Privacy policy

This policy was last updated on 4 February 2025.

Introduction 

We respect your privacy and take the protection of personal information very seriously. This privacy policy describes what personal information we collect and/or receive from an End-User, including personal information of any data subjects whose personal information is shared with us by an End-User. Unless the context indicates otherwise, our privacy policy applies to users and resellers of any of our services, software platforms or applications, visitors to any MedBrief websites and persons submitting personal information to us via other channels such as online surveys and forms (individually and collectively referred to in this policy as “the Services”). By using our Services, you agree to the terms and conditions set out in this privacy policy. Where you provide us with the personal information of a third party, you warrant and represent that you have all necessary consents and authorisations to do so. 

Where used in this policy, the terms “you”, “End-User” or “Reseller” mean the person making use of and/or reselling any of our Services and “we” or “our” means MedBrief or its Licensors as defined in the MedBrief Terms of Use.

It is important that you read this privacy policy together with other terms and conditions and/or policies we provide. 

Commitments to privacy 

We are committed to maintaining the confidentiality, integrity and security of personal information and we will take all appropriate technical and organisational security measures to ensure that where any personal information is provided to us it will be protected against loss, destruction and damage, and against unauthorised or accidental access, processing, erasure, transfer, use, modification, disclosure or other misuse. 

We shall not disclose to any person any personal data of a data subject that is processed or hosted by us unless such disclosure complies in all respects with the provisions of any applicable data protection legislation or regulations relating to the data subject. 

Information we collect and receive 

We collect personal information that is necessary for us to provide End-Users with our services. We only collect and use the minimum personal information we need to provide and improve our services. 

Examples of personal information which we may collect and process include, but are not necessarily limited to, information relating to an End-User’s name, email and/or physical address, fixed or mobile phone number, location information and in some circumstances (provided the End-User has explicitly consented to or authorised us to collect or process this personal information) age, gender, reproductive status, marital status, national, ethnic or social origin, sexual orientation, physical or mental health information and medical records, disability, conscience, belief, culture, language and birth of the individual, educational, criminal or employment history of the individual, personal income and financial status or information relating to insurance or financial transactions in which they have been involved. 

We collect and receive information in the following ways:

Information given to us 

MedBrief software users may be required to submit limited personal information when accessing the Services including a username, email address and password for the purposes of protecting user accounts against unauthorised access. In addition, documents and files contained in the Services may contain the personal information of third parties.

We collect personal information through direct interactions with the End-User and when they: 

  • Complete forms, sign up for an account, or subscribe or register to access or use our services. 
  • Contact us using our Contact Us form.
  • Apply for a position advertised on our Careers page.
  • Complete surveys.

Information we automatically collect or receive 

We may automatically record certain information about the use of our Services such as account activity, browsing actions and patterns, the device used to access our Services, geographic information and other log information. 

The information we receive by using our Services, including our website, other online services, applications, email messages and advertisements, if any, is collected using cookies, web beacons and other technologies. 

A cookie is a small data file stored on the web browser on a computer’s hard drive. Cookies and other technologies allow us to count how many users visited certain web pages within our website, their personal preferences and to measure the effectiveness of our website and electronic advertisements for different computing devices and regions.

A web beacon is a small image file that we place on our Services or in an email. We use it to track how many times a web page is accessed, the time it was accessed and the location of users who accessed it. 

Examples of information we collect using the technologies described above include: 

  • IP address – a numerical code to identify a device, together with the country, region or city in which you are located.
  • Activity while using our Services (e.g. login frequency, actions taken, etc.) 
  • Browsing history of the content visited on our sites, including how you were referred to our sites via other websites. 
  • Your device information (e.g. type of device, operating system, browser, etc.) 

Refer to our Cookie Policy for more information about our use of cookies and how to manage them. 

How we use the information we collect and/or receive 

We process and use personal data we collect and/or receive only where required for specific purposes, for example: 

  • Managing our contractual and/or employment relationships. 
  • Facilitating communication with you. 
  • Operating and managing our business operations including or being part of the provision of our services to our clients and their employees/contractors and their customers. 
  • Complying with legal requirements. 
  • Monitoring use of any of our Services. 
  • Improving the security and functioning of our Services, websites, networks and information systems. 
  • Applying analytics to business operations and data to describe, predict and improve business performance within MedBrief and/or to provide a better user experience. 
  • Improving or developing the range of products and services that we can offer our customers. 

In the event of information collected for recruitment/employment purposes, personal information may be used to: 

  • Assess the applicant’s suitability for employment for the role applied for. 
  • Manage an application. 
  • Facilitate communication with the applicant.  
  • Administer employee benefits.
  • Perform any legally required reporting and respond to legal process. 

We will never disclose confidential, personal or sensitive data without the consent of the party to whom we owe the duty of confidentiality and/or the data subject concerned. We may process and transfer anonymised data in our reasonable discretion including within the Licensor’s group of companies. 

How long we retain personal information 

We will retain your personal data only for as long as is necessary. We maintain specific records management and retention policies and procedures, so that personal data are deleted after a reasonable time according to the following retention criteria: 

  • We retain your data for as long as we have an ongoing relationship with you (in particular if you have an account with us). 
  • We will only keep the data while your account is active or for as long as needed to provide services to you. 
  • We retain your data for as long as needed to comply with our global legal and contractual obligations. 

If we no longer need your data, we will delete it or make it anonymous by removing all details that identify you. If we have asked for your permission to process your personal data and we have no other lawful grounds to continue with that processing, we will delete your personal data. 

How we protect personal information 

We adopt market-leading security measures to protect your personal data. This includes (without limitation):

  • We hold an ISO27001 certification, which indicates that we adhere to the highest and strictest information security standards. This is a security standard awarded by the British Standards Institution (“BSI”) that serves as international certification that MedBrief adheres to the highest and strictest standards. This certification is the only auditable international standard that defines the requirements for an Information Security Management System (“ISMS”) and confirms that MedBrief’s processes and security controls provide an effective framework for protecting our clients’ and our own information. 
  • We hold a Cyber Essentials and Cyber Essentials Plus certification that demonstrates that MedBrief is protecting itself by implementing the most important cyber security controls. A team of experts review the scheme at regular intervals to ensure it stays effective in the ever-evolving threat landscape. 
  • We have regular penetration testing performed by a third-party provider, which continues to show the strength of our technical defences. 

APIs and third-party processing

Where, for the purpose of providing the Services to you, any MedBrief Service acts as an Application Programming Interface (“API”) for the purpose of specifying how different software systems should interact with each other, or where for that same purpose any MedBrief Service interacts with other APIs, including third party APIs, we may pass and retrieve data, including personal information, between the different software systems and third parties that interact via those APIs. Where we make use of third party service providers to help us provide the Services to you, including for the purposes of retrieving or delivering information, records, notifications or other messages to you or your End-Users or for hosting or providing any component of our services to you, we require such third parties to maintain the confidentiality of any personal information we provide to them for these purposes. Some of these third parties may be situated outside of your country and you consent to your personal data and that of any data subjects you provide to us being transferred cross-border so that we can provide the Services to you. In this regard, we ensure that we comply with the relevant data protection laws and regulations of the territory in which a data subject is located and we engage only with reputable third party service providers who have security and privacy policies and procedures providing an adequate level of protection, or the same level of protection as we do ourselves. You warrant that you have all necessary permissions to give us the above consent.

Your rights regarding the personal data that we hold about you 

You have the following rights in relation to the personal information we hold about you: 

  • You have the right to receive a copy of the personal data we hold about you. 
  • You have the right to correct the personal data we hold about you. 
  • Where applicable, you may also have a right to receive a machine-readable copy of your personal data. 
  • You also have the right to ask us to delete your personal data or restrict how it is used. There may be exceptions to the right to erasure for specific legal reasons which, if applicable, we will set out for you in response to your request. 
  • Where you have provided us with consent to use your personal data, you can withdraw this consent at any time. 
  • You have the right to lodge a complaint with the supervisory authority if you have a concern about any aspect of our privacy practices, including the way we have handled your personal data. Where this relates to a UK data subject or any data processing subject to UK law, you can report it to the UK Information Commissioner’s Office (ICO). You can find details about how to do this on the ICO website at https://ico.org.uk/concerns/ or by calling their helpline on 0303 123 1113. 

Communications with you 

We communicate with our End-Users, resellers and other persons by email and other messaging applications. We may invite you to opt in to promotional communications from us that are not strictly related to the provision of the Services to you. 

Revisions and termination 

This policy may be updated from time to time at our discretion and changes will become effective upon posting to our website. 

Any changes we may make to this privacy policy will be posted on this page. If changes are significant, we may choose to notify you by email or to clearly indicate on our home page that the policy has been updated. 

If MedBrief merges with, or is acquired by, any other business, you acknowledge that your personal information may fall under the control of another person. 

Questions and comments 

If you have questions, comments, concerns or feedback regarding this Privacy Policy, please send an e-mail to [email protected] 

MedBrief is a company registered in England and Wales under company number 10632197. Our registered office is at Unit 5 Avenue Terrace Avenue Road, Aston, Birmingham, England, B6 4DY.