Privacy Notice

Controller and contact details

Controller: HealthTap UK Ltd trading as MediTapRx, company number 16597038, 71–75 Shelton Street, Covent Garden, London WC2H 9JQ.
General enquiries: admin@meditaprx.co.uk.
Data Protection Officer: admin@meditaprx.co.uk, HealthTap UK Ltd, 71–75 Shelton Street, Covent Garden, London WC2H 9JQ; tel: +44 7933-310401.


If you have questions about this Notice or how we use your personal data, please contact us at the addresses above. If you do not agree, please do not use our website or services.

​

Scope

This Notice explains how we collect, use, share, store and protect personal data processed by HealthTap UK Ltd in connection with MediTapRx.co.uk and associated services. It applies only to data processed by us and does not cover third‑party websites or services linked from our platform. Where we link to external sites you should check their privacy notices.

​

Categories of personal data we collect

We collect categories of personal data necessary to deliver healthcare services and operate our website and business.

 

Examples include:

  • Identity data: name; date of birth; gender; unique user identifiers.

  • Contact data: email address; telephone number; postal address.

  • Health data: consultation responses; medical history; allergies; symptoms; clinical notes; prescribing records.

  • Technical data: IP address; browser type and version; operating system; device identifiers.

  • Usage data: page visits; clicks; navigation patterns; error logs.

  • Financial data: payment card tokens (we do not store full card numbers unless needed and we operate or use PCI DSS compliant payment processors).

  • Communications data: call logs, messaging and customer support records.

This list is illustrative; we may process additional data where necessary for the purposes described below.

 

How we collect personal data

  • Directly from you when you register an account, complete online forms, take part in a consultation, make a payment, contact customer support, or opt in to marketing.

  • From third parties and partners such as identity verification providers, payment processors, clinical advisers, and analytics providers.

  • Automatically via cookies and similar technologies when you use our website and services. See our Cookie Policy for details.

 

Purposes of processing and lawful bases

We only process personal data where we have a lawful basis under UK data protection law. The main purposes and lawful bases are:

  • Provision of healthcare and clinical services — to deliver consultations, clinical assessments and prescriptions; lawful basis: performance of a contract and processing necessary for healthcare purposes and clinical management.

  • Identity verification and safe prescribing — to verify age, identity and eligibility and to prevent misuse of medicines; lawful basis: legal obligation and legitimate interests where necessary for safety and regulatory compliance.

  • Payments and financial administration — to process payments and invoicing; lawful basis: performance of a contract and compliance with legal obligations.

  • Service improvement and analytics — to monitor and improve our services and website functionality; lawful basis: legitimate interests balanced against individual rights.

  • Marketing and direct communications — to send service updates and, where you have consented, marketing messages; lawful basis: consent for marketing where required, legitimate interests for non‑marketing service communications.

  • Regulatory, legal and safeguarding obligations — to comply with laws, regulatory requests and protect life; lawful basis: compliance with a legal obligation and vital interests where required.

 

When we process special category data such as health information we rely on specific lawful bases in addition to the above, described in the next section.

 

Special category data and sensitive processing

We may process health and other special category data. We will only do so where there is a specific lawful justification, for example:

  • Provision of healthcare and clinical management where processing is necessary for the provision of health or social care and treatment.

  • Explicit consent where required for particular processing not covered by clinical necessity.

  • Regulatory compliance where needed to comply with legal obligations applicable to healthcare providers.

 

We apply appropriate safeguards, minimise the amount of sensitive data processed, and retain such data only for as long as necessary for clinical or legal reasons.

 

Automated decisions and clinical decision support

We use automated checks and clinical decision support tools to assist clinicians with eligibility checks, prescribing safety and fraud prevention. Final clinical decisions are always made or reviewed by a qualified clinician. If you are affected by an automated decision and would like human review, contact admin@meditaprx.co.uk and we will explain the process and arrange a review where appropriate.

 

Data sharing and third‑party processors

We share personal data only where necessary and under contractual safeguards:

  • Internal teams including clinicians, clinical advisers and authorised staff who need data to provide the service.

  • Third‑party processors such as hosting providers, payment processors, identity verification suppliers, analytics providers and IT sub‑contractors. All processors are subject to written agreements requiring appropriate security and lawful processing. A list of our major processors is available on request to admin@meditaprx.co.uk.

  • Regulatory and law enforcement bodies when required by law or to protect public safety.

  • Other healthcare professionals or organisations with your consent or where necessary for your care or public interest.

We do not sell your personal data.

 

International transfers

Where personal data is transferred outside the UK we will do so only with appropriate safeguards such as UK adequacy arrangements, UK standard contractual clauses, or other lawful transfer mechanisms. Contact dpo@meditaprx.co.uk for details of transfers and safeguards.

 

Data retention

We retain personal data only as long as necessary for the purpose for which it was collected and to meet legal, tax, clinical and regulatory obligations. The table below summarises typical retention periods.

​

| Data category | Examples | Purpose | Retention period | Legal basis |
| --- | --- | --- | --- | --- |
| Account and identity data | Name; DOB; ID checks | Account management; identity verification | While account active; plus 6 years for legal and tax obligations | Contract; legal obligation |
| Clinical consultation records | Consult notes; prescriptions; test results | Clinical care and medical record keeping | 8 years from last contact for adults; until age 25 for records begun in childhood | Healthcare purpose; legal obligation |
| Financial records | Payment receipts; invoices; tax records | Billing; accounting; tax | 7 years for HMRC and accounting | Legal obligation |
| Technical and usage data | IP; logs; analytics | Security; service improvement | Up to 2 years for analytics; logs may be retained for up to 7 years if required for legal reasons | Legitimate interests; legal obligation |
| Communications and support records | Emails; call recordings; messages | Customer support; complaints handling | 1–7 years depending on nature and regulatory needs | Contract; legitimate interests |

​

Where particular legal or regulatory requirements dictate longer retention we will retain data for the minimum period required. If you wish to know the retention period for a specific dataset contact admin@meditaprx.co.uk.

 

Security measures

We implement appropriate technical and organisational measures to protect personal data including:

  • Encryption in transit (TLS) and at rest where feasible.

  • Access controls with role-based access and strong authentication for staff accounts.

  • Secure development and testing practices, vulnerability scanning and regular penetration testing.

  • Logging and monitoring of critical systems and privileged access.

  • Staff training on data protection and clinical safety.

  • Processor contracts requiring security, confidentiality and the right to audit.

 

Despite these measures no system is completely secure; if you have concerns about security please contact admin@meditaprx.co.uk.

 

Data Protection Impact Assessments and privacy by design

We carry out Data Protection Impact Assessments for high‑risk processing activities such as online consultations, identity verification, automated prescribing checks and cross‑border transfers. Data protection and clinical safety considerations are included in procurement and project governance.

 

Cookies and similar technologies

We use cookies and similar technologies to operate the website, remember preferences and provide analytics and advertising where you consent. We publish a Cookie Policy that explains the kinds of cookies we use, their purpose and how to manage cookie preferences. Our cookie banner obtains and records consent where required.

 

Children and capacity

Our services are designed for adults. You must be at least 18 years old to register and use the clinical services unless we state otherwise. Where a service is provided to a younger person, we will obtain any required parental or guardian consent and carry out appropriate identity checks in line with safeguarding and clinical guidance.

 

Your rights

You have rights under UK data protection law, subject to statutory conditions:

  • Right of access to a copy of your personal data.

  • Right to rectification of inaccurate or incomplete data.

  • Right to erasure where processing is no longer necessary or based on consent and you withdraw consent.

  • Right to restrict processing in certain circumstances.

  • Right to object to processing based on legitimate interests or direct marketing.

  • Right to data portability where processing is by automated means and based on consent or contract.

  • Right to withdraw consent where consent is the basis for processing.

 

To exercise any right, contact admin@meditaprx.co.uk or dpo@meditaprx.co.uk. We will normally respond within one month; where requests are complex, we may extend by up to a further month and will notify you of the extension and the reasons.

 

If you remain dissatisfied, you may complain to the Information Commissioner’s Office.

 

Data breaches

If we become aware of a personal data breach that is likely to result in a risk to individuals’ rights and freedoms we will notify the Information Commissioner’s Office within 72 hours where required and affected individuals without undue delay where there is a high risk. We will provide information on the nature of the breach, likely consequences and mitigation steps.

 

Changes to this Notice

We may update this Notice to reflect changes in our practices or legal requirements. We will publish revised versions on MediTapRx.co.uk with a revised “Last reviewed” date. Significant changes will be highlighted where appropriate.

 

Additional information and requests

For further information, to request the list of our processors, to ask for copies of DPIA summaries or the safeguards used for international transfers, or to exercise your rights, contact admin@meditaprx.co.uk.

 

Useful practical steps for users

  • Review our Cookie Policy and accept or adjust cookie preferences via the cookie banner.

  • Keep your account details secure and notify us of any suspicious activity.

  • If you want a copy of your full clinical record or a portability export, contact admin@meditaprx.co.uk and we will advise on secure transfer options.

​

Last reviewed 28 October 2025