Legal · InPractice Health

Privacy Policy

This policy explains how InPractice Health handles personal information across our public website, business relationships and contracted services.

Effective date: July 11, 2026

01

Scope and our role

This Privacy Policy applies to InPractice Health websites, business communications, product inquiries and services that link to this policy (collectively, the “Services”). It applies to website visitors, prospective and current customers, research and data partners, authorised platform users and other business contacts.

When we act as controller

InPractice Health determines how and why personal information is used when you browse our website, submit an inquiry, communicate with us, or when we manage our own business, security and compliance activities.

When we act for a customer

For information submitted to or connected with a customer workspace, the customer generally determines the purposes of processing. InPractice Health acts as a processor, service provider or Business Associate, as applicable, under the customer agreement, Data Processing Agreement and/or Business Associate Agreement. If your request concerns information controlled by a clinic or other customer, please contact that organisation first. We assist customers with verified requests as required by contract and law.

This policy does not replace a clinic’s patient privacy notice, a signed customer agreement, DPA, BAA, data licence or research agreement. Those documents govern the relevant processing and control if their terms conflict with this general policy.

02

Information we collect

Information you provide

  • Contact information, including first name, surname, work email, mobile phone and country.
  • Professional information, such as organisation, role, clinic or partner type, and areas of interest.
  • Communications, inquiry messages, support requests, meeting notes and feedback.
  • Account and authentication information for authorised platform users.
  • Billing, contracting and transaction information provided in a business relationship.

Information collected when you use the Services

  • Device and network information, including IP address, browser type, operating system, referring URL and approximate location inferred from IP.
  • Service activity, including dates and times of access, feature interactions, queries, reports, diagnostics and security events.
  • Cookie and browser-storage preferences described in our Cookie Policy.

Customer and clinical information

Customers may connect clinical, operational, appointment, treatment, product, image, inventory, consent or business-system data. This may include health information and other sensitive information. We process this information only as authorised by the applicable customer agreement, customer instructions and law.

Derived, aggregated and de-identified information

We may create analytics, statistics, model outputs and de-identified or aggregated information as permitted by contract and law. Where information no longer identifies an individual and is not treated as personal information under applicable law, this policy does not restrict its use. We do not attempt to re-identify information that is required to remain de-identified.

03

Sources of information

We obtain information:

  • Directly from you when you submit a form, create an account or communicate with us.
  • From customers, authorised users and systems they choose to connect.
  • From service providers that support hosting, security, communications and business operations.
  • From public professional sources and business partners where permitted by law.
  • Automatically from devices and browsers when you use the Services.

04

How and why we use information

We use personal information only when we have an appropriate purpose and, where UK or EU data-protection law applies, a lawful basis.

PurposeTypical informationTypical lawful basis
Respond to inquiries and manage relationshipsContact, professional and communications informationLegitimate interests; steps requested before a contract; contract
Provide and support contracted ServicesAccount, customer, usage and connected-system informationContract; legitimate interests; customer instructions
Protect the Services and prevent misuseDevice, log, authentication and security informationLegitimate interests; legal obligation
Improve products, reliability and research workflowsUsage, feedback and appropriately aggregated or de-identified informationLegitimate interests; contract; consent where required
Send requested updates or marketingContact, professional and preference informationConsent where required; legitimate interests for permitted B2B communications
Meet legal, regulatory and contractual obligationsRelevant account, transaction, security and customer informationLegal obligation; contract; legitimate interests

Where we rely on legitimate interests, we consider the purpose, necessity and potential effect on individuals. You may object to this processing as described below. Where we rely on consent, you may withdraw it at any time without affecting earlier lawful processing.

05

How we disclose information

We may disclose information to:

  • Service providers and subprocessors that support cloud hosting, databases, security, communications, support, payments, professional advice and other business operations.
  • Customers and authorised users when necessary to provide the Services or respond to their instructions.
  • Research or data partners only as authorised by applicable agreements, permissions and law.
  • Government authorities, regulators, courts or other parties when required by law or reasonably necessary to protect rights, safety, security and the integrity of the Services.
  • A buyer, investor or successor in connection with a financing, merger, acquisition, reorganisation or sale of assets, subject to appropriate confidentiality and legal safeguards.
InPractice Health does not sell personal information or share it for cross-context behavioural advertising. If that practice changes, we will update this policy and provide legally required choices before doing so.

06

Cookies and similar technologies

Our current public website uses essential browser storage to remember display and privacy choices. Optional analytics and marketing technologies are disabled unless you consent. You can accept, reject or customise optional categories and reopen Cookie Preferences from the website footer at any time.

See our Cookie Policy for the current inventory, purposes and durations.

07

How long we retain information

We keep personal information only for as long as reasonably necessary for the purpose for which it was collected, including to provide Services, maintain security, comply with law, resolve disputes and enforce agreements. The criteria differ by record type:

  • Inquiry and business-contact records are retained while the relationship is active and for a reasonable follow-up period.
  • Customer account and service data is retained for the contract term and any required return, deletion, backup or legal period.
  • Customer-controlled clinical information is retained according to customer instructions and the applicable agreement, DPA or BAA.
  • Security and diagnostic logs are retained for periods proportionate to fraud prevention, incident response and reliability needs.
  • Privacy choices are retained for six months unless replaced sooner.

When retention is no longer justified, we delete, de-identify or securely isolate the information, subject to technical backup cycles and legal preservation requirements.

08

Security

We use administrative, technical and physical safeguards designed to protect information against unauthorised access, loss, misuse, alteration and disclosure. Measures may include encryption, access controls, logging, environment separation, vendor review, workforce confidentiality obligations and incident-response procedures, as appropriate to the risk.

No method of transmission or storage is completely secure. You are responsible for protecting your credentials and notifying us promptly of suspected unauthorised access.

09

Health data and HIPAA

When InPractice Health processes Protected Health Information on behalf of a HIPAA covered entity or another Business Associate, the applicable BAA governs permitted uses, safeguards, incident reporting, subcontractors and return or destruction of PHI. InPractice Health does not use customer PHI for independent advertising purposes.

HIPAA does not apply to every type of health-related information or every organisation. Where other consumer-health, breach-notification or state privacy laws apply, we process information according to the relevant role, agreement and legal requirements.

10

International data transfers

InPractice Health is based in the United States, and information may be processed in the United States and other countries where we or our service providers operate. Those countries may have data-protection rules different from those in your location.

Where required for transfers from the UK, European Economic Area or Switzerland, we use an approved transfer mechanism such as an adequacy decision, the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum or another lawful safeguard, together with supplementary measures where appropriate.

11

Your rights and choices

UK, EEA and similar rights

Depending on the law that applies, you may request access, correction, deletion, restriction, portability or objection; withdraw consent; and ask about safeguards used for international transfers. You may also lodge a complaint with your local supervisory authority.

United States privacy rights

Residents of certain US states may have rights to know or access, correct, delete and obtain a portable copy of personal information; opt out of certain sale, sharing, targeted advertising or profiling; limit certain uses of sensitive information; appeal a denied request; and receive equal service without discrimination for exercising a privacy right. These rights and exceptions vary by state and may not apply in every circumstance.

How to exercise a right

Email privacy@inpracticehealth.com with your request and the relationship or service involved. We may request information needed to verify your identity and authority. An authorised agent may submit a request where permitted by law. If customer-controlled data is involved, we may direct the request to the customer.

Marketing and cookie choices

You can unsubscribe using the link in a marketing email or contact us. You can change optional browser-storage choices using Cookie Preferences. We recognise Global Privacy Control for the marketing category as described in our Cookie Policy.

12

Children

The Services are intended for organisations and adults acting in a professional capacity. We do not knowingly collect personal information directly from children through the public website. Customer-controlled information about minors, if any, is processed only under customer instructions, applicable agreements and law.

13

Changes, contact and complaints

We may update this policy to reflect changes in our Services, practices or legal obligations. We will post the revised policy with a new effective date and provide additional notice when required.

Contact InPractice Health

Privacy questions and requests may be sent to privacy@inpracticehealth.com. Please do not send medical records or other sensitive health information by ordinary email.

Complaints

Please contact us first so we can investigate. If UK data-protection law applies, you may also complain to the UK Information Commissioner’s Office. EEA residents may complain to the supervisory authority in their country. US residents may contact their state attorney general or privacy regulator where applicable.