and optional analytics cookies with consent controls. See our Cookie Notice at /cookies for full details and preferences management.

13. Data Sharing Policy (how we share responsibly)

This policy supplements section 7 and applies particularly to health and operations data:

1. Purpose limitation: We share only for defined purposes tied to care delivery, safety, operations, governance, or legal requirements.

2. Minimum necessary: We minimise fields and pseudonymise where possible.

3. Legal basis: Confirmed by the Controller for patient data; recorded in a Register of Processing Activities (RoPA).

4. Contracts & DPAs: All sharing governed by controller–processor or processor–sub‑processor agreements with UK GDPR terms and confidentiality.

5. Security assurances: DSPT/DTAC‑aligned controls; right to audit for significant suppliers.

6. International transfers: Only with IDTA/SCCs and risk assessments.

7. Transparency: Customer‑facing sharing maps and data‑flow diagrams provided during onboarding.

8. Access & audit: Role‑based access, comprehensive audit trails, breach notification SLAs per UK GDPR Articles 33/34.

9. Retention & deletion: Per contract and clinical obligations; controlled deletion on exit with verifiable certificates.

10. Incident response: Documented playbooks; report notifiable breaches to ICO and customers without undue delay.

A high‑level list of routine recipients and sub‑processors is maintained at /subprocessors. Customer‑specific sharing (e.g., with PCN hubs) is documented in the Statement of Work and DPA Schedules.

14. AI & model governance

  • Design principles: Human‑in‑the‑loop, explainability where feasible, bias monitoring, and clinical safety sign‑off before release.

  • Data for AI: Training on synthetic, de‑identified, or customer‑approved datasets with documented provenance. No patient‑identifiable data used for model training without explicit written Controller approval and safeguards.

  • Evaluation: Scenario testing, drift monitoring, and post‑market surveillance metrics. 

15. How to contact us

16. Changes to this notice

We may update this notice to remain compliant and transparent. Significant changes will be notified via the website or email.

Change log:
- 1.0 (7 Sep 2025): Initial consolidated Privacy & Data Sharing Policy published.

Appendix A – Standard DPA Headline Terms (Public Summary)

• Roles & scope; processing instructions; confidentiality; sub‑processing by consent and flow‑down terms; technical/organisational measures; assistance with data subject rights; breach notification; audit rights; international transfers; exit & deletion; liability and insurance; UK law & jurisdiction.
