Virtual Triage Customer Privacy Notice

1. About Virtual Triage Ltd

Virtual Triage Ltd (“Virtual Triage”, “we”, “us”, “our”) provides a digital platform that enables clinics and clinicians to offer online appointments, video consultations, secure messaging, and related administrative tools.

We are registered with the Information Commissioner’s Office (ICO), registration number ZB962983.

We are NOT a healthcare provider and do NOT access or control clinical decisions, diagnoses, or treatments.

2. Our Role Under Data Protection Law

Virtual Triage acts in two different roles, depending on the type of data.

2.1 Data Controller

We are the Data Controller for:

  • Account registration details (email, phone number, login credentials)
  • Platform usage data (logs, analytics, device information)
  • Customer support interactions
  • Billing and subscription information
  • Communication preferences

This covers non-medical information required to run the platform.

2.2 Data Processor

We act as a Data Processor on behalf of clinicians and clinics for:

  • Medical history
  • Symptoms
  • Consultation notes
  • Diagnostic attachments
  • Clinical chat messages
  • Video consultation metadata
  • Uploaded medical documents

Clinicians and clinics (the “Providers”) are the Data Controllers for all medical or health information. They determine:

  • What clinical data is collected
  • What is recorded in consultations
  • How long medical data is stored
  • Who it is shared with

Virtual Triage does NOT make decisions about clinical data.

3. Personal Information We Process

We process the following data categories when you use Virtual Triage:

3.1 Identification & Contact Information

  • Name
  • Email address
  • Mobile number
  • Address

Used for: account access, secure login, communication, appointment notifications.

3.2 Account & Platform Information

  • Login credentials
  • Device information
  • IP address
  • Audit logs (security & compliance)
  • Video call technical metadata (not call content)

Used for: security, fraud prevention, system performance, compliance logging.

3.3 Health & Special Category Data (Processed on Behalf of Providers)

  • Medical history
  • Medications
  • Allergies
  • Symptoms
  • Consultation notes
  • Clinical communications
  • Reports uploaded by the clinician or patient
  • Images/files submitted for clinical review

We process this only as a Processor, following instructions from clinicians/clinics.

3.4 Phone Numbers & SMS Services

If you provide a mobile number, we may send:

  • Appointment reminders
  • Verification codes (2FA)
  • Account alerts
  • Clinician communication notifications

Standard messaging rates may apply. You may opt out at any time by replying STOP, except for essential security messages.

4. Lawful Bases for Processing

Depending on the data type, our lawful bases include:

4.1 Legitimate Interests (Controller role)

For: maintaining platform functionality; securing user accounts; preventing fraud; product monitoring and improvement; appointment and service notifications; customer support communications.

4.2 Contract (Controller role)

To operate your account and provide the service you signed up for.

4.3 Consent (Controller role, SMS/marketing & optional data only)

If applicable, for certain non-essential communications.

4.4 Performance of a Healthcare Provider’s Tasks (Processor role)

When processing medical data under instructions from clinicians/clinics.

4.5 Explicit Consent (Processor role)

Clinicians may collect explicit patient consent to process medical data through the platform.

5. How We Use Your Information

We use your data to:

  • Enable secure logins and account creation
  • Manage appointments and communications
  • Maintain video consultation functionality
  • Store clinical notes on behalf of Providers
  • Process payments securely
  • Detect and prevent security incidents
  • Generate anonymised usage analytics
  • Comply with applicable laws

We never use clinical data for advertising.

6. Who We Share Data With

We share data only when necessary and only as allowed by law.

6.1 Healthcare Providers (Clinicians/Clinics)

  • Consultation information
  • Medical history
  • Uploaded documents
  • Messages

These Providers are the Data Controllers.

6.2 Sub-processors (Technology Partners)

Used to provide secure delivery of our services:

  • Hosting providers
  • Video communication partners
  • SMS providers (e.g., Twilio)
  • Email delivery providers
  • Payment processors (e.g., Stripe)
  • Analytics providers (anonymised where possible)

All sub-processors are bound by Data Processing Agreements.

A full sub-processing list is available upon request.

6.3 Legal Requirements

We may disclose information:

  • To comply with law, court orders, or regulatory investigations
  • To protect vital interests (immediate harm situations)
  • To prevent crime or fraud

We do NOT sell or trade personal information.

7. International Transfers

Some of our technology partners may process data outside the UK/EU. Where this occurs, we:

  • Ensure the country is deemed “adequate” OR
  • Implement Standard Contractual Clauses (SCCs) OR
  • Apply supplementary technical measures (e.g., encryption, pseudonymisation)

You may request details of our transfer mechanisms.

8. Data Retention

8.1 Clinical Data (where we act as Processor)

Retention is determined by each Provider (clinic/clinician), who may be required by law to retain medical records for defined periods. Virtual Triage deletes or returns clinical data upon Provider instruction.

8.2 Account & Platform Data (Controller role)

We retain:

  • Account data while your account is active
  • Technical logs for security (typically up to 24 months)
  • Billing records for up to 6 years (legal requirement)

You may request deletion of non-clinical data at any time.

9. Your Rights

Under UK GDPR, you have rights over your personal data:

  • Right of access
  • Right to rectification
  • Right to erasure (not applicable to clinical data stored under clinicians’ legal obligations)
  • Right to restrict processing
  • Right to object (Controller data only)
  • Right to data portability
  • Right to withdraw consent (where used)

For clinical data, requests must be directed to the relevant Provider (clinic/clinician), as they control that information.

We respond to all requests within one month.

10. Security

We apply industry-standard safeguards including:

  • AES-256 encryption
  • Encrypted backups
  • Role-based access controls
  • Audit logging
  • Secure cloud infrastructure
  • Routine penetration testing

No system is 100% secure, but we take all reasonable measures to protect your data.

11. How to Complain

You may contact us with any privacy concerns:

  • Email: teams@virtualtriage.ai
  • Phone: +44 20 3744 6851

If you remain dissatisfied, you may complain to the ICO:

Information Commissioner’s Office
Wycliffe House
Water Lane
Wilmslow
SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk

12. Updates to This Privacy Notice

We may update this Notice periodically. The latest version will always be available on our website.

Last Updated: 10-Dec-2025