At Naturecan Clinic, we are committed to protecting your personal information and being transparent about how we use it. This Privacy Notice explains what data we collect, why we collect it, how long we keep it, and what your rights are.
Please read this notice carefully. If you have any questions, contact us using the details in Section 13.
1. Who We Are
Naturecan Clinic is a remote specialist prescribing service operating under the trading name Naturecan Clinic.
| Legal name | Ropana Clinics Ltd |
| Registered address | Bank Chambers, St. Petersgate, Stockport, England, SK1 1AR |
| Company number | 14307655 |
| CQC registration | 1-14518645695 |
| Data Controller email | support-uk@naturecanclinic.com |
| Data Protection Lead | See Section 13 |
Ropana Clinics Ltd is registered with the Care Quality Commission (CQC) as an independent healthcare provider and is the Data Controller for all personal data processed in connection with your clinical care.
2. What Personal Data We Collect
Depending on how you use our service, we may collect the following categories of personal data. This notice applies to both registered patients and prospective patients who make an enquiry before registering.
Identity and Contact Information
-
Full name, date of birth, gender
-
Home address, email address, and telephone number
-
NHS number (where applicable)
-
Proof of identity documents (e.g. passport, driving licence) — may be requested at registration
Medical and Health Information
-
Summary Care Record (SCR) obtained from your GP or uploaded by you
-
Medical history, diagnoses, current medications, and prior treatment history
-
Information shared during your clinical consultation
-
Symptom tracker data submitted through our patient portal
-
A transcript of your video consultation, generated from the call recording and reviewed by your clinician before being stored as part of your clinical record
-
Prescribing decisions and treatment parameters set by your doctor
Payment Information
-
Payment card details, processed securely via our payment provider (we do not store full card numbers)
-
Subscription status and payment history
-
Buy Now Pay Later agreements, where Klarna is used (see Section 6)
Platform and Technical Data
-
Account login details (email address used at registration)
-
Appointment booking history and consultation records on our patient portal
-
Platform usage data, including pages visited and actions taken within the portal
-
IP address and device information when you access our online services
Communications
-
Emails and messages exchanged with our Patient Care team
-
Records of any complaints or concerns you raise with us
3. How We Collect Your Personal Data
We collect your personal data:
-
Directly from you — when you make an enquiry, create an account, complete eligibility questionnaires, attend consultations, or contact us
-
From your GP surgery — your Summary Care Record, obtained with your consent or following your instruction to us to request it on your behalf
-
Through our patient portal — data generated through your use of the platform, including symptom trackers and appointment activity
-
From our payment providers — confirmation of successful payment
4. Why We Use Your Personal Data
To Provide Your Clinical Care
Lawful basis (Art. 6 UK GDPR): Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation. Special category basis (Art. 9 UK GDPR): Art. 9(2)(h) — provision of health or social care treatment; DPA 2018 Schedule 1, paragraph 2.
-
To assess your eligibility for a prescription
-
To triage your case before your consultation and assign you to the most appropriate clinician
-
To conduct and record your video consultation and generate a clinical record
-
To produce and store a transcript of your consultation as required by CQC standards
-
To create and manage your prescription
-
To notify your GP of your treatment, in line with CQC clinical governance standards (see Section 6)
-
To support Shared Care arrangements where a nurse or prescribing pharmacist conducts follow-up or repeat reviews on your doctor's behalf
-
To maintain a safe, auditable clinical governance record
To Process Payments
Lawful basis (Art. 6 UK GDPR): Art. 6(1)(b) — performance of a contract; Art. 6(1)(c) — legal obligation (financial record-keeping).
-
To take payment for your initial consultation, follow-up appointments, and subscription
-
To process Buy Now Pay Later agreements via Klarna, where applicable
-
To maintain financial records as required by HMRC
To Communicate With You
Lawful basis (Art. 6 UK GDPR): Art. 6(1)(b) — performance of a contract; Art. 6(1)(f) — legitimate interests. A Legitimate Interests Assessment has been conducted and is available on request.
-
To send appointment confirmations, reminders, and follow-up instructions
-
To send prescription notifications and titration letters
-
To respond to your queries and support requests
-
To send service-related updates that affect your care
To Meet Our Legal and Regulatory Obligations
Lawful basis (Art. 6 UK GDPR): Art. 6(1)(c) — legal obligation. Special category basis (Art. 9 UK GDPR): Art. 9(2)(h); Art. 9(2)(g) — substantial public interest; DPA 2018 Schedule 1, paragraphs 2 and 6.
-
To comply with CQC requirements, including clinical governance, audit trails, and inspection readiness
-
To comply with the Misuse of Drugs Regulations 2001 in relation to prescribing and recording controlled drugs
-
To fulfil our pharmacovigilance obligations, including reporting suspected adverse reactions to the MHRA via the Yellow Card scheme
-
To respond to lawful requests from law enforcement, the Home Office Drugs Licensing team, or other regulators
For Clinical Governance and Patient Safety
Lawful basis (Art. 6 UK GDPR): Art. 6(1)(c) — legal obligation; Art. 6(1)(f) — legitimate interests. Special category basis: Art. 9(2)(h); DPA 2018 Schedule 1, paragraph 2.
-
To conduct multi-disciplinary team (MDT) reviews of prescribing decisions — no prescription is self-approved
-
To review high-risk prescribing decisions at our weekly governance meetings
-
To maintain a near-misses register and drive continuous improvement in patient safety
-
To audit our clinical processes and maintain records for CQC inspection
For Service Improvement
Lawful basis (Art. 6 UK GDPR): Art. 6(1)(f) — legitimate interests; Art. 6(1)(a) — consent (where required). Special category basis (where applicable): Art. 9(2)(a) — explicit consent; or Art. 9(2)(h) — health care.
-
To improve our patient portal and clinical workflows
-
To analyse anonymised or pseudonymised data for clinical audit and research purposes
-
To gather feedback on your experience where you choose to provide it
Consultation Call Recording
Your video consultation will be recorded. A transcript is generated from the recording and reviewed by your clinician before being stored as part of your clinical record, in line with CQC requirements.
Recordings and transcripts are retained as part of your clinical record for the period set out in Section 7. You will be informed of the recording at the start of your consultation.
We will never use your personal data for unsolicited marketing without your explicit consent. We do not sell your personal data to any third party.
5. Special Category Personal Data
Your health information — including your medical history, diagnoses, consultation records, and prescriptions — is classified as special category personal data under UK GDPR. This data attracts a higher level of legal protection.
We process your special category data on the following legal bases:
| Data category | Legal basis |
|---|---|
| Health care delivery | Art. 9(2)(h) UK GDPR — necessary for the provision of health or social care treatment. DPA 2018 Schedule 1, paragraph 2. |
| Explicit consent (e.g. GP records request) | Art. 9(2)(a) UK GDPR — you have given explicit consent to the processing. |
| Clinical governance, audit, pharmacovigilance | Art. 9(2)(g) UK GDPR — necessary for reasons of substantial public interest. DPA 2018, Schedule 1, paragraph 6 and/or paragraph 10. |
You may withdraw your consent for specific processing at any time. Withdrawing consent does not affect the lawfulness of processing that took place before withdrawal. We may need to retain some records for legal or regulatory reasons even after consent is withdrawn.
6. Who We Share Your Personal Data With
We only share your personal data where it is necessary for your care, required by law, or authorised by you.
Your GP
We are required to notify your GP of any prescription we issue, in line with CQC clinical governance standards and NHS guidelines for shared care. We will contact your GP by email where an address is available, or by post where it is not. We will record the action taken in every case.
Naturecan Pharmacy (MYC Dispensary Ltd)
Once a prescription is issued, we share your prescription details and payment confirmation with Naturecan Pharmacy so that your medication can be dispensed and dispatched. This sharing is governed by a formal data sharing agreement between Ropana Clinics Ltd and MYC Dispensary Ltd.
Our Patient Portal
Our patient portal processes patient data on behalf of Ropana Clinics Ltd under a compliant UK GDPR Article 28 Data Processing Agreement. Data is stored securely on Google Cloud Platform (GCP) infrastructure, hosted within the UK or EEA.
Video Consultation Provider (Twilio)
We use Twilio to deliver video consultations. Consultation calls are recorded and a transcript is generated from the recording. Your clinician reviews the transcript before it is stored as part of your clinical record. Twilio processes your data as a data processor under a UK GDPR Article 28 Data Processing Agreement. Twilio's privacy notice →
Payment Providers — Payabl and Klarna
We use regulated payment providers to process consultation fees and subscription payments.
-
Payabl
processes card payments securely. No clinical or health information is shared with Payabl.Payabl's privacy notice →
-
Klarna
provides a Buy Now Pay Later service where you choose to use it. We do not share clinical information or any data revealing your health status with Klarna. If you prefer not to share any financial data with a third-party credit provider, we offer alternative payment methods.Klarna's privacy notice →
Customer Support (Zendesk)
We use Zendesk to manage patient support requests and correspondence. Zendesk operates under a UK GDPR Article 28 Data Processing Agreement and does not use your support ticket data for its own purposes. Zendesk's privacy notice →
Regulators and Authorities
-
The Care Quality Commission (CQC) — for inspection and regulatory oversight
-
The Medicines and Healthcare products Regulatory Agency (MHRA) — including for Yellow Card pharmacovigilance reporting
-
The Home Office Drugs Licensing team — for controlled drug prescribing compliance
-
Law enforcement agencies — where required by law
7. How Long We Keep Your Personal Data
We retain your personal data only for as long as necessary for the purposes for which it was collected, or as required by applicable law and regulatory standards.
| Data category | Retention period |
|---|---|
| Patient clinical records | Minimum 8 years from the date of last treatment, in line with NHS records management standards; or until age 25 where the patient was under 18, whichever is longer. |
| Controlled drug prescribing records | Minimum 7 years, in accordance with the Misuse of Drugs Regulations 2001. Retained within the 8-year clinical record period above. |
| Consultation recordings and transcripts | Retained as part of the clinical record for the same period as patient clinical records above. |
| Financial and payment records | 7 years, in line with HMRC requirements. |
| Support and correspondence records | 3 years from your last interaction with us. |
| Prospective patient enquiry records (non-registered) | 12 months from the date of enquiry, unless you register during that period. |
At the end of the applicable retention period, your data will be securely deleted or irreversibly anonymised.
8. International Data Transfers
We aim to store and process your personal data within the United Kingdom. Where any of our technology providers transfer data outside the UK, we ensure that appropriate safeguards are in place — specifically, the UK International Data Transfer Agreement (IDTA) or Standard Contractual Clauses recognised under UK law, in compliance with UK GDPR Articles 44 to 49.
Please note that the European Economic Area (EEA) is not automatically a safe destination for data transferred from the UK. Transfers to EEA countries are permitted only where the UK has made an adequacy decision in respect of the relevant country.
9. Your Rights
Under UK GDPR, you have the following rights in relation to your personal data. To exercise any of these rights, please contact us using the details in Section 13.
Right to Be Informed
You have the right to be told how we use your personal data. This Privacy Notice fulfils that obligation.
Right of Access
You can request a copy of the personal data we hold about you (a Subject Access Request). We will respond within one calendar month.
Right to Rectification
If any information we hold about you is inaccurate or incomplete, you can ask us to correct it.
Right to Erasure
You can ask us to delete your personal data in certain circumstances. Note that we may need to retain some records to comply with legal and regulatory obligations.
Right to Restrict Processing
You can ask us to pause the processing of your data in certain circumstances, for example while we investigate a disputed record.
Right to Object
You can object to our processing of your data where we rely on legitimate interests as the lawful basis.
Right to Data Portability
Where we process your data by automated means on the basis of consent or a contract, you can request it in a structured, machine-readable format.
Right to Withdraw Consent
Where we process your data on the basis of consent, you can withdraw that consent at any time without affecting prior lawful processing.
Right to Complain
If you are unhappy with how we handle your personal data, you have the right to raise a complaint with the UK's data protection supervisory authority:
Information Commissioner's Office (ICO)
Website: www.ico.org.uk · Telephone: 0303 123 1113
Website: www.ico.org.uk · Telephone: 0303 123 1113
We would always encourage you to contact us directly in the first instance so we can try to resolve your concern before you escalate to the ICO.
10. Cookies and Online Tracking
When you use our patient portal or website, we may use cookies and similar technologies to maintain your session, remember your preferences, and support the security and performance of the platform.
We do not use cookies for advertising or profiling purposes on our clinical platform. For full details of the cookies we use and how to manage them, please refer to our Cookie Policy, available on our website.
11. How We Protect Your Data
We take the security of your personal data seriously, particularly given the sensitive nature of health information. Our measures include:
-
Secure, encrypted storage on Google Cloud Platform (GCP) infrastructure
-
Role-based access controls — staff and clinicians can only access data relevant to their role
-
Mandatory data protection training for all staff handling patient data
-
Regular penetration testing of our patient portal
-
Audit logging of all clinical actions, including prescription creation, review, and approval
In the event of a personal data breach that is likely to affect your rights and freedoms, we will notify the ICO within 72 hours and inform you as soon as reasonably practicable.
12. Changes to This Privacy Notice
We will review and update this Privacy Notice periodically to reflect changes in our services, technology, or applicable law. Where changes are material, we will notify you by email or via the patient portal before they take effect.
The version number and date at the top of this document show the current version and when it was last updated.
13. How to Contact Us
To exercise any of your rights, submit a Subject Access Request, or raise a concern about how we handle your personal data, please contact our Data Protection Lead.
Contact Details
We aim to respond to all data protection enquiries within 30 days of receipt.
Note on DPO: Insert DPO appointment status before publication — see v1.1 document for guidance.