Privacy Policy
How we handle personal data and medical information.
Because this service involves sensitive medical information, we aim to be clear about what we collect, why we collect it, how we use it, and how we protect it.
Controller: Second Opinion Medic Ltd
Contact: support@secondopinionmedic.com
1. Introduction
Second Opinion Medic Ltd ("Second Opinion Medic", "we", "us", or "our") is committed to protecting your privacy and handling personal data responsibly, lawfully, and transparently.
This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our website and services, including when you create an account, contact us, upload medical records, or request a second opinion.
Because our service involves medical information, some of the data we process is special category personal data under data protection law.
2. The personal data we collect
- Identity and contact data, including name, email address, telephone number, postal address if provided, and account login details.
- Patient and case data, including date of birth, symptoms, diagnoses, medications, test results, scans, referral letters, discharge summaries, and other medical records you submit.
- Account and service data, including communications with us, support requests, case status information, and report delivery records.
- Transaction data, including payment status and invoice information. Full card details are not stored by us. Payments are processed via Stripe.
- Technical and usage data, including IP address, browser type, device information, security logs, and website usage information.
- Marketing data, including communication preferences and records of consent or opt-out choices where marketing is used.
3. How we use your personal data
We use personal data to register and manage your account, receive and organise your case, arrange specialist review, deliver a written second opinion where available, process payments, communicate with you, manage support and complaints, operate and improve the platform, maintain security, and comply with legal, regulatory, and accounting obligations.
4. Lawful bases for processing
- performance of a contract, where processing is necessary to provide the service you request;
- legitimate interests, where processing is necessary for the safe, secure, and efficient operation of our business and platform, provided those interests are not overridden by your rights;
- legal obligation, where we must process data to comply with the law;
- consent, where consent is required or relied upon, including for certain marketing activities.
5. Special category health data
Because our service involves medical records and health information, we process special category personal data. We do so only where it is necessary for the provision and administration of the health-related service requested, for appropriate case handling, or where it is otherwise permitted or required by applicable law.
By using our service and submitting medical information, you acknowledge that such information is necessary for us to assess and handle your request for a second opinion.
6. Who we share your data with
- specialists or consultants involved in reviewing your case;
- service providers supporting hosting, storage, website operations, payment processing, communications, security, and technical support;
- professional advisers, insurers, or legal representatives where necessary;
- regulators, courts, law enforcement bodies, or public authorities where required by law or where necessary to protect legal rights or safety.
We do not sell your personal data.
7. Payment processing
Payments are processed through Stripe. Stripe acts as an independent payment processor in relation to the payment information it handles, and your use of payment functionality may also be subject to Stripe's own terms and privacy practices.
8. International transfers
Our hosting infrastructure is located in Los Angeles, California, United States. As a result, your personal data may be transferred to, stored in, or accessed from locations outside the United Kingdom.
Where personal data is transferred internationally, we take steps intended to ensure that appropriate safeguards are in place and that personal data receives an adequate level of protection consistent with applicable data protection law.
9. Data retention
We retain different categories of personal data for different periods depending on the nature of the information, the purpose for which it was collected, and our legal, regulatory, operational, accounting, and security obligations.
| Data category | Typical retention period | Reason |
|---|---|---|
| Enquiry form submissions that do not become a case | 12 months | To respond, manage follow-up, and keep a short record of pre-engagement communications |
| Patient account information | While the account remains active and for 24 months afterwards | To manage access, security, and service records |
| Uploaded medical records and case documents | 7 years after case closure | To provide the service, handle follow-up, and maintain appropriate records |
| Specialist opinion reports | 7 years after case closure | To preserve the clinical output and related service record |
| Payment and invoice records | 6 years | Accounting, tax, and legal compliance |
| Customer support correspondence | 3 years | Service quality, complaints, and dispute handling |
| Marketing consent records | Until consent is withdrawn, with limited archival record where needed | To demonstrate consent preferences |
| Technical and security logs | 6 to 12 months | Security monitoring, fraud prevention, and system integrity |
We may retain personal data for longer where required by law, where necessary to resolve disputes, where reasonably needed for legal or regulatory purposes, or where deletion is not technically or operationally immediate. Where appropriate, we may instead anonymise data.
10. Your rights
- request access to your personal data;
- request correction of inaccurate or incomplete data;
- request erasure in certain circumstances;
- request restriction of processing in certain circumstances;
- object to certain processing;
- request transfer of certain data;
- withdraw consent where processing is based on consent.
To exercise your rights, contact support@secondopinionmedic.com. These rights are not absolute and may be limited where legal, clinical, regulatory, security, or contractual reasons apply.
11. Complaints, security, and updates
If you have concerns about how we use your personal data, please contact us first so we can try to resolve the matter. If you remain dissatisfied, you may have the right to complain to the UK Information Commissioner's Office.
We take appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, unauthorised access, and other unlawful forms of processing.
We may update this Privacy Policy from time to time. The latest version published on our website will apply.