GDPR Compliance

Last updated: 9 December 2025

Our Commitment to GDPR

VitalApp is fully committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. As a healthcare service provider handling sensitive personal and health data, we take our data protection responsibilities seriously and have implemented comprehensive measures to ensure the privacy and security of your information.

Data Protection Principles

We process all personal data in accordance with the following GDPR principles:

  • Lawfulness, fairness and transparency: We process your data lawfully, fairly, and in a transparent manner
  • Purpose limitation: We collect data for specified, explicit, and legitimate purposes only
  • Data minimisation: We only collect data that is adequate, relevant, and necessary
  • Accuracy: We ensure personal data is accurate and kept up to date
  • Storage limitation: We retain data only as long as necessary for the purposes collected
  • Integrity and confidentiality: We implement appropriate security measures to protect your data
  • Accountability: We take responsibility for complying with GDPR and can demonstrate our compliance

Legal Basis for Processing

We process your personal and health data under the following legal bases:

  • Consent: You have given explicit consent for us to process your health data for healthcare monitoring purposes
  • Contract: Processing is necessary for the performance of our service contract with you
  • Legal obligation: Processing is necessary for compliance with healthcare regulations and legal requirements
  • Vital interests: Processing is necessary to protect your vital interests in emergency healthcare situations
  • Public interest: Processing is necessary for the provision of healthcare services in the public interest

Your Rights Under GDPR

Under UK GDPR, you have the following rights regarding your personal data:

1. Right to Access

You have the right to request copies of your personal data, and we will normally provide them free of charge. Where a request is manifestly unfounded or excessive (for example, repetitive), we may charge a reasonable fee or refuse to act on it, and we will explain our reasons if we do.

2. Right to Rectification

You have the right to request correction of inaccurate or incomplete personal data.

3. Right to Erasure

You have the right to request deletion of your personal data in certain circumstances. This right is subject to legal retention requirements for health records.

4. Right to Restrict Processing

You have the right to request restriction of processing your personal data in certain circumstances.

5. Right to Data Portability

Where we process your data by automated means on the basis of your consent or a contract with you, you have the right to receive that data in a structured, commonly used and machine-readable format, and to have it transmitted directly to another service provider where technically feasible.

6. Right to Object

You have the right to object to processing of your personal data in certain circumstances, including direct marketing.

7. Rights Related to Automated Decision Making

You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects.

How to Exercise Your Rights

To exercise any of your GDPR rights, please contact us using the details below. We will respond to your request within one month of receipt. Where a request is complex, or you have made several requests, we may extend this period by up to a further two months; if so, we will tell you within the first month and explain why the extension is needed.

When making a request, please provide sufficient information to identify yourself and specify which right you wish to exercise. We may request additional information to verify your identity before processing your request.

Data Security Measures

We have implemented comprehensive technical and organisational security measures including:

  • Encryption of data in transit and at rest
  • Regular security audits and penetration testing
  • Multi-factor authentication and access controls
  • Staff training on data protection and information security
  • Incident response and breach notification procedures
  • Regular backups and disaster recovery planning
  • Compliance with the NHS Data Security and Protection Toolkit (DSPT)

Data Breach Procedures

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the Information Commissioner's Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach. If the breach is likely to result in a high risk to your rights and freedoms, we will also notify affected individuals without undue delay, describing the nature of the breach, its likely consequences, the measures we have taken and the steps you can take to protect yourself.

International Data Transfers

We primarily store and process your data within the United Kingdom. If we transfer data outside the UK, we do so only to countries covered by UK adequacy regulations or with appropriate safeguards in place, such as the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, to protect your data in accordance with UK GDPR requirements.

Children's Privacy

When processing personal data of children under 16, we obtain consent from a parent or guardian with parental responsibility. We take extra care to protect children's privacy and ensure information is communicated in an age-appropriate manner.

Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our GDPR compliance. You can contact our DPO for any questions about data protection or to exercise your rights:

Data Protection Officer

VitalApp - Vital Health Systems

113 Crawford Street, Marylebone

London, W1H 2JG

Phone: 0203 105 9921

Email: info@vitalapp.co.uk

Right to Lodge a Complaint

If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with the supervisory authority:

Information Commissioner's Office (ICO)

Wycliffe House, Water Lane

Wilmslow, Cheshire, SK9 5AF

Helpline: 0303 123 1113

Website: ico.org.uk

Updates to This Policy

We may update this GDPR Compliance statement from time to time to reflect changes in our practices or legal requirements. We will notify you of any significant changes and update the "Last updated" date at the top of this page.

Contact Us

For any questions about our GDPR compliance or data protection practices, please contact us:

VitalApp

113 Crawford Street, Marylebone

London, W1H 2JG

Phone: 0203 105 9921

Email: info@vitalapp.co.uk