1. Introduction
1.1 Purpose of the Privacy Policy
This Privacy Policy outlines how pH7 ("we," "our," or "us") collects, processes, stores, and protects personal data in connection with the use of the pH7 platform (the "Platform"). We are committed to safeguarding the privacy and rights of all users, including Medical Professionals, patients, and other individuals who interact with the Platform.
By using the Platform, you agree to the terms of this Privacy Policy. If you do not agree with this policy, you must refrain from using the Platform.
1.2 Scope of the Policy
This Privacy Policy applies to:
All personal data collected or processed through the Platform, including:
Data provided by Medical Professionals during registration and use of the Platform.
Data provided by patients during consultations and interactions with Medical Professionals.
Data collected from pharmacies or other third-party integrations connected to the Platform.
Users of the Platform, including:
Medical Professionals (individual General Practitioners or practices).
Patients seeking consultations.
Any third parties interacting with the Platform.
All jurisdictions where pH7 operates, subject to applicable data protection laws, including but not limited to GDPR (General Data Protection Regulation) and other equivalent legislation.
1.3 Definitions
For the purposes of this Privacy Policy, the following terms shall have the meanings assigned to them:
"Personal Data": Any information relating to an identified or identifiable individual, including but not limited to names, contact details, health information, and IP addresses.
"Processing": Any operation or set of operations performed on Personal Data, whether automated or manual, including collection, recording, organisation, storage, modification, retrieval, use, disclosure, or deletion.
"Data Controller": The entity responsible for determining the purposes and means of processing Personal Data. For the purposes of this Privacy Policy, pH7 acts as the Data Controller.
"Data Processor": Any third party that processes Personal Data on behalf of the Data Controller, as instructed by the Data Controller.
"Platform": The proprietary software application and associated services developed and operated by pH7, facilitating secure consultations, prescription issuance, and pharmacy integration.
"User": Any individual or entity interacting with the Platform, including Medical Professionals, patients, and connected third parties.
2. Data Controller Information
2.1 Identity of the Data Controller
The Data Controller responsible for the collection, processing, and storage of Personal Data through the pH7 platform (the "Platform") is:
pH7
[Insert Legal Entity Name, if different from the trading name]
[Insert Registered Business Address]
[City, State/Province, Country, Postal Code]
As the Data Controller, pH7 determines the purposes and means of processing Personal Data collected through the Platform. However, pH7 acts solely as a technology facilitator and does not assume responsibility for the clinical or professional decisions of Medical Professionals who use the Platform.
2.2 Contact Details for Privacy-Related Queries
pH7 acts solely as a facilitator of communication and interaction between Medical Professionals, patients, and pharmacies. Any data collected, shared, or processed by Medical Professionals during consultations is managed independently by them and is outside pH7's direct control.
pH7 is not responsible for ensuring compliance by Medical Professionals or third parties with their respective data protection obligations. Each Medical Professional is independently responsible for complying with the data protection laws applicable in their jurisdiction concerning their interactions on the Platform.
3. Data Collection & Processing
3.1 Types of Data Collected and Purpose of Processing
The table below summarises the types of data collected by pH7 and the purposes for which the data is processed:
3.2 Methods of Data Collection
Direct Data Collection:
Data provided by users during registration, consultations, and account management.
Patients’ health information shared during interactions with Medical Professionals.
Automated Data Collection:
Technical data collected using cookies, log files, and other tracking tools to ensure Platform security and optimise performance.
Interaction data collected to enhance user experience and provide analytics for improvement.
Data from Third Parties:
Regulatory Bodies: Verifying the professional credentials of Medical Professionals to ensure compliance.
Pharmacies: Receiving updates on prescription fulfilment and delivery status.
Service Providers: Collecting payment and analytics data to ensure secure and efficient Platform operations.
4. Legal Basis for Data Processing
4.1 Consent
Explicit Consent:
pH7 relies on the explicit consent of users where required by law, particularly for:
Collecting and processing sensitive health data from patients for consultations and prescriptions.
Sending marketing or promotional communications to users (if applicable).
Users may withdraw their consent at any time by contacting pH7 through the provided contact details.
4.2 Performance of a Contract
Contractual Necessity:
Processing Personal Data is necessary for the performance of a contract with the user, such as:
Enabling Medical Professionals to provide consultations and issue prescriptions via the Platform.
Facilitating secure communication between patients, Medical Professionals, and pharmacies.
Managing user accounts, including billing and payment processing.
4.3 Compliance with Legal Obligations
Regulatory Compliance:
pH7 processes Personal Data to fulfil its legal and regulatory obligations, such as:
Verifying the credentials and licensure of Medical Professionals.
Retaining records of consultations, prescriptions, and transactions as required by law.
Disclosing data to regulatory authorities when legally mandated to do so.
4.4 Legitimate Interests
Business and Operational Necessities:
pH7 processes Personal Data to pursue its legitimate business interests, provided such interests are not overridden by the rights and freedoms of users. This includes:
Maintaining and improving the functionality, security, and performance of the Platform.
Conducting analytics to enhance user experience and operational efficiency.
Preventing fraud, unauthorised access, and misuse of the Platform.
Responding to user inquiries and providing customer support.
Proportionality and Safeguards:
pH7 ensures that processing under legitimate interests is proportionate and includes appropriate safeguards to protect user data and rights.
5. Data Sharing and Disclosure
pH7 respects the confidentiality of Personal Data and ensures that it is only shared or disclosed where necessary and in compliance with applicable laws. This section outlines the circumstances under which data may be shared and the safeguards in place to protect user information.
5.1 Internal Access
Authorised Personnel:
Access to Personal Data is restricted to pH7 employees and authorised personnel who require the information to perform their job functions, such as customer support, technical maintenance, or compliance monitoring.
All personnel with access to Personal Data are bound by strict confidentiality obligations and undergo regular training on data protection practices.
5.2 Sharing with Third Parties
5.2.1 Pharmacies
Prescription Fulfilment:
Patient data, including prescriptions issued by Medical Professionals, may be shared with pharmacies connected to the Platform to facilitate the fulfilment and delivery of prescribed medications.
Pharmacies operate independently of pH7 and are responsible for complying with applicable data protection laws regarding the handling of patient data.
5.2.2 Regulatory Authorities
Legal and Regulatory Compliance:
pH7 may disclose Personal Data to regulatory or licensing authorities to verify the credentials of Medical Professionals or to comply with legal obligations.
In cases where disclosure is legally required, such as during inspections or audits, pH7 will ensure the request is valid and proportionate.
5.2.3 Service Providers
Third-Party Processors:
pH7 engages trusted third-party service providers to support Platform operations, including:
Payment processors for handling financial transactions.
IT service providers for hosting, maintenance, and security.
Analytics providers to improve the functionality and user experience of the Platform.
All service providers are subject to strict data protection agreements, ensuring that Personal Data is processed securely and only for specified purposes.
5.3 Legal Disclosures
Compliance with Legal Processes:
pH7 may disclose Personal Data to law enforcement agencies, courts, or other legal authorities when required to:
Comply with a subpoena, court order, or other legal process.
Respond to legal investigations or regulatory inquiries.
Protect the rights, safety, or property of pH7, its users, or the public.
Safeguards for Legal Requests:
pH7 will evaluate the validity of all legal requests and disclose only the minimum amount of data necessary to comply with the legal requirement.
6. International Data Transfers
6.1 Explanation of Data Transfers Outside the Jurisdiction
Cross-Border Processing:
Personal Data collected through the Platform may be transferred to and processed in jurisdictions outside the country in which it was originally collected. This may include countries where pH7 operates or where its service providers are located.
Such transfers are necessary for the operation of the Platform, including hosting, analytics, and customer support services.
Data Protection Standards:
Any transfer of Personal Data to jurisdictions outside the user’s country of residence will be conducted in compliance with applicable data protection laws, ensuring that the data remains secure and protected.
6.2 Safeguards in Place
Standard Contractual Clauses (SCCs):
For transfers to countries outside the European Economic Area (EEA) or other jurisdictions with similar requirements, pH7 relies on Standard Contractual Clauses approved by relevant regulatory authorities to ensure an adequate level of protection.
Adequacy Decisions:
Where applicable, data is transferred to jurisdictions that have been recognised as providing an adequate level of protection under relevant data protection laws.
Other Safeguards:
Encryption during transfer to protect data integrity.
Contractual obligations for third-party processors to comply with data protection standards equivalent to those in the originating jurisdiction.
7. Data Retention
7.1 Retention Periods for Different Types of Data
Medical Professionals’ Data:
Licensing and credential information: Retained for the duration of the account’s active status and for a period of [ ] years thereafter to comply with regulatory obligations.
Patient Data:
Consultation records and health information: Retained for a period of [ ] years, or as required by applicable medical record retention laws.
Technical Data:
Log files and usage data: Retained for a period of [ ] months to support analytics and improve Platform functionality.
7.2 Criteria Used to Determine Retention Periods
Legal and regulatory requirements for data retention in the jurisdictions where pH7 operates.
Business needs for operational purposes, such as customer support and dispute resolution.
Statutory limitations for legal claims or investigations.
7.3 Data Deletion and Anonymisation Policies
Data Deletion:
At the end of the retention period, Personal Data is securely deleted unless required to be retained for legal or regulatory purposes.
Anonymisation:
In some cases, data may be anonymised instead of deleted, ensuring it cannot be linked to an individual while still being used for analytics or research purposes.
8. Data Security
8.1 Technical and Organisational Measures to Protect Data
Encryption:
All Personal Data transmitted through the Platform is encrypted using industry-standard protocols (e.g., TLS) to prevent unauthorised access.
Access Controls:
Access to Personal Data is restricted to authorised personnel only, based on role-specific permissions.
Multi-factor authentication (MFA) is implemented for accessing sensitive systems.
Data Storage:
Data is stored on secure servers located in data centres with physical and technical safeguards, including firewalls, intrusion detection systems, and 24/7 monitoring.
8.2 Procedures for Handling Data Breaches
Detection and Response:
pH7 employs real-time monitoring tools to detect potential breaches promptly.
A dedicated incident response team is tasked with investigating and mitigating any security incidents.
Notification of Affected Parties:
In the event of a data breach that poses a risk to users, pH7 will notify affected individuals and relevant regulatory authorities within the timeframes specified by applicable laws.
Corrective Actions:
Steps will be taken to contain the breach, minimise damage, and implement additional safeguards to prevent future incidents.
9. Data Subject Rights
pH7 respects the rights of individuals whose Personal Data is processed through the Platform. This section outlines the rights granted under applicable data protection laws and how users can exercise these rights.
9.1 Right to Access
What This Means:
Users have the right to request confirmation about whether their Personal Data is being processed by pH7.
Users can access the Personal Data held by pH7, as well as information about the purposes of processing, categories of data processed, and any third parties with whom the data has been shared.
9.2 Right to Rectification
What This Means:
Users have the right to request the correction or update of inaccurate or incomplete Personal Data held by pH7.
9.3 Right to Erasure (Right to Be Forgotten)
What This Means:
Users can request the deletion of their Personal Data when:
The data is no longer necessary for the purposes for which it was collected.
The user withdraws their consent, and no other legal basis for processing exists.
The data has been processed unlawfully or must be erased to comply with legal obligations.
Exceptions:
This right may not apply if data retention is required by law or for the establishment, exercise, or defence of legal claims.
9.4 Right to Restriction of Processing
What This Means:
Users can request a temporary halt to the processing of their Personal Data in specific circumstances, such as:
Contesting the accuracy of the data.
When the processing is unlawful, but the user prefers restriction over erasure.
9.5 Right to Data Portability
What This Means:
Users can request a copy of their Personal Data in a structured, commonly used, and machine-readable format.
Users may also request that pH7 transfer this data directly to another data controller, where technically feasible.
9.6 Right to Object
What This Means:
Users can object to the processing of their Personal Data for:
Legitimate interests pursued by pH7, unless overriding legal grounds exist.
Direct marketing purposes, including profiling related to such marketing.
9.7 Right to Withdraw Consent
What This Means:
Users who have provided consent for specific data processing activities may withdraw their consent at any time.
Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn.
9.8 Subject Rights Requests
If you wish to exercise any of your above rights, please submit a written request to [Insert Email Address]. In your request, please include:
The specific right(s) you wish to exercise.
Any relevant details or supporting information.
pH7 may request additional information to verify your identity before processing your request. All rights requests will be acknowledged and responded to within [ ] days, in accordance with applicable law.
If you are dissatisfied with our response, you have the right to lodge a complaint with the relevant data protection authority in your jurisdiction.
10. Cookies and Tracking Technologies
The Platform uses cookies and similar tracking technologies to enhance user experience, improve functionality, and ensure secure access to the Platform. Below is an overview of the types of cookies used and their purposes.
10.1 Use of Cookies on the Platform
Cookies are small text files stored on your device that enable the Platform to function effectively and provide a personalised experience. The Platform may use cookies for purposes such as:
Maintaining secure login sessions.
Enhancing navigation and functionality.
Collecting usage data for analytics and performance improvements.
Customising user preferences and delivering relevant content.
10.2 Types of Cookies
10.3 Managing Cookie Preferences
Cookie Banner and Consent:
Upon accessing the Platform, users are presented with a cookie banner providing an option to accept or customise cookie preferences.
Users must provide explicit consent for non-essential cookies, such as analytics or advertising cookies.
Customising Cookie Preferences:
Users can manage their cookie preferences at any time through the cookie settings available on the Platform.
This includes enabling or disabling specific types of cookies according to personal preferences.
Browser Settings:
Users may also manage cookies through their browser settings, where they can block or delete cookies.
Disabling certain cookies may impact the functionality or user experience of the Platform.
Cookie Policy Updates:
The types of cookies used and their purposes may change over time as the Platform evolves. Updates to this section will be communicated via the Platform or the cookie banner.
11. Third-Party Websites, Links, and Privacy Policy Updates
11.1 Third-Party Websites and Links
Disclaimer for External Links:
The Platform may include links to third-party websites, tools, or services that are not owned or controlled by pH7. These links are provided for convenience or to enhance the user experience.
pH7 does not endorse, verify, or assume responsibility for the content, privacy practices, or functionality of third-party websites or services accessed via the Platform.
Users are advised to review the privacy policies and terms of use of any third-party website or service before providing Personal Data or engaging with such services.
Limitation of Liability:
pH7 is not liable for any damages, losses, or issues arising from the use of third-party websites or services. Any interactions with such services are at the user's own risk.
11.2 Updates to the Privacy Policy
Notification of Changes:
pH7 reserves the right to update or modify this Privacy Policy at any time to reflect changes in legal, regulatory, or operational requirements.
Users will be notified of material changes to the Privacy Policy through one or more of the following methods:
A prominent notice on the Platform.
An email to the registered email address associated with the user’s account.
Direct communication via the Platform’s user interface.
Effective Date of Changes:
Updates to the Privacy Policy will become effective on the date specified in the notice provided to users.
Continued use of the Platform after the effective date of an updated Privacy Policy constitutes acceptance of the revised terms.
12. Contact Information
12.1 How to Contact pH7 for Privacy Concerns
If you have any questions, concerns, or requests regarding this Privacy Policy or the processing of your Personal Data, please contact pH7 using the following details:
Email: privacy@ph7platform.com
Mailing Address:
pH7 Privacy Officer
[Insert Address]
[City, State/Province, Country, Postal Code]
We encourage you to contact us directly so we can address any concerns promptly and effectively.
12.2 Contact Details for Data Protection Officer (if applicable)
If required by applicable law, pH7 has appointed a Data Protection Officer (DPO) to oversee compliance with data protection obligations. To contact the DPO, please use the following details:
Data Protection Officer Email: dpo@ph7platform.com
Mailing Address:
Data Protection Officer
pH7
[Insert Address]
[City, State/Province, Country, Postal Code]
If no DPO is mandated by law, privacy-related inquiries can be directed to the Privacy Officer at the details provided above.
13. Complaints and Regulatory Contact
13.1 Right to File a Complaint with a Supervisory Authority
If you believe that your rights under applicable data protection laws have been violated or that your Personal Data has been processed unlawfully, you have the right to lodge a complaint with a supervisory authority.
We recommend contacting us first at privacy@ph7platform.com so we can address your concerns directly. However, you also have the option to escalate your complaint to the relevant authority.