Legal

Privacy policy

Plain-English explanation of how we handle your data. Last updated 14 May 2026.

1. Who we are

Practice Digital is registered in England and Wales. Our registered address is [ADDRESS — to be confirmed]. For all privacy questions you can email [email protected].

For UK GDPR purposes, we are the data controller for the personal data we collect about you as a website visitor, applicant or customer.

2. What data we collect

We only collect what we need.

  • Audit and contact form submissions — name, role, practice name, email, phone (optional), website URL, the notes you choose to include.
  • Onboarding application — practice details, current setup, goals, look-and-feel preferences, optional team and patient information, any photos and assets you choose to upload.
  • Customer account & messaging — your name, email, role, and the content of messages you send through the portal.
  • Direct Debit details — handled by GoCardless; we never see or store your bank details ourselves.
  • Technical data — server logs containing IP addresses and user-agent strings, for security and abuse prevention.

We do not knowingly collect any patient-identifying clinical data through this website. The websites we build for clients are designed not to route patient PII through third-party trackers or analytics.

3. Lawful basis for processing

We process your data under one of the following lawful bases:

  • Contract — to deliver the website and ongoing service you've paid for.
  • Legitimate interests — to respond to enquiries, run audits, secure our platform, and improve our service. We balance this against your rights.
  • Legal obligation — to comply with HMRC, financial-services regulation, and other UK law.
  • Consent — for non-essential cookies and marketing communications, which you can withdraw at any time.

4. Who processes your data on our behalf

The following organisations process some of your data, all under written Data Processing Agreements and all hosted within the UK or EU:

  • Supabase — database, authentication and file storage (eu-west-2, London).
  • Cloudflare — hosting and content delivery (UK PoPs).
  • GoCardless — Direct Debit processing (UK-regulated, FCA-authorised).
  • Resend / Postmark — transactional email delivery.
  • Google Fonts — typography. Loading a Google Font sends requests to Google's servers for the stylesheet and font files; like any web request, these disclose your IP address and browser user-agent to Google. No cookies are set.

5. How long we keep your data

We keep customer data for the duration of your contract plus seven years, in line with HMRC record-keeping requirements and retention norms for systems that sit alongside clinical records. Enquiry data we keep for two years. Server logs we retain for 30 days. You can ask us to delete your data sooner (see "Your rights" below), except where we have a legal obligation to retain it.

6. Your rights

Under UK GDPR you have the right to access your data, correct it, erase it (where legally possible), restrict how we process it, port it, and object to certain processing. To exercise any of these rights, email [email protected] — we will respond within one month.

If you're unhappy with how we've handled your data, you can complain to the Information Commissioner's Office at ico.org.uk.

7. Security

All data is transmitted over TLS and stored encrypted at rest. Customer data in the database is protected by Row Level Security policies tied to your authenticated session, so queries made through your account can only reach the rows that belong to it. Admin access is restricted to named staff, logged and reviewed. We are aligned with Cyber Essentials principles and happy to support customers' DSP Toolkit submissions.

8. Cookies

See our cookie policy for the full list of cookies we use. In short: essential cookies only, no third-party tracking, no advertising cookies.

9. Changes to this policy

We may update this policy from time to time. The "Last updated" date at the top tells you when. We'll email customers in advance of any material change.

Note for the legal team: this is a draft starting point. Before going live, fill in the company name and registered address in section 1, double-check the processor list in section 4 against what's actually in production, and ideally have this reviewed by a UK solicitor familiar with healthcare-adjacent SaaS.