01
Scope and our role
This Privacy Policy applies to InPractice Health websites, business communications, product inquiries and services that link to this policy (collectively, the “Services”). It applies to website visitors, prospective and current customers, research and data partners, authorised platform users and other business contacts.
When we act as controller
InPractice Health determines how and why personal information is used when you browse our website, submit an inquiry, communicate with us, or when we manage our own business, security and compliance activities.
When we act for a customer
For information submitted to or connected with a customer workspace, the customer generally determines the purposes of processing. InPractice Health acts as a processor, service provider or Business Associate, as applicable, under the customer agreement, Data Processing Agreement and/or Business Associate Agreement. If your request concerns information controlled by a clinic or other customer, please contact that organisation first. We assist customers with verified requests as required by contract and law.
02
Information we collect
Information you provide
- Contact information, including first name, surname, work email, mobile phone and country.
- Professional information, such as organisation, role, clinic or partner type, and areas of interest.
- Communications, inquiry messages, support requests, meeting notes and feedback.
- Account and authentication information for authorised platform users.
- Billing, contracting and transaction information provided in a business relationship.
Information collected when you use the Services
- Device and network information, including IP address, browser type, operating system, referring URL and approximate location inferred from IP.
- Service activity, including dates and times of access, feature interactions, queries, reports, diagnostics and security events.
- Cookie and browser-storage preferences described in our Cookie Policy.
Customer and clinical information
Customers may connect clinical, operational, appointment, treatment, product, image, inventory, consent or business-system data. This may include health information and other sensitive information. We process this information only as authorised by the applicable customer agreement, customer instructions and law.
Derived, aggregated and de-identified information
We may create analytics, statistics, model outputs and de-identified or aggregated information as permitted by contract and law. Where information no longer identifies an individual and is not treated as personal information under applicable law, this policy does not restrict its use. We do not attempt to re-identify information that is required to remain de-identified.
03
Sources of information
We obtain information:
- Directly from you when you submit a form, create an account or communicate with us.
- From customers, authorised users and systems they choose to connect.
- From service providers that support hosting, security, communications and business operations.
- From public professional sources and business partners where permitted by law.
- Automatically from devices and browsers when you use the Services.
04
How and why we use information
We use personal information only when we have an appropriate purpose and, where UK or EU data-protection law applies, a lawful basis.
| Purpose | Typical information | Typical lawful basis |
|---|---|---|
| Respond to inquiries and manage relationships | Contact, professional and communications information | Legitimate interests; steps requested before a contract; contract |
| Provide and support contracted Services | Account, customer, usage and connected-system information | Contract; legitimate interests; customer instructions |
| Protect the Services and prevent misuse | Device, log, authentication and security information | Legitimate interests; legal obligation |
| Improve products, reliability and research workflows | Usage, feedback and appropriately aggregated or de-identified information | Legitimate interests; contract; consent where required |
| Send requested updates or marketing | Contact, professional and preference information | Consent where required; legitimate interests for permitted B2B communications |
| Meet legal, regulatory and contractual obligations | Relevant account, transaction, security and customer information | Legal obligation; contract; legitimate interests |
Where we rely on legitimate interests, we consider the purpose, necessity and potential effect on individuals. You may object to this processing as described below. Where we rely on consent, you may withdraw it at any time without affecting earlier lawful processing.
05
How we disclose information
We may disclose information to:
- Service providers and subprocessors that support cloud hosting, databases, security, communications, support, payments, professional advice and other business operations.
- Customers and authorised users when necessary to provide the Services or respond to their instructions.
- Research or data partners only as authorised by applicable agreements, permissions and law.
- Government authorities, regulators, courts or other parties when required by law or reasonably necessary to protect rights, safety, security and the integrity of the Services.
- A buyer, investor or successor in connection with a financing, merger, acquisition, reorganisation or sale of assets, subject to appropriate confidentiality and legal safeguards.
07
How long we retain information
We keep personal information only for as long as reasonably necessary for the purpose for which it was collected, including to provide Services, maintain security, comply with law, resolve disputes and enforce agreements. The criteria differ by record type:
- Inquiry and business-contact records are retained while the relationship is active and for a reasonable follow-up period.
- Customer account and service data is retained for the contract term and any required return, deletion, backup or legal period.
- Customer-controlled clinical information is retained according to customer instructions and the applicable agreement, DPA or BAA.
- Security and diagnostic logs are retained for periods proportionate to fraud prevention, incident response and reliability needs.
- Privacy choices are retained for six months unless replaced sooner.
When retention is no longer justified, we delete, de-identify or securely isolate the information, subject to technical backup cycles and legal preservation requirements.
08
Security
We use administrative, technical and physical safeguards designed to protect information against unauthorised access, loss, misuse, alteration and disclosure. Measures may include encryption, access controls, logging, environment separation, vendor review, workforce confidentiality obligations and incident-response procedures, as appropriate to the risk.
No method of transmission or storage is completely secure. You are responsible for protecting your credentials and notifying us promptly of suspected unauthorised access.
09
Health data and HIPAA
When InPractice Health processes Protected Health Information on behalf of a HIPAA covered entity or another Business Associate, the applicable BAA governs permitted uses, safeguards, incident reporting, subcontractors and return or destruction of PHI. InPractice Health does not use customer PHI for independent advertising purposes.
HIPAA does not apply to every type of health-related information or every organisation. Where other consumer-health, breach-notification or state privacy laws apply, we process information according to the relevant role, agreement and legal requirements.
10
International data transfers
InPractice Health is based in the United States, and information may be processed in the United States and other countries where we or our service providers operate. Those countries may have data-protection rules different from those in your location.
Where required for transfers from the UK, European Economic Area or Switzerland, we use an approved transfer mechanism such as an adequacy decision, the European Commission Standard Contractual Clauses, the UK International Data Transfer Addendum or another lawful safeguard, together with supplementary measures where appropriate.
11
Your rights and choices
UK, EEA and similar rights
Depending on the law that applies, you may request access, correction, deletion, restriction, portability or objection; withdraw consent; and ask about safeguards used for international transfers. You may also lodge a complaint with your local supervisory authority.
United States privacy rights
Residents of certain US states may have rights to know or access, correct, delete and obtain a portable copy of personal information; opt out of certain sale, sharing, targeted advertising or profiling; limit certain uses of sensitive information; appeal a denied request; and receive equal service without discrimination for exercising a privacy right. These rights and exceptions vary by state and may not apply in every circumstance.
How to exercise a right
Email privacy@inpracticehealth.com with your request and the relationship or service involved. We may request information needed to verify your identity and authority. An authorised agent may submit a request where permitted by law. If customer-controlled data is involved, we may direct the request to the customer.
Marketing and cookie choices
You can unsubscribe using the link in a marketing email or contact us. You can change optional browser-storage choices using Cookie Preferences. We recognise Global Privacy Control for the marketing category as described in our Cookie Policy.
12
Children
The Services are intended for organisations and adults acting in a professional capacity. We do not knowingly collect personal information directly from children through the public website. Customer-controlled information about minors, if any, is processed only under customer instructions, applicable agreements and law.
13
Changes, contact and complaints
We may update this policy to reflect changes in our Services, practices or legal obligations. We will post the revised policy with a new effective date and provide additional notice when required.
Contact InPractice Health
Privacy questions and requests may be sent to privacy@inpracticehealth.com. Please do not send medical records or other sensitive health information by ordinary email.
Complaints
Please contact us first so we can investigate. If UK data-protection law applies, you may also complain to the UK Information Commissioner’s Office. EEA residents may complain to the supervisory authority in their country. US residents may contact their state attorney general or privacy regulator where applicable.