1. Important information and who we are

Privacy policy

This privacy policy explains how MediMo Ltd collects and uses your personal data when you use our website or services as a healthcare provider. This includes any data you provide when you register a provider account, submit an application to be listed, connect your clinic system, communicate with us, or opt in to receive provider communications or marketing.

This privacy policy applies only to healthcare professionals and clinics using the MediMo platform in a provider capacity. If you are a patient using MediMo to book an appointment, please refer to our [Patient Privacy Policy].

Controller

MediMo Ltd is the controller and responsible for your personal data (collectively referred to as "MediMo", "we", "us" or "our" in this privacy policy).

If you have any questions about this privacy policy, including any requests to exercise your legal rights, please contact us using the details set out in the Contact section (Section 11).

2. The types of personal data we collect about you

Personal data means any information about an individual from which that person can be identified.

We may collect, use, store and transfer different kinds of personal data about you when you apply to join MediMo, create a provider account, connect a booking system, use our dashboard, or otherwise interact with our platform. We have grouped these into the following categories:

• Identity Data includes your first name, last name, professional title, and (if applicable) your regulatory registration number (e.g. HCPC, GOsC, GCC, GMC, GDC).
• Contact Data includes your email address, business address, and (if provided) your phone number.
• Professional Data includes information you provide about your qualifications, specialisms, insurance coverage, clinic details, fees, availability, and practice management system.
• Technical Data includes your IP address, browser type and version, time zone setting and location, device type and operating system, and other technology used to access our platform.
• Transaction Data includes information relating to platform fees, payouts, and revenue generated via MediMo. When you connect your Stripe account, we are granted access to view your full transaction history in Stripe, including payments unrelated to MediMo. However, we do not access or use non-MediMo transactions unless necessary for account management, compliance or dispute resolution. We do not collect or store full card details.
• Profile Data includes your provider account credentials (e.g. login email and password), onboarding history, Stripe Connect status, dashboard usage, and responses to any optional onboarding forms.
• Usage Data includes information about how you interact with the MediMo provider dashboard or platform features, including page views, login activity, and session patterns.
• Marketing and Communications Data includes your preferences for receiving provider communications, updates, and marketing from us (if applicable).

We also collect, use and share aggregated data such as statistical or demographic information. This is not considered personal data as it does not directly or indirectly identify you. For example, we may aggregate Usage Data to understand how providers interact with our dashboard or tools and to improve our platform.

3. How is your personal data collected?

We use different methods to collect data from and about you, including through:

• Direct interactions. You may provide personal data by completing forms on our website or by corresponding with us by email, phone or other means. This includes when you:
  • submit a provider application or join the waiting list;
  • create or update a provider account;
  • connect your practice management system or Stripe account;
  • correspond with us regarding onboarding, listing, or support;
  • opt in to receive provider communications or marketing.
• Automated technologies or interactions. As you interact with the MediMo platform or provider dashboard, we automatically collect Technical Data about your device, browsing actions and usage patterns using cookies and similar technologies. Please see our [Cookie Policy] for more details.
• Third parties or publicly available sources. We may receive personal data about you from third parties, including:
  • Technical Data from analytics providers such as Google Analytics and Microsoft Clarity (both based outside the UK);
  • Transaction Data from our payment processor, Stripe (based outside the UK). When you connect your Stripe account, we may access information including transaction amounts, dates, payment status, and payout records. This includes visibility of your full Stripe transaction history, although we only access and process data related to transactions made through the MediMo platform, unless strictly required for compliance or fraud prevention purposes.
  • Business or Identity Data from public directories (e.g. Companies House), professional registers (e.g. HCPC, GOsC), or your own website, where relevant to verifying your application or listing.

4. How we use your personal data

Under UK data protection law, we must have a lawful basis to collect and use your personal data. The lawful basis we rely on depends on the specific purpose for which we are processing it. We may use one or more of the following:

• Performance of a contract: where we need to process your personal data to provide our services to you as a provider, such as creating your account, onboarding you to the platform, managing your listing, facilitating Stripe Connect setup, or sending you service-related communications.
• Legitimate interests: where we process your data to operate, support, and improve MediMo, and where our use does not override your fundamental rights. For example, we may use provider analytics to improve platform functionality or monitor usage patterns to prevent abuse or fraud.
• Legal obligation: where we are required to process certain data to comply with legal or regulatory requirements, such as retaining transaction data for tax or anti-fraud purposes.
• Consent: where you have clearly agreed to us processing your data for a specific purpose, such as receiving provider marketing communications or consenting to cookies for analytics. You can withdraw your consent at any time by updating your preferences or contacting us.

Purposes for which we will use your personal data

We have set out below how we use your personal data as a healthcare provider on the MediMo platform, along with the lawful bases we rely on. Where we rely on legitimate interests, we explain what those interests are.

Purpose/Use	Type of data	Legal basis
To process and review your application to join the platform	Identity, Contact, Professional	Legitimate interests (Art. 6(1)(f)) -- to assess whether your clinic is a suitable fit for MediMo
To store and manage applications from providers whose systems are not yet supported (waiting list)	Identity, Contact, Professional	Legitimate interests (Art. 6(1)(f)) -- to maintain a pipeline of prospective providers and notify you when MediMo becomes available to your practice
To create and manage your provider account	Identity, Contact, Profile, Technical	Performance of a contract (Art. 6(1)(b)) -- to register you as a provider and provide access to your account
To set up and manage Stripe Connect and enable payouts	Identity, Contact, Transaction, Technical	Performance of a contract (Art. 6(1)(b)) -- to enable platform functionality and process earnings
To display your profile publicly on the MediMo platform	Identity, Contact, Professional	Performance of a contract (Art. 6(1)(b)) -- to fulfil your request to be listed as a provider
To contact you with platform or service-related communications (e.g. dashboard access, availability, onboarding help)	Identity, Contact	Performance of a contract (Art. 6(1)(b)) -- to support your use of the service
To send marketing communications, such as updates, promotions or newsletters	Identity, Contact, Marketing and Communications, Technical, Usage, Profile	Consent (Art. 6(1)(a)) -- we will only send you marketing where you have actively opted in. You can withdraw your consent at any time (see "Your Rights" section below).
To analyse how providers interact with our platform (e.g. dashboard usage, onboarding steps completed)	Technical, Usage, Profile	Legitimate interests (Art. 6(1)(f)) -- to improve platform experience and provider engagement
To comply with tax, legal, or regulatory requirements (e.g. HMRC reporting)	Identity, Contact, Transaction	Legal obligation (Art. 6(1)(c)) -- to comply with UK tax and accounting laws
To manage support queries, complaints, or access requests	Identity, Contact, Profile	Legitimate interests (Art. 6(1)(f)) -- to provide customer support and resolve issues Legal obligation (Art. 6(1)(c)) -- where responding to a data subject rights request

5. How long we keep your personal data

We retain your personal data only for as long as necessary to fulfil the purposes we collected it for, including to meet legal, regulatory, tax, accounting, or reporting obligations.

In general:

• Account and profile information (such as your name, contact details, practice information, and dashboard usage history) is kept for up to 6 years after your account is closed or your last activity on the platform, in line with limitation periods for legal claims and audit purposes.
• Application and onboarding data (e.g. provider submissions, waiting list records, and PMS compatibility status) is retained while your application is under review or pending activation. If we do not activate your listing, we may retain limited information (e.g. name, contact, and PMS status) for up to 4 years to notify you when the platform becomes available to your system or area.
• Financial and transaction data (e.g. Stripe payout records and commission tracking) is retained for up to 6 years from the end of your relationship with MediMo (e.g. account closure or final transaction), in line with legal and tax requirements.
• Marketing preferences are retained until you withdraw your consent or opt out of receiving communications.
• Cookie and analytics data may be retained for up to 26 months, depending on the settings of our analytics providers. Please see our [Cookie Policy] for further details.

When your data is no longer required, we will delete it securely or anonymise it so that it can no longer be linked back to you. Anonymised data may be retained indefinitely for statistical, compliance, or platform improvement purposes.

Direct marketing

We will only send you direct marketing communications (such as provider updates, platform features or promotional opportunities) if you have actively opted in to receive them. You can set your marketing preferences when you register your provider account or update them at any time in your account settings.

We may use your Identity, Contact, Technical, Usage and Profile Data to understand how providers engage with our platform and tailor the content of our marketing accordingly.

You can withdraw your consent or change your preferences at any time by updating your marketing settings in your account, clicking the unsubscribe link in any marketing email, or contacting us directly.

Withdrawing consent will not affect your ability to use the MediMo platform.

Third-party marketing

We will only share your personal data with third parties for their own direct marketing purposes if you have given us your express consent to do so.

Opting out of marketing

You can opt out of receiving marketing communications from us at any time by clicking the unsubscribe link in any marketing email or by contacting us directly.

If you opt out of marketing, you will still receive essential service-related communications. These include onboarding updates, profile status notifications, changes to our terms or policies, or other messages necessary to manage your account.

Cookies

We use cookies and similar technologies to improve your experience on our website, analyse how the platform is used, and personalise content. Some cookies are essential for the site to function, while others are optional and require your consent.

For more information about the cookies we use and how to manage your preferences, please see our [Cookie Policy].

6. Disclosures of your personal data

We may share your personal data with the third parties listed below, where necessary, for the purposes outlined in the table above ("How We Use Your Personal Data").

a. Internal third parties

Other companies or contractors acting on behalf of MediMo who support our platform operations, onboarding, technical infrastructure, or provider support services.

b. External third parties

• Service providers acting as processors (e.g. cloud hosting providers, analytics platforms, payment processors like Stripe, customer support platforms).
• Professional advisers including lawyers, accountants, auditors, and insurers.
• Regulators and other authorities who require reporting of processing activities in certain circumstances (e.g. HMRC, ICO, financial authorities).

c. Platform and infrastructure partners

For example, where your use of the platform involves third-party services such as Stripe (for payouts) or a supported practice management system (e.g. Cliniko, Nookal), limited personal data may be shared to enable account linking, platform functionality, or to support your provider profile and integrations.

d. Business transfers

We may share your personal data with third parties in connection with a business transaction (e.g. a merger, acquisition, or asset transfer). If such a change occurs, the new owners may use your personal data in accordance with this privacy policy.

We require all third parties to respect the security of your personal data and to treat it in accordance with applicable data protection laws. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process it for specified purposes and in accordance with our instructions.

7. International transfers

Some of our service providers are based outside the UK, or may process your personal data using servers located outside the UK. This means your data may be transferred to or stored in countries that do not have the same level of data protection as the UK.

For example, we may use providers such as Stripe (for payments) and Microsoft Clarity (for analytics), which are based outside the UK or use non-UK infrastructure.

Whenever we transfer your personal data out of the UK, we ensure that a similar degree of protection is applied to it by using appropriate safeguards. These may include:

• Only transferring personal data to countries that the UK government has deemed to provide an adequate level of data protection; or
• Using standard contractual clauses (such as the International Data Transfer Agreement or the UK Addendum to the EU Standard Contractual Clauses) to ensure your data remains protected.

To learn more about these safeguards or request a copy, you can contact us using the details in the "Contact" section below.

8. Data security

We have implemented appropriate technical and organisational security measures to protect your personal data from being accidentally lost, used or accessed in an unauthorised way, altered, or disclosed.

Access to your personal data is limited to employees, contractors, and third-party service providers who have a legitimate business need to access it. They will only process your data on our instructions and are subject to strict confidentiality obligations.

We also have procedures in place to deal with any suspected personal data breach. Where we are legally required to do so, we will notify you and the relevant regulator of any such breach.

9. Data retention

How long will you use my personal data for?

We will only retain your personal data for as long as reasonably necessary to fulfil the purposes we collected it for, including to comply with legal, regulatory, tax, accounting, or reporting obligations.

We may retain your personal data for a longer period in the event of a complaint, or if we reasonably believe there is a prospect of a legal claim in connection with our relationship with you (for example, relating to payments, profile listings, or onboarding decisions).

To determine the appropriate retention period, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure, the purposes for which we process your data, and whether those purposes can be achieved through other means, as well as applicable legal and regulatory requirements.

By law, we are required to retain certain basic information about our providers (including Identity, Contact, Financial and Transaction Data) for up to six years after their account is closed or their last financial activity, for tax and accounting purposes.

In some circumstances, you can ask us to delete your data --- see Section 10: Your legal rights for more information.

We may also anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes. In such cases, we may use this information indefinitely without further notice to you.

10. Your legal rights

You have a number of rights under UK data protection laws in relation to your personal data. These include the right to:

• Request access to your personal data (a "subject access request") -- to receive a copy of the personal data we hold about you and check that we are processing it lawfully.
• Request correction of the personal data we hold -- to have any incomplete or inaccurate information corrected. We may need to verify the accuracy of any new data you provide.
• Request erasure of your personal data -- in certain circumstances, such as where there is no good reason for us to continue processing it, where you've withdrawn consent, or where we're required to delete it by law. We may not always be able to comply with your request for specific legal reasons, which we will explain to you at the time if applicable.
• Object to processing, where we are relying on legitimate interests (ours or a third party's), including any profiling based on those interests. We may be able to demonstrate compelling grounds to continue processing.

You also have an absolute right to object to direct marketing at any time. See "Opting out of marketing" for how to do this.

• Request the transfer of your personal data (data portability) -- where we process your data by automated means under consent or contract, we can provide it to you or a third party in a structured, commonly used, machine-readable format.
• Withdraw consent at any time -- where we rely on consent to process your personal data (see the table in Section 4 for examples). This will not affect the lawfulness of any processing carried out before you withdraw consent. If withdrawing consent affects the services we can offer you, we will explain this at the time.
• Request restriction of processing -- in certain circumstances, you can ask us to suspend the processing of your personal data. This may apply:
  • if you want us to establish the data's accuracy;
  • where our use of the data is unlawful but you do not want us to erase it;
  • where you need us to retain the data even if we no longer need it, for example to establish, exercise or defend legal claims; or
  • you have objected to our use of your data, but we need to verify whether we have overriding legitimate grounds to continue processing.

If you wish to exercise any of these rights, please contact us using the details set out in Section 11: Contact details.

No fee usually required

You will not have to pay a fee to exercise your rights. However, we may charge a reasonable fee or refuse to comply if your request is clearly unfounded, repetitive or excessive.

What we may need from you

To protect your personal data, we may need to request specific information to confirm your identity and ensure your right to access or exercise any other rights. We may also contact you for further details to help us respond more quickly.

Time limit to respond

We aim to respond to all legitimate requests within one month. If your request is particularly complex or you have made several requests, we may take longer but will keep you informed throughout.

11. Contact details

If you have any questions about this privacy policy or how we handle your personal data, or if you would like to exercise any of your privacy rights, please contact us using the details below:

12. Complaints

You have the right to make a complaint at any time to the Information Commissioner's Office (ICO), the UK regulator for data protection issues (www.ico.org.uk). We would, however, appreciate the chance to deal with your concerns before you approach the ICO so please contact us in the first instance.

13. Changes to the privacy policy and your duty to inform us of changes

We keep our privacy policy under regular review. This version was created on 22/05/2025 and is the first version of this policy.

It's important that the personal data we hold about you is accurate and up to date. Please let us know if your personal information changes during your relationship with MediMo, such as your email address, phone number or business address.

14. Third-party links

This website may include links to third-party websites, plug-ins or applications. Clicking on those links or enabling those features may allow third parties to collect or share data about you.

We do not control these third-party websites and are not responsible for their privacy practices. When you leave our website, we encourage you to read the privacy policy of every website you visit.