
Privacy Policy

PUBLIC

Deep-Medical Ltd

External Privacy Notice

 

Document Control

 

OWNER: Deep-Medical
APPROVER:
CLASSIFICATION: Public
DATE OF ISSUE: 10/10/25
ISSUE: V2.0
REASON FOR ISSUE/UPDATE: Second Issue (Draft)
NEXT REVIEW: 10/10/26
DISTRIBUTION: Online, on Deep Medical’s website

 

VERSION | AUTHOR | SUMMARY OF CHANGES | DATE
1.0 | Evalian Limited | First version | 10/06/24
2.0 | Evalian Limited | Second version (minor amendments) | 10/10/25

 

Document Release:

This document remains the property of Deep Medical. Release to regulatory authorities is permitted as required. Release to other organisations or individuals may only be authorised by Deep-Medical Ltd Directors.


Last Updated: 10th October 2025

 

1. Who we are and what we do.

Who we are.

We are Deep-Medical Ltd (“Deep Medical”, “us”, “we”, “our”). We are a limited company registered in England and Wales under registration number 13242918 and we have our registered office at 1 Primrose Street, London, EC2A 2JN. We are registered with the UK supervisory authority, Information Commissioner’s Office (“ICO”) in relation to our processing of Personal Data under registration number ZB228006.

What we do

We are in the business of using artificial intelligence to understand human behaviour, create efficient services, and challenge health inequality. Our solutions optimise clinician time and improve patient experiences. By predicting non-attendance with over 90%* accuracy, we can get more people into urgent appointments and onto life-saving pathways sooner. Better for hospitals, better for people, better for society.

We are committed to protecting the privacy and security of the Personal Data we process about you. 

In most cases, when we process NHS patient appointment and related health data, we act as a data processor on behalf of NHS Trusts, who remain the data controllers. In those circumstances, the NHS Trust decides the purposes and lawful bases for processing. We act as a controller only in relation to our own business operations, such as website users, customers, and suppliers.

2. Purpose of this privacy notice

The purpose of this privacy notice is to explain what Personal Data we collect about you and how we process it. This privacy notice also explains your rights, so please read it carefully. If you have any questions, you can contact us using the information provided below under the ‘How to contact us’ section. 

3. Who this privacy notice applies to

This privacy notice applies to you if:

  1. You visit our website.
  2. You engage with goods or services provided by us.
  3. You enquire about our products and/or services. 

When we process NHS appointment and patient data, we do so as a processor on behalf of the NHS Trusts. Patients should refer to the Trust’s privacy notice for full details of how their data is used. This notice explains how we handle such data on their behalf.

4. What Personal Data is

‘Personal Data’ means any information from which someone can be identified either directly or indirectly. For example, you can be identified by your name or an online identifier. 

‘Special Category Personal Data’ is more sensitive Personal Data and includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying someone, data concerning physical or mental health or data concerning someone’s sex life or sexual orientation.  

5. Personal Data we collect.

The type of Personal Data we collect about you will depend on our relationship with you. For the types of Personal Data we collect, see the table below in the section entitled ‘Purposes, lawful bases, and retention periods’.

Where we act as a processor on behalf of the Data Controller, personal data will include appointment information only; however, this may imply that a patient has a health condition of some kind by virtue of the appointment type/clinic information (utilising the NHS Data Dictionary). Deep Medical does not intentionally handle specific special category data.

6. How we collect your Personal Data

We collect Personal Data directly from you in person, by telephone, text, or email and/or via our website. 

 

However, we may also collect your Personal Data from third parties such as: 

 

  • reputable companies who provide lead generation contact lists 
  • others to whom you have provided consent
  • publicly available sources such as social media platforms 
  • a Data Controller, when we act as a Data Processor on their behalf

 

7. Purposes, lawful bases, and retention periods

Where we are a Data Controller – We will only use your Personal Data when the law allows. Most commonly, we will use your Personal Data in the following circumstances:

We will only retain your data for as long as reasonably necessary to fulfil the purposes we collected it for, including to satisfy any legal, regulatory, tax, accounting or reporting requirements. We may retain your data for a longer period in the event of a complaint or if we reasonably believe there is a prospect of litigation concerning our relationship with you.

To determine the appropriate retention period for personal data, we consider the amount, nature and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your data, the purposes for which we process your data and whether we can achieve those purposes through other means, and the applicable legal, regulatory, tax, accounting, or other requirements.

In most cases, we will keep your information for three years after our relationship with you ends but where we have a contract with you, we will keep it for at least 6 years. It will vary depending on what data we hold, why we hold it and what we are obliged to do by law.

We will not keep your personal information longer than is reasonably necessary to fulfil the relevant purposes set out in this Privacy Policy and to comply or demonstrate compliance with our legal and regulatory obligations. Where we can, and it is appropriate, we will minimise personal data or de-personalise data to use for statistical or analytical purposes. In some cases, such as if a dispute or a legal action is affecting the information, we may need or be required to keep personal information for longer.

By law we have to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for at least 6 years.

In some circumstances you can ask us to delete your data: see Your legal rights below for further information.

In some circumstances, we will anonymise your data (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.

 

Where we are a Data processor in relation to NHS patient data, the lawful basis is determined by the relevant NHS Trust. This is typically Article 6(1)(e) UK GDPR – processing necessary for the performance of a public task, together with Article 9(2)(h) – processing necessary for the management of health or social care systems and services. We only process such data under the documented instructions of the NHS Trust.

We also collect, use, and share aggregated data such as statistical or demographic data for any purpose. Aggregated data could be derived from your personal data but is not considered personal data in law as this data will not directly or indirectly reveal your identity. For example, we may aggregate your Usage Data to calculate the percentage of users accessing a specific feature or page of our website. However, if we combine or connect aggregated data with your data so that it can directly or indirectly identify you, we treat the combined data as personal data which will be used in accordance with this privacy policy.

8. Sharing your Personal Data

We may share your personal data with trusted third parties, but only when it is necessary for the purposes described in this Privacy Notice and in accordance with applicable data protection laws. These third parties may include:

  • Service providers and business partners who perform services on our behalf (such as payment processing, IT support, analytics, marketing, and delivery services).
  • Regulators, law enforcement, or other legal authorities when required to comply with legal obligations or to protect our rights, safety, and property.
  • Professional advisors such as auditors, insurers, and legal representatives in the course of legitimate business operations.
  • Affiliates or group companies where necessary to provide our services or operate our business.

We do not sell or rent your personal data to third parties. Whenever we share data, we ensure that appropriate safeguards are in place to protect your information, including data protection agreements where required.

9. International Transfers

Your Personal Data will not be processed outside the European Economic Area (“EEA”). While we do not routinely transfer your data outside the EEA, should we do so, we will only do this as permitted by data protection legislation.

10. Security

All information you provide to us is stored on secure cloud servers. Once we have received your information, we will use strict procedures and security features to try to prevent your data from being accidentally lost, used, or accessed in an unauthorised way. We will collect and store personal data on your Device using application data caches, browser web storage (including HTML5) and other technology. We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator when we are legally required to do so.

We use a range of technical and organisational measures to protect personal data, including encryption, pseudonymisation, strict access controls, staff training, and continuous monitoring. When handling sensitive health data, we apply enhanced safeguards to ensure confidentiality, integrity, and availability at all times.

11. Your rights and how to complain.

You have certain rights in relation to the processing of your Personal Data, including:

  • Right to be informed

You have the right to know what personal data we collect about you, how we use it, for what purpose and in accordance with which lawful basis, who we share it with and how long we keep it. We use our privacy notice to explain this.

  • Right of access (commonly known as a “Subject Access Request”)

You have the right to receive a copy of the Personal Data we hold about you.

  • Right to rectification 

You have the right to have any incomplete or inaccurate information we hold about you corrected.

  • Right to erasure (commonly known as the right to be forgotten)

You have the right to ask us to delete your Personal Data.

  • Right to object to processing

You have the right to object to us processing your Personal Data. If you object to us using your Personal Data for marketing purposes, we will stop sending you marketing material. 

  • Right to restrict processing

You have the right to restrict our use of your Personal Data. 

  • Right to portability

You have the right to ask us to transfer your Personal Data to another party.

  • Automated decision-making

You have the right not to be subject to a decision based solely on automated processing which will significantly affect you. We do not use automated decision-making.

We use artificial intelligence models to generate predictions about the likelihood of a patient missing an appointment. These outputs are used to support NHS staff in their planning and decision-making, but they are not used to make final decisions about care without human involvement. This means you will not be subject to a decision based solely on automated processing.

  • Right to withdraw consent

If you have provided your consent for us to process your Personal Data for a specific purpose, you have the right to withdraw your consent at any time. If you do withdraw your consent, we will no longer process your information for the purpose(s) you originally agreed to, unless we are permitted by law to do so.

  • Right to lodge a complaint

You have the right to lodge a complaint with the relevant supervisory authority if you are concerned about the way in which we are handling your Personal Data. The supervisory authority in the UK is the Information Commissioner’s Office who can be contacted online at:

Contact us | ICO

Or by telephone on 0303 123 1113

How to exercise your rights

You will not usually need to pay a fee to exercise any of the above rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances. 

If you wish to exercise your rights, you may contact us using the details set out below within the section called ‘How to contact us and our Data Protection Officer’. We may need to request specific information from you to confirm your identity before we can process your request. Once in receipt of this, we will process your request without undue delay and within one month. In some cases, such as with complex requests, it may take us longer than this and, if so, we will keep you updated.  

12. Children’s Privacy

We do not offer our products and services to children, and we do not knowingly collect Personal Data of children without parental consent, unless permitted by law. If you are a child, you must have your parent’s permission to use our services. If you learn that a child has provided us with their Personal Data without parental consent, you may contact us, as described below, and if appropriate, we will securely and permanently delete it, in accordance with applicable law.

13. How to contact us and our Data Protection Officer

If you wish to contact us in relation to this privacy notice or if you wish to exercise any of your rights outlined above, please contact us as follows:

Email address: privacy@deep-medical.ai

Postal address: Deep Medical, 80 Coleman Street, London, EC2R 5BJ

 

We have also appointed a Data Protection Officer (“DPO”). Our DPO, Evalian Limited, can be contacted as follows:

Email address: DPO@Evalian.co.uk

Postal address: West Lodge, Colden Common, Leylands Business Park, Hampshire SO21 1TH

 

Please mark your communications FAO the ‘Data Protection Officer’.

14. Changes to this privacy notice

We may update this notice (and any supplemental privacy notice) from time to time, as shown below. We will notify you of the changes where required to do so by applicable law.

Last modified 10/10/25