Privacy Policy

 

Your privacy at tapGP

At tapGP, our medical and technical teams collaborate closely to redefine the delivery of healthcare services. We place you, whether you’re approaching us as an individual seeking health advice or as a patient in need of care, at the centre of everything we do. This Privacy Policy is designed to transparently communicate how we manage your personal data from the moment you register and begin using our app, to every interaction you have with our healthcare services.

In this Privacy Policy, we delve into the workings of tapGP for you as both a user and a patient. We outline our responsibilities regarding the processing of your personal data in connection with the services we provide. We detail the types of personal data we collect during your use of our services, the methods and reasons behind our data processing activities, and the legal foundations that support these processes. We identify the external parties involved in handling your personal data to ensure the seamless provision of our services. This document also aims to inform you about your rights concerning your personal data and guides you on how to exercise these rights effectively.

Data handling

TAP GP Limited, the formal entity behind the tapGP platform, operates as the principal developer and provider of the tapGP application. As such, TAP GP Limited acts as the data controller for all personal data that you register within the app.

Healthcare service provision begins when you share your health status through initial assessments or questionnaires and continues through consultations, record-keeping, and the necessary administration of your care, as outlined in this Privacy Policy.

Account registration and third-party data at tapGP

When you register and use your account with tapGP, we collect personal data that you provide, such as:

  • Your name and contact details (and those of your parent/guardian if applicable);
  • Other information you provide on registration or otherwise, such as reason for booking, gender, date of birth, identification documents, selfies, photos of body parts, health information;
  • Account information such as your username and password;
  • Details about your transactions on our service;
  • Your medical information;
  • Information that you include in communications with us, including surveys and feedback; and
  • Contact or other information which you give or allow us to use for newsletters or other marketing.

There are instances where tapGP receives patient data from other sources not directly associated with tapGP, such as other healthcare providers, your employer, partnerships or your insurance company. This information, when relevant to your ongoing care within tapGP services, will be processed and integrated into your medical records by the clinician responsible for your treatment.

In each of these scenarios, tapGP is committed to managing your data with the utmost care and security, ensuring compliance with applicable data protection regulations and respecting your privacy and rights at every step of the healthcare provision process.

Data storage locations

tapGP places the utmost importance on the security and integrity of your personal data. All personal data is securely stored on Amazon Web Services (AWS) servers. tapGP has chosen AWS due to its robust security features, compliance certifications, and global infrastructure, which align with our commitment to safeguarding your data.

In keeping with our obligations to provide secure and compliant healthcare services, tapGP and our clinicians maintain detailed medical records as part of our service delivery. This data is stored on AWS servers, employing a medical record system that is specifically developed to meet the stringent requirements of applicable healthcare legislation. While tapGP oversees the management of this system, certain operations may be delegated to third-party service providers who are experts in managing healthcare data, ensuring that all patient data is treated with the utmost care and security.

Our choice to use AWS servers for storing all categories of personal data reflects our dedication to employing advanced technologies and services that meet our high standards for data protection, security, and compliance. AWS’s global reputation for reliability and security, combined with their commitment to data privacy, makes them an ideal partner in our efforts to provide secure, efficient, and compliant healthcare services.

Processing of personal data

At tapGP, the collection and processing of data are integral to our operation and delivery of personalised healthcare services. We process your data for several key reasons:

  • Account management: Managing the setup and closure of your tapGP account.
  • Access and use: Facilitating your access to and use of the tapGP platform.
  • Verification: Ensuring the accuracy of your identity, age, and, in applicable cases, your status as a guardian.
  • Data integrity: Keeping your personal information accurate and up-to-date.
  • Healthcare management: Allowing you to oversee and manage your healthcare engagements through tapGP.
  • App improvement: Analysing how you use our app to enhance user experience and service quality.
  • User preferences: Managing your settings and processing payments for services rendered.
  • Service delivery: Providing comprehensive healthcare services as outlined in our Terms and Conditions.
  • Contractual necessity: The primary basis for processing your data is the contractual relationship between you and tapGP, which necessitates handling your data to fulfil our service commitments to you as detailed in our Terms and Conditions.
  • Legitimate interests: We also process your data based on our legitimate interests, which include analysing app usage patterns to improve our platform and services. This approach is designed to enhance the overall user experience and ensure that our services continually evolve to meet your needs.

Our commitment to your privacy and the careful handling of your personal data underpins every aspect of our service provision. We ensure that all data processing activities are transparent, secure, and aligned with both our service delivery goals and your rights as a user.

tapGP is committed to offering comprehensive support as an integral component of our services. This support is essential for fulfilling the contractual obligations between you and tapGP, encompassing a range of activities from addressing inquiries to resolving complaints and providing technical assistance through our support services, accessible via telephone or our digital platforms.

Marketing and user experience improvement

tapGP uses your data to keep you informed with news, updates, and promotional content through various electronic communication channels, including email, text messages, push notifications, and in-app messages. Our communications strategy is tailored based on our understanding of your interactions with the app and the services, such as your usage patterns, previous communications preferences, searches, and basic demographic information like age, gender, and region. It’s important to note that your health data is only used for communication with your explicit consent.

Our basis for processing your personal data for marketing purposes aligns with our legitimate interests in providing an accessible online platform that connects you seamlessly with healthcare services. We may send you information about services like those you have previously engaged with, provided we obtained your contact details upon registration with the option for you to opt out at any time.

Legal obligations

tapGP may process your data as necessary to fulfil our legal obligations within the healthcare domain and other relevant legal requirements. This encompasses adherence to statutory regulations, court orders, or directives from public authorities related to healthcare provision and data protection.

Service quality and development

Our aim to continuously enhance the quality and security of our services and the supporting IT infrastructure is grounded in legitimate interests. This involves processing User Data to develop and improve the app’s user-friendliness, such as optimising the user interface and enhancing features that are most valuable to our users, based on anonymised data.

Data retention

At tapGP, we adhere to the guidelines provided by healthcare authorities and professional associations regarding the duration for which your information is stored, known as the ‘retention period’. We aim to balance the need for retaining medical records for continuity of care and legal requirements against our commitment to data minimisation and privacy.

We may retain anonymised information to enhance our services and business operations. In certain cases, legal obligations may necessitate keeping data for extended periods.

Below is an overview of how long different types of your information are retained by tapGP:

  • GP records (Medical records and GP consultations): Our policy ensures that all patient records are retained securely for a period of 10 years following the patient’s death, in line with the established retention schedule for medical records in England and Wales.
  • Video consultations: Stored according to the same guidelines as GP records, with the understanding that this period may adapt with changes to our services.
  • Voice (Audio) consultations: Retention mirrors that of GP records, subject to adjustments aligned with service evolution.
  • Customer support interactions (calls, emails, live chats): Stored for 1 year after service termination.
  • Maternity records: These are kept for 25 years following the birth of your last child.
  • Mental health treatment records: Retained for 20 years from the last consultation date or 10 years post-mortem, whichever is earlier.
  • Pre-registered data: When you receive healthcare services through tapGP as part of an insurance plan, employer health program or one of our partner programs, we may receive certain personal information about you, including your name and email address. This information is considered “pre-registered data” and may be kept for a maximum of 2 years. 

Sharing your personal data with third parties

While providing tapGP services, we collaborate with a variety of third parties to ensure you receive comprehensive and efficient healthcare. The following outlines the types of third parties with whom your personal data may be shared:

  • tapGP engages with external suppliers who, in certain cases, process personal data on our behalf. These include IT service providers for operations and hosting, acting strictly as data processors for tapGP. Their processing of your personal data is exclusively for the purpose of delivering the services requested by tapGP and is carried out according to our precise instructions.
  • We also work with suppliers who function independently and are therefore responsible for their own data processing activities. This category includes providers of payment solutions, among others. You might be required to enter into agreements directly with these independent suppliers. It is important to note that tapGP’s Privacy Policy does not extend to the processing activities of these third parties. For information on how they manage your personal data, please contact them directly.
  • Patient data may be disclosed by the in the context of healthcare provision, such as when making referrals to other healthcare providers or pharmacies for treatment or medication. A discharge summary will be shared with your registered GP after a consultation. You have the option to request that a discharge summary is not sent, although this may limit the services that can be provided to you. You will always be informed about such data sharing during your consultation.
  • When you receive healthcare services through tapGP as part of an insurance plan, employer health program, or one of our partner programs, tapGP may share non-health-related data with the respective insurance provider, employer, or partner to provide insights into your engagement with our service.
  • Compliance with legal obligations: We may disclose your information as necessary to comply with applicable laws, regulations, legal processes, or governmental requests. This includes meeting national security or law enforcement requirements and responding to legal proceedings, such as court orders.
  • Protection of rights: tapGP may share your information to assert our legal rights, defend against legal claims, or protect our operations. This includes enforcing our terms and conditions and investigating potential breaches of those terms.
  • Safety and fraud prevention: To ensure the security of our services and protect the physical safety of our users and the public, we may need to process your information. This includes actions taken to prevent fraud, address security breaches, halt illegal activities or abuse of our services, and investigate suspicious transactions or behaviour.

Your data protection rights

At tapGP, we recognise the importance of your privacy and are committed to ensuring the protection of your personal data. Below are the rights you hold regarding the data we collect and process:

  • Timely response to your requests: We aim to address all requests concerning your rights within one month. Complex inquiries or high volumes of requests may necessitate an extension of up to two additional months. Should we find it impossible to meet your request, you will be informed about the reasons for this decision within one month.
  • Cost-free procedure: Interacting with us regarding your data protection rights incurs no fees. Nevertheless, should your requests be clearly baseless, overly frequent, or excessive, we reserve the right to impose an administrative charge or decline your request.
  • Access and insight: You have the right to request access to and details about the personal data we process related to your interaction with the app and services.
  • Correction: If you find any personal data we hold about you to be inaccurate or incomplete, you can ask us to correct it.
  • Erasure: You can request the deletion of your personal data. This right is not absolute and may be constrained by legal obligations or medical record-keeping requirements imposed on Healthcare Providers. We will delete all data not required to be retained by law upon your request.
  • Restriction on processing: You may request us to halt the processing of your personal data under certain conditions, such as if you contest the accuracy of the data, if the processing is unlawful, or if the data is no longer needed for the original purpose but cannot yet be deleted.
  • Objection to processing: You can object to our processing of your data based on our legitimate interests. Your request will be complied with unless there are overriding legitimate grounds for the processing or it is necessary for legal claims.
  • Withdrawal of consent: Where processing is based on your consent, you have the right to withdraw that consent at any time. This withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
  • Data portability: You have the right to receive your personal data in a standard electronic format, or have it directly transferred to another controller, provided the data was supplied by you and is processed by automated means.
  • Automated decision-making: You have the right not to be subject to decisions based solely on automated processing, including profiling, which has legal or similar significant effects on you.

To exercise any of these rights or for inquiries related to the processing of your personal data by a third-party healthcare provider, please contact us directly through our website or at info@tapgp.co.uk. For third-party related requests, reaching out directly to the concerned provider is advised.

Please provide proof of identity when making a request. We are obliged by data protection laws to respond within one month.

tapGP adheres to regulations set by the Information Commissioner’s Office (ICO). If you have concerns about our data handling practices, you are entitled to lodge a complaint with the ICO at:

Telephone: +44 0303 123 1113

Email: casework@ico.org.uk

Website: www.ico.org.uk

Web-form: www.ico.org.uk/make-a-complaint/

Address: Water Lane, Wycliffe House, Wilmslow, Cheshire, SK9 5AF

Updates to our Privacy Policy

At tapGP, we are continually refining our services and how we handle your data to better serve your healthcare needs. This may result in changes to our Privacy Policy.

Should there be any significant amendments to how we manage, process, or protect your personal data, we will proactively inform you through our app, website, or via email. This notification will provide you with the opportunity to review the changes.

By continuing to use tapGP’s services after these updates take effect, your acceptance of the revised policy is implied. We understand this as your agreement to the updated terms regarding our use of your data.

If, however, you find that you do not agree with the changes, please understand that your continued use of our services may not be possible. We respect your decision and rights in this matter and will provide options for managing or withdrawing your data in accordance with the new policy terms.