Privacy Policy

Policy document updated 9th January 2024

DrOnline Ltd (“DrOnline”) is an online GP platform offering online GP and medical services including online video consultations, mens’ health and other related services. It is a company with company number 14539523 and its registered office is 20-22 Wenlock Road London, England N1 7GU.

To provide such services DrOnline needs to use and keep personal data about our customers. We are required to provide information about how we will use personal data, the safeguards to ensure that the personal data will not be used or shared inappropriately and an individual’s rights in respect of their personal data.

Data Controller

An organisation that holds personal data and decides how it should be used is a controller. An organisation that holds personal data but processes it only in accordance with documented instructions from a controller is a processor. In almost all cases, DrOnline will be a controller because we have to decide how to use the data for the delivery of services requested by the data subject.

Incident Communication

DrOnline Ltd has appointed a Data Protection Officer (“DPO”) and has implemented measures in the field of data protection, privacy, and information security.

Data Protection Officer:

Zarah Ahmed

In the event that data subjects wish to report any personal data breach that accidentally or unlawfully causes the destruction, loss, alteration, disclosure, or unauthorized access to personal data transmitted, stored, or otherwise processed, they may contact the DPO using the contact information provided above.

Collection and Processing of Personal Data

The personal data collected by DrOnline Ltd are processed electronically, with protection, privacy and security assured under the current legislation.

The purposes for which we may hold your personal data:

  • because you are a customer for the provision of medical services and advice;
  • to meet our legal and regulatory duties, including our duties to know our patients and protect against fraud and money laundering;
  • for administrative reasons to enable us to provide our services;

How we collect this information:

We mainly collect information direct from you when you contact us through our chat function, telephone 07893947543, social media channels (Facebook or LinkedIn) or email, when you visit our website or you enter into a contract with us.  [We receive third party data from [PARTYS].]

The legal basis for processing:

The collection, use, sharing and storage of personal data are all termed “processing”.  There must be a legal basis for any processing, which we have set out below.


The Purpose of the Processing


 The Legal Basis for the Processing.

If you are a patient, we will require proof of your identity to satisfy Care Quality Commission (CQC) requirements.

Proof of your identity is necessary to comply with a legal and regulatory obligation upon us.

If you are a patient, we will require personal data, particularly contact information, in order to discuss the medical advice and services that you require and to provide legal advice and services in accordance with the letter of engagement between us. We will also need your personal data to carry out the retainer, the administration of your account with us and to enable us to perform conflict of interest checks within our client database.

The data is necessary to perform the contract for medical advice and services between us.

If you are a patient it may be necessary to process special category or more sensitive personal data in order to provide medical advice and services to you.  Special category data includes data about racial or ethnic origins, political opinions, religious or philosophical beliefs, trade union membership, genetic or biometric data, health records or information about a person’s sex life or sexual orientation, or information about criminal convictions and offences.

We will process special category or sensitive personal data where:
(a)  the processing is necessary for the provision of health and social care; or
(b) you explicitly consent to the processing has been obtained.

We will store the files or a copy of the files relating to a patient.

It is in our legitimate interests to retain files or a copy of files in order to deal with any queries that may arise after services have been provided.

We may use your name, address, email address and telephone numbers for marketing purposes.

We will only use your name, address, email address and telephone numbers for marketing purposes if we have your consent to do so.

We may use a third-party name, address and contact information supplied by you when we provide the services.

It is in our patients’ legitimate interests that the personal data of other parties or third parties be processed.

We may need to use data to comply with audit and statutory regulations.

The processing is necessary for compliance with a legal obligation to which we are subject.

It is in our legitimate interest to comply with the requirements of audits.

Communication of Data to Other Entities and Recipients of your Personal Data:

We may need to provide personal data to other people in order to provide medical advice and services to our patients. The recipients of such data may include:

  • Semble, our online platform host;
  • Signature Rx, our e-prescription platform;
  • Hlthmanage, our governance system;
  • Slack, our messenger system;
  • Talkdesk, our help desk system;
  • other professionals providing services to our patients, for example Pathology partners or Imaging partners.

We are subject to professional obligations of confidentiality and will always discuss and agree any disclosure of personal data with our patients unless we are obliged to disclose it by law.  Where appropriate, with other professionals, we will enter into a Data Sharing Agreement with them to ensure that the data is protected.

We may use external service providers for IT, fileshare and communication services.  We use external providers to take card payments. All our external service providers are required to take appropriate security measures to protect your data.

DrOnline will only contract entities that present sufficient guarantees of implementing appropriate technical and organizational measures to meet applicable standards, with such guarantees formalized in a contract between DrOnline and each of these third party entities.

International Transfers:

In most cases, there will be no need to transfer your Personal Data to a country outside the UK.

If there is a need to transfer your Personal Data outside the UK, we will ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:

  • The country has been deemed to provide an adequate level of protection for Personal Data by the UK;
  • We may use specific contracts approved by us in the UK which give Personal Data the same protection that it has in Europe;
  • We adopt safeguard mechanisms to protect the data, e.g. use encryption, put in place standard contractual clauses.

If there are no appropriate safeguards in place, we may transfer data outside the UK where the transfer is necessary for:

  • the performance of the contract between us for the provision of medical services or advice, or for taking steps, at your request, prior to entering into such a contract;
  • the conclusion or performance of a contract concluded in your interest between us and someone else;
  • the transfer is necessary for the establishment, exercise or defence of legal claims; or
  • you explicitly consent to the transfer.

Security Measures

Considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, all entities contracted by DrOnline implement the necessary technical and organizational measures to ensure a level of security appropriate to the risk.

Various security measures may be adopted to protect personal data against dissemination, loss, misuse, alteration, unauthorised processing or access, and against any other form of unlawful processing.

How long will your data be kept:

Personal data will be kept for the period necessary for the purposes that motivated their collection or subsequent processing, to ensure compliance with all applicable legal norms concerning archiving.

The data collected for the ID verification and patient and/or third party due diligence checks will be kept for a minimum of 10 years after the end of the business relationship with our patient.

Patient related data will be kept until the completion of the services or the provision of the advice for which it was collected. We will keep our files and that data for as long as is necessary to fulfil the purposes of satisfying any legal, accounting or regulatory requirements and, where necessary, as long as is required for us to assert or defend legal claims. In most instances patient related data will be retained by us for a period of between [7 years and 15 years].

We will keep any data that we hold for marketing purposes whilst we have your consent to do so.


If we ask for your consent to use your personal data for marketing purposes, you have the right to withdraw your consent at any time. The form of consent and a subsequent marketing communication will tell you how to withdraw your consent. In addition, you can withdraw consent by email to 

The withdrawal of consent will not affect our provision of medical advice and services in any way.

Other Rights in Relation to Your Personal Data:

Under certain circumstances, you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are processing it lawfully.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on our legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example, if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact us by writing to Data Protection Officer, 20-22 Wenlock Road, London, England, N1 7GU or by email to

Prior to actioning your request, we may ask you to validate your identity and we will only carry out any request by you when we are satisfied that we have validated your identity appropriately.

If you are dissatisfied with the way in which we have dealt with your personal data, you have the right to make a complaint at any time to the Information Commissioner’s Office (“ICO”), the UK supervisory authority for data protection issues.

Telephone number: 0303 123 1113.

Website address: https://ico/

Changes to the Privacy Policy:

DrOnline may, at any time, make changes deemed appropriate to this Data Protection and Privacy Policy to ensure its ongoing update, development, and continuous improvement. Any such changes will be duly announced publicly to ensure transparency and information.